
Jarosław Wawiórko

Rank: #19000 of 53,633
Total CVSS: 14.1
Vulnerabilities: 2 (Medium: 1, Critical: 1)

PT-2026-36808 · CVSS 9.3 · 2026-05-04 · 3Onedata · Gw1101-1D(Rs-485)-Tb-P · CVE-2025-13605

**Name of the Vulnerable Software and Affected Versions** 3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) versions prior to 3.0.59B2024080600R4353

**Description** Authenticated users can execute arbitrary shell commands with root privileges. This is possible by providing a malicious payload in the "IP address" field of the diagnosis test tools.

**Recommendations** Update to firmware version 3.0.59B2024080600R4353.

PT-2026-5331 · CVSS 4.8 · 2026-01-29 · Fluentcms · Fluentcms · CVE-2025-15549

**Name of the Vulnerable Software and Affected Versions** FluentCMS version 2026

**Description** FluentCMS version 2026 has a stored cross-site scripting issue. Authenticated administrators can upload SVG files containing JavaScript through the File Management module. An attacker can upload a malicious SVG file, and when a user accesses the file’s URL, JavaScript will execute in their browser. The vulnerable module is the File Management module, and the attack vector involves uploading SVG files.

**Recommendations** Apply updates to address the issue in the File Management module. Restrict file uploads to trusted sources. Sanitize uploaded SVG files to remove any embedded JavaScript code.