Security Vulnerabilities
Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, administrative access is not protected by default,
The vendor has not replied to the CNA Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.
CVSS Score
7.2
EPSS Score
0.003
Published
2026-01-09
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
CVSS Score
8.7
EPSS Score
0.0
Published
2026-01-09
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
CVSS Score
3.5
EPSS Score
0.0
Published
2026-01-09
This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
CVSS Score
10.0
EPSS Score
0.001
Published
2026-01-09
This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device.
CVSS Score
8.6
EPSS Score
0.001
Published
2026-01-09
This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-01-09
Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.
CVSS Score
10.0
EPSS Score
0.001
Published
2026-01-09
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.
CVSS Score
8.0
EPSS Score
0.0
Published
2026-01-09
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests.
CVSS Score
7.1
EPSS Score
0.0
Published
2026-01-09
GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-01-09