High Vulnerabilities
| Primary Vendor – Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| nyariv–SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = …), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36. | 2026-04-06 | 10 | CVE-2026-34208 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj |
| Davidtavarez–CF Image Hosting Script | CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter. | 2026-04-12 | 9.8 | CVE-2019-25709 | ExploitDB-46094; Official Product Homepage; Product Reference; VulnCheck Advisory: CF Image Hosting Script 1.6.5 Unauthorized Database Access |
| Beijing Topsec Network Security Technology Co., Ltd.–Tianxin Internet Behavior Management System | Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC). | 2026-04-07 | 9.8 | CVE-2021-4473 | https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972 https://www.cnvd.org.cn/patchInfo/show/280166 https://cn-sec.com/archives/4631959.html https://avd.aliyun.com/detail?id=AVD-2021-890232 https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php |
| Contemporary Controls–BASControl20 | An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T. | 2026-04-09 | 9.8 | CVE-2025-13926 | https://www.ccontrols.com/support/contacttech.htm |