Overview CVE-2025-13800 is a medium severity command injection vulnerability identified in ADSLR NBR1005GPEV2 routers running firmware version 250814-r037c. This flaw allows remote attackers to execute arbitrary commands on the affected device by manipulating the mac argument within the set_mesh_disconnect function of the /send_order.cgi file. The exploit for this vulnerability is publicly available, increasing the risk of exploitation. Technical Details The vulnerability resides in the set_mesh_disconnect function within the /send_order.cgi script. Improper sanitization of the mac argument allows an attacker to inject arbitrary commands into the system’s shell. By crafting a malicious request containing shell metacharacters within the mac parameter, an…

Overview A critical security vulnerability, identified as CVE-2025-64772, has been discovered in the installer of Sony’s INZONE Hub software, specifically versions 1.0.10.3 to 1.0.17.0. This vulnerability stems from an insecure DLL search path, which could allow a malicious actor to execute arbitrary code on a user’s system with the same privileges as the user running the installer. Technical Details The vulnerability is rooted in the way the INZONE Hub installer searches for and loads Dynamic Link Libraries (DLLs). Due to an improperly configured search path, the installer may inadvertently load a malicious DLL from a location controlled by an attacker…

Overview CVE-2025-13799 is a medium-severity command injection vulnerability identified in the ADSLR NBR1005GPEV2 router, specifically affecting firmware version 250814-r037c. This flaw allows a remote attacker to execute arbitrary commands on the device by manipulating the mac argument within the ap_macfilter_del function of the /send_order.cgi file. The vulnerability has been publicly disclosed and an exploit is available. Unfortunately, the vendor has not responded to vulnerability reports. Technical Details The vulnerability resides in the ap_macfilter_del function within the /send_order.cgi script of the ADSLR NBR1005GPEV2 router. The script fails to properly sanitize user-supplied input for the mac parameter. By injecting malicious commands into…

Overview CVE-2025-13798 is a medium-severity vulnerability affecting ADSLR NBR1005GPEV2 routers with firmware version 250814-r037c. This flaw allows a remote attacker to inject arbitrary commands through the ap_macfilter_add function in the /send_order.cgi file. The vulnerability stems from improper sanitization of the mac argument, leading to command execution with elevated privileges. This issue has been publicly disclosed and a proof-of-concept exploit is available, increasing the risk of exploitation in the wild. The vendor was contacted regarding this vulnerability but has not yet provided a response. Technical Details The vulnerability lies within the ap_macfilter_add function, accessed via the /send_order.cgi endpoint. By manipulating the…

Overview CVE-2025-13797 is a medium-severity command injection vulnerability discovered in ADSLR B-QE2W401 routers, specifically affecting firmware version 250814-r037c. This vulnerability allows remote attackers to execute arbitrary commands on the device by manipulating the del_swifimac argument within the /send_order.cgi file. The exploit is publicly available, making it crucial for users to understand and mitigate this risk. The vendor was notified but did not respond to the disclosure. Technical Details The vulnerability lies within the parameterdel_swifimac function of the /send_order.cgi script. Improper sanitization of user-supplied input to this parameter allows an attacker to inject arbitrary commands into the system’s operating system. By…

Overview CVE-2025-13796 identifies a Server-Side Request Forgery (SSRF) vulnerability present in deco-cx applications up to version 0.120.1. This flaw allows a remote attacker to potentially force the application to make requests to unintended locations, potentially exposing sensitive internal resources or performing actions on behalf of the server. Upgrading to version 0.120.2 is strongly recommended to address this security issue. Technical Details The vulnerability resides within the AnalyticsScript function found in the website/loaders/analyticsScript.ts file of the deco-cx apps. Specifically, the component affected is the Parameter Handler. By manipulating the url argument, an attacker can inject arbitrary URLs, causing the server to…

Overview CVE-2025-13795 describes a Cross-Site Scripting (XSS) vulnerability found in the codingWithElias School Management System, specifically in versions up to commit f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. This vulnerability allows a remote attacker to inject malicious scripts into the “First Name” field on the Edit Student Info page, potentially compromising user accounts and data. The vendor was contacted but did not respond. Technical Details The vulnerability resides within the /student-view.php file of the codingWithElias School Management System. Specifically, the “First Name” argument on the Edit Student Info page is not properly sanitized. This lack of input validation allows an attacker to inject malicious JavaScript code.…

Overview CVE-2025-35028 is a critical vulnerability affecting the HexStrike AI MCP (Management and Control Plane) server. This command injection vulnerability allows an attacker to execute arbitrary commands with root privileges on the affected server. Due to the severity and ease of exploitation, immediate action is recommended to mitigate this risk. Technical Details The vulnerability resides in the EnhancedCommandExecutor class of the HexStrike AI MCP server. Specifically, when an API endpoint created by this class receives a command-line argument starting with a semicolon (;), the server fails to properly sanitize this input. Consequently, the crafted command is executed directly with the…

Overview CVE-2025-13793 identifies a Cross-Site Scripting (XSS) vulnerability found in the winston-dsouza Ecommerce-Website, specifically in versions up to commit 87734c043269baac0b4cfe9664784462138b1b2e. This vulnerability allows remote attackers to inject arbitrary web scripts into the browser of unsuspecting users. The vendor, winston-dsouza, has not responded to attempts at responsible disclosure, leaving websites using this software vulnerable. Technical Details The vulnerability resides within the /includes/header_menu.php file of the Ecommerce-Website. The application fails to properly sanitize user-supplied input passed through the Error GET parameter. By manipulating this parameter, an attacker can inject malicious JavaScript code that will be executed in the context of the user’s…

Overview A high-severity code injection vulnerability, identified as CVE-2025-13792, has been discovered in Qualitor versions 8.20 and 8.24. This vulnerability allows remote attackers to inject arbitrary code via the passageiros argument in the getResumo.php file within the /html/st/stdeslocamento/request/ directory. The exploit is publicly available and actively being exploited. The vendor was contacted but has not responded to the disclosure. Technical Details The vulnerability resides in the eval function within /html/st/stdeslocamento/request/getResumo.php. By manipulating the passageiros argument, an attacker can inject and execute arbitrary code on the server. This occurs because the input isn’t properly sanitized or validated before being passed to…