Search Results (11 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-60094 1 Vinchin 1 Backup & Recovery 2026-07-10 6.5 Medium
Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.
CVE-2026-60095 1 Vinchin 1 Backup & Recovery 2026-07-10 6.5 Medium
Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.
CVE-2024-25228 1 Vinchin 1 Vinchin Backup And Recovery 2025-11-04 8.8 High
Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.
CVE-2024-22903 1 Vinchin 1 Vinchin Backup And Recovery 2025-11-04 8.8 High
Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function.
CVE-2024-22902 1 Vinchin 1 Vinchin Backup And Recovery 2025-11-04 9.8 Critical
Vinchin Backup & Recovery v7.2 was discovered to be configured with default root credentials.
CVE-2024-22901 1 Vinchin 1 Vinchin Backup And Recovery 2025-11-04 9.8 Critical
Vinchin Backup & Recovery v7.2 was discovered to use default MYSQL credentials.
CVE-2024-22900 1 Vinchin 1 Vinchin Backup And Recovery 2025-11-04 8.8 High
Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the setNetworkCardInfo function.
CVE-2024-22899 1 Vinchin 1 Vinchin Backup And Recovery 2025-11-04 8.8 High
Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.
CVE-2023-45498 1 Vinchin 1 Vinchin Backup And Recovery 2025-06-12 9.8 Critical
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain a command injection vulnerability.
CVE-2023-45499 1 Vinchin 1 Vinchin Backup And Recovery 2024-11-21 9.8 Critical
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.
CVE-2022-35866 1 Vinchin 1 Vinchin Backup And Recovery 2024-11-21 9.8 Critical
This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17139.