Sync EUVD catalog: Wed Apr 29 00:47:16 UTC 2026

Signed-off-by: AboutCode Automation <automation@aboutcode.org>

Author: aboutcode-automation

advisories/2026/04/EUVD-2024-55558.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-55558",
+  "enisaUuid": "7dd0b5bb-8e45-327f-a66a-e212837634fa",
+  "description": "Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests,\u00a0causing a service disruption. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.",
+  "datePublished": "Apr 28, 2026, 6:51:33 AM",
+  "dateUpdated": "Apr 28, 2026, 6:51:33 AM",
+  "baseScore": 5.3,
+  "baseScoreVersion": "4.0",
+  "baseScoreVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
+  "references": "https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf\n",
+  "aliases": "CVE-2024-54011\n",
+  "assigner": "Hanwha_Vision",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "28f574d7-49e0-31d8-8d3b-aa20e85d804c",
+      "product": {
+        "name": "QND-8080R"
+      },
+      "product_version": "0 <2.24.00"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "7396b8be-0e79-3512-bacf-35f7972cc5f6",
+      "vendor": {
+        "name": "Hanwha Vision"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-55559.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-55559",
+  "enisaUuid": "48c30473-7719-3928-b3b5-1d8c008e451a",
+  "description": "Penetration Testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be executed on the device. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds.",
+  "datePublished": "Apr 28, 2026, 7:03:58 AM",
+  "dateUpdated": "Apr 28, 2026, 7:03:58 AM",
+  "baseScore": 8.5,
+  "baseScoreVersion": "4.0",
+  "baseScoreVector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
+  "references": "https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf\n",
+  "aliases": "CVE-2024-54012\n",
+  "assigner": "Hanwha_Vision",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "0d182bb7-f435-3926-894c-5f6e34852456",
+      "product": {
+        "name": "QND-8080R"
+      },
+      "product_version": "0 <2.24.00"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "c431a01b-0441-3bd2-aa92-af275d320298",
+      "vendor": {
+        "name": "Hanwha Vision"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-55560.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-55560",
+  "enisaUuid": "b7e1eedd-d382-3b8e-b1e2-485ed26652aa",
+  "description": "Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds",
+  "datePublished": "Apr 28, 2026, 7:06:17 AM",
+  "dateUpdated": "Apr 28, 2026, 7:06:17 AM",
+  "baseScore": 8.7,
+  "baseScoreVersion": "4.0",
+  "baseScoreVector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
+  "references": "https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf\n",
+  "aliases": "CVE-2024-54013\n",
+  "assigner": "Hanwha_Vision",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "b5f9ca02-6883-3f54-a714-b95b23087425",
+      "product": {
+        "name": "QND-8080R"
+      },
+      "product_version": "0 <2.24.00"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "4c0f685f-745c-36d0-a59b-3d84738b4eb9",
+      "vendor": {
+        "name": "Hanwha Vision"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2025-209580.json

@@ -0,0 +1,29 @@
+{
+  "id": "EUVD-2025-209580",
+  "enisaUuid": "3208ac04-d75a-3bb4-a1b4-52cbd4df63a6",
+  "description": "Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.",
+  "datePublished": "Apr 28, 2026, 7:52:23 AM",
+  "dateUpdated": "Apr 28, 2026, 7:52:23 AM",
+  "baseScore": 0.0,
+  "references": "https://r.sec-consult.com/desktime\nhttps://desktime.com/download\n",
+  "aliases": "CVE-2025-10539\n",
+  "assigner": "SEC-VLab",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "4953a77b-bede-32c3-a8e1-029beada3c48",
+      "product": {
+        "name": "DeskTime Time Tracking App"
+      },
+      "product_version": "0 <1.3.674"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "2d7cc0f9-421c-3e67-b265-8c4f60a2289c",
+      "vendor": {
+        "name": "DeskTime"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2025-209581.json

@@ -0,0 +1,29 @@
+{
+  "id": "EUVD-2025-209581",
+  "enisaUuid": "08860d1a-54e7-392b-b5d5-aaccc3e19d06",
+  "description": "Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.\n\nDescription: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal \"free(): invalid pointer\" error message.",
+  "datePublished": "Apr 28, 2026, 9:11:44 AM",
+  "dateUpdated": "Apr 28, 2026, 9:50:39 AM",
+  "baseScore": 0.0,
+  "references": "https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql\n",
+  "aliases": "CVE-2025-48431\n",
+  "assigner": "apache",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "ed526a38-1d33-3a8c-a0eb-bd61dc520cdc",
+      "product": {
+        "name": "Apache Thrift"
+      },
+      "product_version": "0 <0.23.0"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "df885d76-036a-3222-8a3d-e2068afc438c",
+      "vendor": {
+        "name": "Apache Software Foundation"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2025-209582.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2025-209582",
+  "enisaUuid": "7873005d-b373-3724-bcab-7fae1f5fae20",
+  "description": "An issue was discovered in Cista v0.15 and below. Insecure deserialization of untrusted input under certain conditions may lead to leaking of stack/heap addresses which may be used to bypass ASLR. Classes with pointer-like mechanics under the cista::raw namespace are prone to reference tampering, where Cista does not perform sufficient checks to safeguard against self-referencing pointers and referencing other data within the payload. The leak occurs if the deserialized values are observable by the attacker.",
+  "datePublished": "Apr 28, 2026, 12:00:00 AM",
+  "dateUpdated": "Apr 28, 2026, 3:09:31 PM",
+  "baseScore": 5.3,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N",
+  "references": "http://cista.com\nhttps://gist.github.com/TrebledJ/66cc0ed37bdb3e70ce0ef98396790771\n",
+  "aliases": "CVE-2025-60887\n",
+  "assigner": "mitre",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "94f9e49e-217a-3ba1-a51c-8a74d0a09ea3",
+      "product": {
+        "name": "n/a"
+      },
+      "product_version": "n/a"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "1c1a1f65-8081-3913-9ad5-1e0e6a40810f",
+      "vendor": {
+        "name": "n/a"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2025-209583.json

