Security Vulnerabilities
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS Score
9.8
EPSS Score
0.001
Published
2026-01-19
A security vulnerability has been detected in PHPGurukul Directory Management System 1.0. Impacted is an unknown function of the file /index.php of the component Search. The manipulation of the argument searchdata leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
CVSS Score
7.3
EPSS Score
0.0
Published
2026-01-19
SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12
CVSS Score
9.8
EPSS Score
0.0
Published
2026-01-19
Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.
CVSS Score
7.6
EPSS Score
0.0
Published
2026-01-19
A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
CVSS Score
8.8
EPSS Score
0.001
Published
2026-01-19
A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This issue affects some unknown processing of the file /order_online.php. Executing a manipulation of the argument product_name can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Score
7.3
EPSS Score
0.0
Published
2026-01-19
A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVSS Score
8.8
EPSS Score
0.001
Published
2026-01-19
A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
CVSS Score
8.8
EPSS Score
0.001
Published
2026-01-19
A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-01-19
A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting. The attack can be executed remotely. The exploit has been published and may be used.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-01-19