High Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| n/a– OVMS3 3.3.005 | Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted GVRET frames. | 2026-05-01 | 10 | CVE-2026-37541 | https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| tendacn[.]com– W308R | Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites. | 2026-04-29 | 9.8 | CVE-2018-25316 | ExploitDB-44373 VulnCheck Advisory: Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Change |
| tendacn[.]com–W3002R | Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers. | 2026-04-29 | 9.8 | CVE-2018-25317 | ExploitDB-44380 VulnCheck Advisory: Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change |
| tendacn[.]com–FH303/A300 | Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites. | 2026-04-29 | 9.8 | CVE-2018-25318 | ExploitDB-44381 VulnCheck Advisory: Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change |
| Weaver Network Co., Ltd.–E-office | Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types. Attackers can upload PHP webshells to the Document directory and execute them via HTTP GET requests to achieve remote code execution as the web server user. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-10-10 (UTC). | 2026-04-30 | 9.8 | CVE-2022-50993 |
This article has been indexed from Bulletins
Read the original article: Post navigation |