Buffalotech

All CVEs

78 total · sorted by risk
  • CVE-2026-45779 · Cri · Jun 5, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or…

  • CVE-2026-45777 · Cri · Jun 5, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This…

  • CVE-2026-33280 · Cri · Mar 27, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product’s debugging functionality, resulting in the execution of arbitrary OS commands.

  • CVE-2026-32669 · Cri · Mar 27, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Code injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, arbitrary code may be executed on the products.

  • CVE-2026-27650 · Cri · Mar 27, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary OS command may be executed on the products.

  • CVE-2017-2126 · Cri · Jul 22, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    WAPM-1166D firmware Ver.1.2.7 and earlier, WAPM-APG600H firmware Ver.1.16.1 and earlier allows remote attackers to bypass authentication and access the configuration interface via unspecified vectors.

  • CVE-2018-0556 · Hig · Apr 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.

  • CVE-2018-0554 · Hig · Apr 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to bypass authentication and execute arbitrary commands on the device via unspecified vectors.

  • CVE-2018-0523 · Hig · Mar 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Buffalo WXR-1900DHP2 firmware Ver.2.48 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.

  • CVE-2018-0521 · Hig · Mar 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Buffalo WXR-1900DHP2 firmware Ver.2.48 and earlier allows an attacker to bypass authentication and execute arbitrary commands on the device via unspecified vectors.

  • CVE-2017-2273 · Hig · Jul 22, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in WMR-433 firmware Ver.1.02 and earlier, WMR-433W firmware Ver.1.40 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

  • CVE-2016-7824 · Hig · Jun 9, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    Buffalo NC01WH devices with firmware version 1.0.0.8 and earlier allow authenticated attackers to bypass access restriction to enable the debug option via unspecified vectors.

  • CVE-2016-7822 · Hig · Jun 9, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Buffalo WNC01WH devices with firmware version 1.0.0.8 and earlier allows remote attackers to hijack the authentication of a logged in user to perform unintended operations via unspecified vectors.

  • CVE-2016-1134 · Hig · Jan 22, 2016
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability on BUFFALO BHR-4GRV2 devices with firmware 1.04 and earlier, WEX-300 devices with firmware 1.90 and earlier, WHR-1166DHP devices with firmware 1.90 and earlier, WHR-300HP2 devices with firmware 1.90 and earlier, WHR-600D devices…

  • CVE-2018-0555 · Hig · Apr 9, 2018
    risk 0.51 · cvss 7.8 · epss 0.02

    Buffer overflow in Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to execute arbitrary code via a specially crafted file.

  • CVE-2018-0522 · Hig · Mar 9, 2018
    risk 0.51 · cvss 7.8 · epss 0.01

    Buffer overflow in Buffalo WXR-1900DHP2 firmware Ver.2.48 and earlier allows an attacker to execute arbitrary code via a specially crafted file.

  • CVE-2026-32678 · Hig · Mar 27, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication.

  • CVE-2025-26167 · Hig · Mar 6, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Buffalo LS520D 4.53 is vulnerable to Arbitrary file read, which allows unauthenticated attackers to access the NAS web UI and read arbitrary internal files.

  • CVE-2016-4815 · Hig · Jun 19, 2016
    risk 0.49 · cvss 7.5 · epss 0.02

    Directory traversal vulnerability on BUFFALO WZR-600DHP3 devices with firmware 2.16 and earlier and WZR-S600DHP devices with firmware 2.16 and earlier allows remote attackers to read arbitrary files via unspecified vectors.

  • CVE-2025-61941 · Hig · Oct 15, 2025
    risk 0.47 · cvss 7.2 · epss 0.00

    A path traversal issue exists in WXR9300BE6P series firmware versions prior to Ver.1.10. An arbitrary file may be altered by an administrative user who logs in to the affected product. Moreover, an arbitrary OS command may be executed via some file alteration.

  • CVE-2025-61871 · Med · Oct 10, 2025
    risk 0.44 · cvss 6.7 · epss 0.00

    NAS Navigator2 Windows version by BUFFALO INC. registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.

  • CVE-2017-10811 · Med · Aug 18, 2017
    risk 0.44 · cvss 6.8 · epss 0.01

    Buffalo WCR-1166DS devices with firmware 1.30 and earlier allow an attacker to execute arbitrary OS commands via unspecified vectors.

  • CVE-2017-2152 · Med · Apr 28, 2017
    risk 0.44 · cvss 6.8 · epss 0.01

    WNC01WH firmware 1.0.0.9 and earlier allows authenticated attackers to execute arbitrary OS commands via unspecified vectors.

  • CVE-2015-8262 · Med · Dec 27, 2015
    risk 0.44 · cvss 6.8 · epss 0.01

    Buffalo WZR-600DHP2 devices with firmware 2.09, 2.13, and 2.16 use an improper algorithm for selecting the ID value in the header of a DNS query, which makes it easier for remote attackers to spoof responses by predicting this value.

  • CVE-2025-66954 · Med · Apr 20, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A vulnerability exists in the Buffalo Link Station version 1.85-0.01 that allows unauthenticated or guest-level users to enumerate valid usernames and their associated privilege roles. The issue is triggered by modifying a parameter within requests sent to the /nasapi endpoint.

  • CVE-2016-7826 · Med · Jun 9, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Directory traversal vulnerability in Buffalo WNC01WH devices with firmware version 1.0.0.8 and earlier allows authenticated attackers to read arbitrary files via specially crafted POST requests.

