xyh4ck

5 exploits Active since Sep 2025
CVE-2026-7633 WRITEUP MEDIUM WORKING POC
Totolink N300RH cstecgi.cgi setUploadSetting file inclusion
A vulnerability was identified in Totolink N300RH 6.1c.1353_B20190305. It affects the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. Manipulation of the argument FileName leads to file inclusion. The attack can be performed remotely. The exploit is publicly available and may be used.
CVSS 6.5
CVE-2026-6158 WRITEUP HIGH WORKING POC
Totolink N300RH upgrade.so setUpgradeUboot os command injection
A flaw has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setUpgradeUboot of the file upgrade.so. Manipulation of the argument FileName causes OS command injection. The attack can be carried out remotely. The exploit has been published and may be used.
CVSS 7.3
CVE-2025-15356 WRITEUP HIGH WRITEUP
Tenda AC20 Firmware < 16.03.08.12 - Memory Corruption
A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The impacted element is the function sscanf of the file /goform/PowerSaveSet. The manipulation of the argument powerSavingEn/time/powerSaveDelay/ledCloseType leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS 8.8
CVE-2025-15357 WRITEUP MEDIUM WORKING POC
D-Link DI-7400G+ Firmware - Command Injection
A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been made public and could be used.
CVSS 6.3
CVE-2025-9769 WRITEUP MEDIUM WORKING POC
D-Link DI-7400G+ Firmware - Command Injection
A security flaw has been discovered in D-Link DI-7400G+ 19.12.25A1. Affected is the function sub_478D28 of the file /mng_platform.asp. The manipulation of the argument addr with the input `echo 12345 > poc.txt` results in command injection. An attack on the physical device is feasible. The exploit has been released to the public and may be used.
CVSS 4.1