@@ -0,0 +1,29 @@
+{
+  "id": "EUVD-2025-209583",
+  "enisaUuid": "9a97962e-4695-3fad-a3cc-d8d1f48286ec",
+  "description": "Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.",
+  "datePublished": "Apr 28, 2026, 12:00:00 AM",
+  "dateUpdated": "Apr 28, 2026, 3:16:37 PM",
+  "baseScore": 0.0,
+  "references": "http://hpx.com\nhttp://stellargroup.com\nhttps://gist.github.com/TrebledJ/b32fd5c469583493ab50244045c9a6e4\n",
+  "aliases": "CVE-2025-60889\n",
+  "assigner": "mitre",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "f32f8d06-314c-3708-8da4-61fa1925d50c",
+      "product": {
+        "name": "n/a"
+      },
+      "product_version": "n/a"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "f5dfdffc-18d2-3a34-9d0f-8f9456384d5d",
+      "vendor": {
+        "name": "n/a"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2025-209585.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2025-209585",
+  "enisaUuid": "ab6d5584-0100-3b26-8255-c2b353a129a0",
+  "description": "The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII.",
+  "datePublished": "Apr 28, 2026, 12:00:00 AM",
+  "dateUpdated": "Apr 28, 2026, 3:56:56 PM",
+  "baseScore": 7.5,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+  "references": "https://docs.arandasoft.com/at-v8-release-notes/en/pages/release_pdf/file_server.html\nhttps://arandasoft.com/en/productos/aranda-service-management/\nhttps://github.com/brandonperezlara/CVE-2025-67223\n",
+  "aliases": "CVE-2025-67223\n",
+  "assigner": "mitre",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "34bcc1b6-8a54-3014-88ea-9816cf2dd0cf",
+      "product": {
+        "name": "n/a"
+      },
+      "product_version": "n/a"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "b374d58f-26b9-3721-83c2-2c892cceecd5",
+      "vendor": {
+        "name": "n/a"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2026-25960.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2026-25960",
+  "enisaUuid": "8fff7e96-93af-3baa-a471-dae326051ded",
+  "description": "A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used.",
+  "datePublished": "Apr 28, 2026, 12:00:23 AM",
+  "dateUpdated": "Apr 28, 2026, 12:00:23 AM",
+  "baseScore": 9.3,
+  "baseScoreVersion": "4.0",
+  "baseScoreVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
+  "references": "https://vuldb.com/vuln/359803\nhttps://vuldb.com/vuln/359803/cti\nhttps://vuldb.com/submit/801528\nhttps://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_322/README.md\nhttps://www.totolink.net/\n",
+  "aliases": "CVE-2026-7203\n",
+  "assigner": "VulDB",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "99e4c251-0f06-335c-a6a3-7c6c650febfa",
+      "product": {
+        "name": "A8000RU"
+      },
+      "product_version": "7.1cu.643_b20200521"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "47dac9c1-0dbf-360a-9c9c-a294e04bcc2d",
+      "vendor": {
+        "name": "Totolink"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2026-25961.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2026-25961",
+  "enisaUuid": "82418276-3472-3cf8-a088-c97cac9d1bb6",
+  "description": "A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.",
+  "datePublished": "Apr 28, 2026, 12:15:15 AM",
+  "dateUpdated": "Apr 28, 2026, 12:15:15 AM",
+  "baseScore": 9.3,
+  "baseScoreVersion": "4.0",
+  "baseScoreVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
+  "references": "https://vuldb.com/vuln/359804\nhttps://vuldb.com/vuln/359804/cti\nhttps://vuldb.com/submit/801530\nhttps://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_323/README.md\nhttps://www.totolink.net/\n",
+  "aliases": "CVE-2026-7204\n",
+  "assigner": "VulDB",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "2f406f17-7f11-38e8-bbea-9e24de0b98d9",
+      "product": {
+        "name": "A8000RU"
+      },
+      "product_version": "7.1cu.643_b20200521"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "3b9982b7-e16b-3c64-8ca4-f500f726cd5a",
+      "vendor": {
+        "name": "Totolink"
+      }
+    }
+  ]
+}