Aggregates CVE and security vulnerability intelligence across all Buffalo-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk path handling, vendor risk cross-site scripting, and vendor risk buffer overflow; exposure may include vendor impact application crash in vendor surface software deployment contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-45779 | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or user interaction and can result in complete compromise of the underlying database. All deployments of Open XDMoD prior to 10.0.3 are impacted. This issue was discovered on 2023-08-03 and patched on 2023-08-04. At this time | [email protected] | 9.3 | 0.43% | 2026-06-05 | 2026-06-10 |
| CVE-2026-45778 | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the victim, reflects and executes the unsanitized payload in the victim's browser, potentially leading to credential capture and Open XDMoD account takeover. All deployments of Open XDMoD prior to 11.0.3 are imp | [email protected] | 8.6 | 0.05% | 2026-06-05 | 2026-06-10 |
| CVE-2026-45777 | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This could allow an attacker to read or modify application data, alter system configuration, or disrupt service availability. All deployments of Open XDMoD versions 9.5.0 through 11.0.2 (inclusive) are impacted. This issue was re | [email protected] | 9.3 | 0.06% | 2026-06-05 | 2026-06-10 |
| CVE-2026-45776 | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an installation of Open XDMoD includes the optional Job Performance (SUPReMM) module, an attacker could bypass intended data access restrictions and view other users' compute job efficiency metrics. All deployments of Open XDMoD prior | [email protected] | 5.3 | 0.03% | 2026-06-05 | 2026-06-10 |
| CVE-2026-33366 | Missing authentication for critical function vulnerability in BUFFALO Wi-Fi router products may allow an attacker to forcibly reboot the product without authentication. | [email protected] | 6.9 | 0.15% | 2026-03-27 | 2026-03-31 |
| CVE-2026-33280 | Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product’s debugging functionality, resulting in the execution of arbitrary OS commands. | [email protected] | 8.6 | 0.07% | 2026-03-27 | 2026-03-31 |
| CVE-2026-32678 | Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication. | [email protected] | 8.7 | 0.07% | 2026-03-27 | 2026-03-31 |
| CVE-2026-32669 | Code injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary code may be executed on the products. | [email protected] | 8.7 | 0.05% | 2026-03-27 | 2026-03-31 |
| CVE-2026-27650 | OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary OS command may be executed on the products. | [email protected] | 8.6 | 0.12% | 2026-03-27 | 2026-03-31 |
| CVE-2024-26023 | OS command injection vulnerability in BUFFALO wireless LAN routers allows a logged-in user to execute arbitrary OS commands. | [email protected] | 4.2 | 0.16% | 2024-04-15 | 2025-06-30 |
| CVE-2024-23486 | Plaintext storage of a password issue exists in BUFFALO wireless LAN routers, which may allow a network-adjacent unauthenticated attacker with access to the product's login page may obtain configured credentials. | [email protected] | 9.8 | 0.48% | 2024-04-15 | 2025-06-30 |
| CVE-2023-49038 | Command injection in the ping utility on Buffalo LS210D 1.78-0.03 allows a remote authenticated attacker to inject arbitrary commands onto the NAS as root. | [email protected] | 7.2 | 1.47% | 2024-01-29 | 2025-06-02 |
| CVE-2023-51073 | An issue in Buffalo LS210D v.1.78-0.03 allows a remote attacker to execute arbitrary code via the Firmware Update Script at /etc/init.d/update_notifications.sh. | [email protected] | 8.1 | 26.02% | 2024-01-11 | 2025-06-06 |
| CVE-2023-51363 | VR-S1000 firmware Ver. 2.37 and earlier allows a network-adjacent unauthenticated attacker who can access the product's web management page to obtain sensitive information. | [email protected] | 6.5 | 0.12% | 2023-12-26 | 2024-11-21 |
| CVE-2023-46711 | VR-S1000 firmware Ver. 2.37 and earlier uses a hard-coded cryptographic key which may allow an attacker to analyze the password of a specific product user. | [email protected] | 4.6 | 0.08% | 2023-12-26 | 2024-11-21 |
| CVE-2023-46681 | Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in VR-S1000 firmware Ver. 2.37 and earlier allows an authenticated attacker who can access to the product's command line interface to execute an arbitrary command. | [email protected] | 7.8 | 0.06% | 2023-12-26 | 2024-11-21 |
| CVE-2023-45741 | VR-S1000 firmware Ver. 2.37 and earlier allows an attacker with access to the product's web management page to execute arbitrary OS commands. | [email protected] | 6.8 | 0.08% | 2023-12-26 | 2024-11-21 |
| CVE-2023-39620 | An Issue in Buffalo America, Inc. TeraStation NAS TS5410R v.5.00 thru v.0.07 allows a remote attacker to obtain sensitive information via the guest account function. | [email protected] | 7.5 | 0.07% | 2023-09-08 | 2024-11-21 |
| CVE-2023-26588 | Use of hard-coded credentials vulnerability in Buffalo network devices allows an attacker to access the debug function of the product. The affected products and versions are as follows: BS-GSL2024 firmware Ver. 1.10-0.03 and earlier, BS-GSL2016P firmware Ver. 1.10-0.03 and earlier, BS-GSL2016 firmware Ver. 1.10-0.03 and earlier, BS-GS2008 firmware Ver. 1.0.10.01 and earlier, BS-GS2016 firmware Ver. 1.0.10.01 and earlier, BS-GS2024 firmware Ver. 1.0.10.01 and earlier, BS-GS2048 firmware Ver. 1.0. | [email protected] | 7.5 | 0.32% | 2023-04-11 | 2025-02-11 |
| CVE-2023-24544 | Improper access control vulnerability in Buffalo network devices allows a network-adjacent attacker to obtain specific files of the product. As a result, the product settings may be altered. The affected products and versions are as follows: BS-GSL2024 firmware Ver. 1.10-0.03 and earlier, BS-GSL2016P firmware Ver. 1.10-0.03 and earlier, BS-GSL2016 firmware Ver. 1.10-0.03 and earlier, BS-GS2008 firmware Ver. 1.0.10.01 and earlier, BS-GS2016 firmware Ver. 1.0.10.01 and earlier, BS-GS2024 firmware | [email protected] | 8.1 | 0.08% | 2023-04-11 | 2025-02-11 |