VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202607-1235 CVE-2026-15270 D-Link Corporation of DIR-823G  Multiple vulnerabilities in firmware CVSS V2: 7.1
CVSS V3: 7.5
Severity: Medium
A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is an unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. Executing a manipulation can lead to least privilege violation. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. Performing an unauthorized operation could result in a breach of the principle of least privilege. Although it was thought to be difficult to exploit, exploits that can be used in attacks have already been made public.- All information handled by the software may be leaked to external parties. - All information handled by the software may be overwritten. - The software may completely shut down
VAR-202607-1231 CVE-2026-24700 Cisco Systems Cisco RV110W Wireless-N VPN Firewall  Firmware and other multiple products OS  Command injection vulnerability CVSS V2: -
CVSS V3: 7.2
Severity: HIGH
An OS command injection vulnerability exists in the start_lltd() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machine_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges. - All information handled by the software may be overwritten. - The software may completely shut down
VAR-202607-1163 CVE-2026-24699 Cisco Systems Cisco RV110W Wireless-N VPN Firewall  Firmware and other multiple products OS  Command injection vulnerability CVSS V2: -
CVSS V3: 7.2
Severity: HIGH
An OS command injection vulnerability exists in the sub_34984() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The lan_ipv6_prefixlen configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges. - All information handled by the software may be overwritten. - The software may completely shut down
VAR-202607-1230 CVE-2026-24698 Cisco Systems Cisco RV110W Wireless-N VPN Firewall  Firmware and other multiple products OS  Command injection vulnerability CVSS V2: -
CVSS V3: 7.2
Severity: HIGH
An OS command injection vulnerability exists in the save_syslog_to_file() function of the "httpd" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The model_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges. - All information handled by the software may be overwritten. - The software may completely shut down
VAR-202607-1138 CVE-2026-24697 Cisco Systems Cisco RV110W Wireless-N VPN Firewall  Firmware and other multiple products OS  Command injection vulnerability CVSS V2: -
CVSS V3: 7.2
Severity: HIGH
An OS command injection vulnerability exists in the start_bonjour() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The wan_hostname configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges. - All information handled by the software may be overwritten. - The software may completely shut down
VAR-202606-6113 CVE-2026-9105 TP-LINK Technologies of TL-WR841N  Multiple vulnerabilities in firmware CVSS V2: -
CVSS V3: 6.5
Severity: MEDIUM
An authenticated stack-based buffer overflow vulnerability exists in the web management interface of TP-Link TL-WR841N v14. A remote authenticated attacker can send crafted HTTP requests to cause the embedded web server to overflow a stack buffer, resulting in a crash of the affected process. Successful exploitation results in a denial-of-service condition, causing the device to crash and automatically reboot. An authenticated remote attacker can exploit this vulnerability with a specially crafted weapon. If exploited successfully, this can lead to a denial of service. DoS The device enters this state, crashes, and automatically restarts.- No information handled by the software will be leaked to external parties. - No information handled by the software will be rewritten. - The software may completely shut down
VAR-202606-6401 CVE-2026-13545 D-Link Corporation of DCS-935L  Multiple vulnerabilities in firmware CVSS V2: 9.0
CVSS V3: 8.8
Severity: High
A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The exploit is publicly available and can be exploited.- All information handled by the software may be leaked to external parties. - All information handled by the software may be overwritten. - The software may completely shut down
VAR-202606-4422 CVE-2026-12760 TP-LINK Technologies of tapo c200  Unlimited or Throttling Resource Allocation Vulnerability in Firmware CVSS V2: -
CVSS V3: 6.5
Severity: MEDIUM
A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.   An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording. - No information handled by the software will be rewritten. - The software may completely shut down
VAR-202606-4313 CVE-2026-54317 Home Assistant Multiple vulnerabilities in CVSS V2: -
CVSS V3: 7.6
Severity: HIGH
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0. This vulnerability 2026.6.0 has been fixed.- All information handled by the software may be leaked to external parties. - Some of the information handled by the software may be overwritten. - Part of the software may stop working
VAR-202606-5967 CVE-2026-52846 Light Code Labs of Caddy Encoding and escaping vulnerabilities in CVSS V2: -
CVSS V3: 4.2
Severity: MEDIUM
