CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
D-Link DIR-600L Hardware Revision A1 contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot with the default username 'Alphanetworks' and static password 'wrgn35_dlwbr_dir600l'.
D-Link DIR-600L Hardware Revision B1 contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot with the username 'Alphanetworks' and the static password 'wrgn61_dlwbr_dir600L'.
D-Link DIR-605L Hardware Revision B2 contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot with the username 'Alphanetworks' and the static password 'wrgn76_dlwbr_dir605L'.
Notesnook has a stored XSS vulnerability that can lead to remote code execution in the desktop app. The issue arises from exported note fields being inserted into the HTML template without proper escaping.
Evolver is an AI self-evolving engine that prior to version 1.69.3 had a command injection vulnerability in the _extractLLM() function. This allows attackers to execute arbitrary shell commands on the server due to improper handling of parameters.
In Apache OpenNLP before versions 1.9.5, 2.5.9, and 3.0.0-M3, the ExtensionLoader.instantiateExtension() method loads a class by name from a model's manifest.properties, executing its static initializer before type checking. An attacker can supply a crafted model to trigger arbitrary class initialization, potentially leading to remote code execution.
An XML External Entity (XXE) vulnerability was found in Apache OpenNLP's DictionaryEntryPersistor class. The class initializes a SAX parser without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing, allowing an attacker to inject a malicious DOCTYPE declaration in a dictionary file. This can lead to local file disclosure (file://) or server-side request forgery (SSRF) during parsing.
vm2 version 3.10.4 contains a vulnerability allowing full sandbox escape and arbitrary code execution on the host. An attacker can obtain the host process object and run commands without any host cooperation.
A vulnerability in the vm2 library for Node.js allows attackers to escape the sandbox and execute arbitrary code via the SuppressedError mechanism. The issue is fixed in version 3.11.0.
Buffer overflow due to incorrect authorization in PLC firmware.
A vulnerability in the vm2 library for Node.js allows sandbox escape via the inspect function. Attackers can execute arbitrary commands on the host system.
A vulnerability in the vm2 library for Node.js allows bypassing the fix for CVE-2023-37466. Attackers can write code that escapes the VM2 sandbox and executes arbitrary commands on the host system.
A vulnerability in the vm2 library for Node.js allows sandbox escape and arbitrary command execution on the host system. The issue is fixed in version 3.11.0.
The 3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by providing payload in the 'IP address' field of the diagnosis test tools.
A buffer overflow vulnerability was found in the Assimp library up to version 6.0.2 in the FBX Importer. The issue occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation.
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file where the declared tensor offset and size exceed the file's actual length, leading to reading memory past the allocated buffer.
A security flaw has been discovered in Totolink N300RH version 3.2.4-B20220812 in the loginauth function of the /cgi-bin/cstecgi.cgi file, affecting the Parameter Handler component. Manipulating the Password argument results in a buffer overflow, which can be exploited in remote attacks.
W aplikacji wsparcia online firmy Tegsoft Management and Information Services Trade Limited Company występuje podatność na atak typu 'cross-site scripting' (XSS) z powodu niewłaściwego neutralizowania danych wejściowych podczas generowania stron internetowych. Problem ten dotyczy wersji aplikacji od V3 do 31122025.
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227 in the loginauth function of the /cgi-bin/cstecgi.cgi file, affecting the POST Request Handler component. Manipulation of the http_host argument results in buffer overflow.

