Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors. More information : https://community.acer.com/en/kb/articles/19672

Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails. More information : https://community.acer.com/en/kb/articles/19672

The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands. More information : https://community.acer.com/en/kb/articles/19672

Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands. More information : https://community.acer.com/en/kb/articles/19672

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users’ browsers upon page load. More information...

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users’ browsers upon page load. More information...

CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal...

A flaw was found in the Quay config-tool’s LDAP and SMTP validation functions. An attacker with config editor access can exploit these functions, which make outbound connections to user-supplied endpoints without proper IP or...

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied...

The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘carousel_direction’ parameter of the Carousel Anything widget in versions up to, and including, 6.4.15 This is due to...

An SQL injection vulnerability exists in Mautic’s API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands. More...

Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set...

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler...

The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter of the [showmodule] shortcode in versions up to, and including, 1.2 This is due to insufficient input...