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely. This vulnerability is fixed in 2.11.4. XSS This vulnerability is present in version 2.11.4 has been fixed.- Some of the information handled by the software may be leaked to external parties. - Some of the information handled by the software may be overwritten. - The software will not stop
VAR-202606-5321 CVE-2026-52845 Light Code Labs of Caddy Multiple vulnerabilities in CVSS V2: -
CVSS V3: 8.1
Severity: HIGH
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4. 2.11.4 has been fixed.- All information handled by the software may be leaked to external parties. - All information handled by the software may be overwritten. - The software will not stop
VAR-202606-5117 CVE-2026-52844 Light Code Labs of Caddy Multiple vulnerabilities in CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4. Caddy is the default TLS This is a highly scalable server platform that uses version 2.11.4 Before Windows In the environment, Caddy The pass matcher is /private¥secret.txt of /private/* It is recognized as an external entity, file_server The same request path on disk private¥secret.txt It will be processed as follows: This will allow unauthenticated remote clients to /private/* Protect Caddy The path scope auth/deny It may be possible to bypass root access. This vulnerability is in version 2.11.4 has been fixed.- All information handled by the software may be leaked to external parties. - No rewriting will occur to the information handled by the software. - The software will not stop
VAR-202606-4388 CVE-2026-45692 Light Code Labs of Caddy Multiple vulnerabilities in CVSS V2: -
CVSS V3: 5.4
Severity: MEDIUM
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3. 2.11.3 Fixed in- Some of the information handled by the software may be leaked to external parties. - Some of the information handled by the software may be overwritten. - The software will not stop
VAR-202606-5937 CVE-2026-45135 Light Code Labs of Caddy Multiple vulnerabilities in CVSS V2: -
CVSS V3: 8.1
Severity: HIGH
Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This vulnerability is fixed in 2.11.3. ASCII If it contains bytes golang.org/x/text/search of search.IgnoreCase I was misusing it. URL Creating this could lead to remote code execution. This vulnerability is in version 2.11.3 has been fixed.- All information handled by the software may be leaked to external parties. - All information handled by the software may be overwritten. - The software may completely shut down
VAR-202606-4184 CVE-2026-49872 Apache Software Foundation of APISIX Authentication vulnerability in CVSS V2: -
CVSS V3: 8.1
Severity: HIGH
Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. 3.17.0 We recommend that you upgrade to .- All information handled by the software may be leaked to external parties. - All information handled by the software may be overwritten. - The software will not stop
VAR-202606-4138 CVE-2026-49871 Apache Software Foundation of APISIX Cross-site request forgery vulnerability in CVSS V2: -
CVSS V3: 9.3
Severity: CRITICAL
Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim takes upstream are then attributed to attackers identity. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. ID It may be authenticated as such. ID This will be attributed to [the relevant party]. 3.17.0 We recommend upgrading to .- All information handled by the software may be leaked to external parties. - All information handled by the software may be overwritten. - The software will not stop
VAR-202606-3855 CVE-2026-49231 Apache Software Foundation of APISIX Spoofing authentication evasion vulnerability in CVSS V2: -
CVSS V3: 5.4
Severity: MEDIUM
Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. 3.17.0 We recommend that you upgrade to .- Some of the information handled by the software may be leaked to external parties. - Some of the information handled by the software may be overwritten. - The software will not stop
VAR-202606-3791 CVE-2026-49230 Apache Software Foundation of APISIX Vulnerability related to insufficient data integrity verification in CVSS V2: -
CVSS V3: 9.1
Severity: CRITICAL
Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass.   This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. 3.17.0 It is recommended to upgrade to .- All information handled by the software may be leaked to external parties. - All information handled by the software may be overwritten. - The software will not stop
VAR-202606-3913 CVE-2026-48895 Apache Software Foundation of APISIX Open redirect vulnerability in CVSS V2: -
CVSS V3: 7.2
Severity: HIGH
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. 3.17.0 It is recommended to upgrade to .- Some of the information handled by the software may be leaked to external parties. - Some of the information handled by the software may be overwritten. - The software will not stop
VAR-202606-3914 CVE-2026-47341 Apache Software Foundation of APISIX In Capture-replay  Authentication Bypass Vulnerability CVSS V2: -
CVSS V3: 6.5
Severity: MEDIUM
Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. 3.17.0 It is recommended to upgrade to .- Some of the information handled by the software may be leaked to external parties. - Some of the information handled by the software may be overwritten. - The software will not stop