CVE-2025-34036 – TVT Cross Web Server OS Command Injection

June 23, 2025

CVE ID : CVE-2025-34036

Published : June 24, 2025, 1:15 a.m. | 46 minutes ago

Description : An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called “Cross Web Server” that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When the server processes a request to /language/[lang]/index.html, it uses the [lang] input unsafely in a tar extraction command without proper escaping. This allows an unauthenticated remote attacker to inject shell commands and achieve arbitrary command execution as root.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-34037 – Linksys E-Series Router OS Command Injection Vulnerability

Next Article CVE-2025-34035 – EnGenius EnShare Cloud Service OS Command Injection

Highlights

CVE-2025-6453 – Diyhi BBS Path Traversal Vulnerability

June 22, 2025

CVE ID : CVE-2025-6453

Published : June 22, 2025, 3:15 a.m. | 10 hours, 28 minutes ago

Description : A vulnerability classified as critical has been found in diyhi bbs 6.8. Affected is the function Add of the file /src/main/java/cms/web/action/template/ForumManageAction.java of the component API. The manipulation of the argument dirName leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Severity: 6.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

The Power Of The Intl API: A Definitive Guide To Browser-Native Internationalization

This week in AI dev tools: GPT-5, Claude Opus 4.1, and more (August 8, 2025)

Elastic simplifies log analytics for SREs and developers with launch of Log Essentials

OpenAI launches GPT-5

5 ways business leaders can transform workplace culture – and it starts by listening

My 4 favorite image editing apps on Linux – and two are free Photoshop alternatives

How Google’s Genie 3 could change AI video – and let you build your own interactive worlds

How you’re charging your tablet is slowly killing it – 3 methods to avoid (and the right way)

Establishing Consistent Data Foundations with Laravel’s Database Population System

Establishing Consistent Data Foundations with Laravel’s Database Population System

Generate Postman Collections from Laravel Routes

This Week in Laravel: Free Laravel Idea, Laracon News, and More

Lenovo Legion Go 2 vs Legion Go — How Do These Gaming Handhelds Compare Based on Rumored Specs?

Lenovo Legion Go 2 vs Legion Go — How Do These Gaming Handhelds Compare Based on Rumored Specs?

9 Default Settings in Windows 11 You Didn’t Know Could Affect Performance and Privacy

DICE Responds to Battlefield 6 Community: Key Updates on Map Flow and Class Mechanics

CVE-2025-34036 – TVT Cross Web Server OS Command Injection

Black Hat USA 2025: Does successful cybersecurity today increase cyber-risk tomorrow?

Black Hat USA 2025: Policy compliance and the myth of the silver bullet

CVE-2025-54309 – CrushFTP Remote Admin Access Vulnerability

Google confirms Gemini for Chrome on Windows 11, teases big AI upgrade

asdf is an extendable version manager

NVIDIA to manufacture AI supercomputers in the U.S. for the first time

CVE-2025-6453 – Diyhi BBS Path Traversal Vulnerability

lstr – fast, minimalist directory tree viewer

After Android, Microsoft Edge for iOS gets a native extensions feature

Rilasciato Calibre 8.7: Novità e Miglioramenti per la Gestione degli E-book

CVE-2025-34036 – TVT Cross Web Server OS Command Injection

Related Posts