EmbedThis GoAhead
9 CVEs affecting EmbedThis GoAhead. Latest disclosed: 2025-07-25. Critical: 1, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-5674 | Critical | 9.8 | 2017-03-13 | A vulnerability in a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models allows an attacker to craft a malforme… |
| CVE-2017-5675 | High | 8.8 | 2017-03-13 | A command-injection vulnerability exists in a web application on a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera… |
| CVE-2017-14149 | High | 7.5 | 2017-09-05 | GoAhead 3.4.0 through 3.6.5 has a NULL Pointer Dereference in the websDecodeUrl function in http.c, leading to a crash for a "POST / HTTP/1.1" request. |
| CVE-2023-53155 | High | 7.2 | 2025-07-25 | goform/formTest in EmbedThis GoAhead 2.5 allows HTML injection via the name parameter. |
| CVE-2024-3187 | Medium | 5.9 | 2024-10-17 | This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions <= 6.0.0. These are caused by JST values not… |
| CVE-2024-3184 | Medium | 5.9 | 2024-10-17 | Multiple CWE-476 NULL Pointer Dereference vulnerabilities were found in GoAhead Web Server up to version 6.0.0 when compiled with the ME_GOAHEAD_REPLACE_MALLOC… |
| CVE-2024-3186 | Medium | 5.3 | 2024-10-17 | CWE-476 NULL Pointer Dereference vulnerability in the evalExpr() function of GoAhead Web Server (version <= 6.0.0) when compiled with the ME_GOAHEAD_JAVASCRIPT… |
| CVE-2021-43298 | | | 2022-01-25 | The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that a… |
| CVE-2014-9707 | | | 2015-03-31 | EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traver… |