  • CVE-2016-7825 · Med · Jun 9, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Directory traversal vulnerability in Buffalo WNC01WH devices with firmware version 1.0.0.8 and earlier allows authenticated attackers to read arbitrary files via specially crafted commands.

  • CVE-2016-7821 · Med · Jun 9, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    Buffalo WNC01WH devices with firmware version 1.0.0.8 and earlier allow remote attackers to cause a denial of service against the management screen via unspecified vectors.

  • CVE-2016-4816 · Med · Jun 19, 2016
    risk 0.42 · cvss 6.5 · epss 0.01

    BUFFALO WZR-600DHP3 devices with firmware 2.16 and earlier and WZR-S600DHP devices allow remote attackers to discover credentials and other sensitive information via unspecified vectors.

  • CVE-2017-10896 · Med · Dec 8, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting vulnerability in Buffalo BBR-4HG and BBR-4MG broadband routers with firmware 1.00 to 1.48 and 2.00 to 2.07 allows an attacker to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2017-2274 · Med · Jul 22, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting vulnerability in WMR-433 firmware Ver.1.02 and earlier, WMR-433W firmware Ver.1.40 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2016-1135 · Med · Jan 22, 2016
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability on BUFFALO BHR-4GRV2 devices with firmware 1.04 and earlier, WEX-300 devices with firmware 1.90 and earlier, WHR-1166DHP devices with firmware 1.90 and earlier, WHR-300HP2 devices with firmware 1.90 and earlier, WHR-600D devices with…

  • CVE-2024-44072 · Med · Sep 10, 2024
    risk 0.37 · cvss 5.7 · epss 0.01

    OS command injection vulnerability exists in BUFFALO wireless LAN routers and wireless LAN repeaters. If a user logs in to the management page and sends a specially crafted request to the affected product from the product's specific management page, an arbitrary OS command may…

  • CVE-2026-45778 · Med · Jun 5, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when…

  • CVE-2026-33366 · Med · Mar 27, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Missing authentication for critical function vulnerability in BUFFALO Wi-Fi router products may allow an attacker to forcibly reboot the product without authentication.

  • CVE-2026-29516 · Med · Mar 16, 2026
    risk 0.32 · cvss 4.9 · epss 0.01

    Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an excessive file permissions vulnerability that allows authenticated attackers to read the /etc/shadow file by uploading and executing a PHP file through the webserver. Attackers can exploit…

  • CVE-2017-10897 · Med · Dec 8, 2017
    risk 0.29 · cvss 4.5 · epss 0.00

    Input validation issue in Buffalo BBR-4HG and BBR-4MG broadband routers with firmware 1.00 to 1.48 and 2.00 to 2.07 allows an attacker to cause the device to become unresponsive via unspecified vectors.

  • CVE-2026-45776 · Med · Jun 5, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an…

  • CVE-2025-46413 · Med · Nov 7, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Use of password hash with insufficient computational effort issue exists in BUFFALO Wi-Fi router 'WSR-1800AX4 series'. When WPS is enabled, PIN code and/or Wi-Fi password may be obtained by an attacker.

  • CVE-2016-7823 · Med · Jun 9, 2017
    risk 0.28 · cvss 4.3 · epss 0.00

    Cross-site scripting vulnerability in Buffalo WNC01WH devices with firmware version 1.0.0.8 and earlier allows authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2021-20090 · KEV · Apr 29, 2021
    risk 0.20 · cvss · epss 1.00

    A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.

  • CVE-2021-20091 · Apr 29, 2021
    risk 0.07 · cvss · epss 0.09

    The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code…

  • CVE-2021-20092 · Apr 29, 2021
    risk 0.06 · cvss · epss 0.08

    The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.

  • CVE-2023-51073 · Jan 11, 2024
    risk 0.02 · cvss · epss 0.01

    An issue in Buffalo LS210D v.1.78-0.03 allows a remote attacker to execute arbitrary code via the Firmware Update Script at /etc/init.d/update_notifications.sh.

  • CVE-2018-13320 · Nov 26, 2018
    risk 0.01 · cvss · epss 0.03

    System Command Injection in network.set_auth_settings in Buffalo TS5600D1206 version 3.70-0.10 allows attackers to execute system commands via the adminUsername and adminPassword parameters.

  • CVE-2018-13318 · Nov 26, 2018
    risk 0.01 · cvss · epss 0.03

    System command injection in User.create method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute system commands via the "name" parameter.

  • CVE-2024-26023 · Apr 15, 2024
    risk 0.00 · cvss · epss 0.01

    OS command injection vulnerability in BUFFALO wireless LAN routers allows a logged-in user to execute arbitrary OS commands.

  • CVE-2024-23486 · Apr 15, 2024
    risk 0.00 · cvss · epss 0.01

    Plaintext storage of a password issue exists in BUFFALO wireless LAN routers, which may allow a network-adjacent unauthenticated attacker with access to the product's login page to obtain configured credentials.

  • CVE-2023-49038 · Jan 29, 2024
    risk 0.00 · cvss · epss 0.02

    Command injection in the ping utility on Buffalo LS210D 1.78-0.03 allows a remote authenticated attacker to inject arbitrary commands onto the NAS as root.

  • CVE-2023-51363 · Dec 26, 2023
    risk 0.00 · cvss · epss 0.00

    VR-S1000 firmware Ver. 2.37 and earlier allows a network-adjacent unauthenticated attacker who can access the product's web management page to obtain sensitive information.

Page 1 of 2