The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration.

In Linux before version 2.0.36, remote attackers can spoof a TCP connection and pass data to the application layer before fully establishing the connection.

A buffer overflow in the SGI X server allows local users to gain root access through the X server font path.

In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.

Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.

The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access.

Buffer overflow in gnuplot in Linux version 3.5 allows local users to obtain root access.

Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server.

By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.

Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.

A buffer overflow in lsof allows local users to obtain root privilege.

Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution.

A bug in Cyrix CPUs on Linux allows local users to perform a denial of service.

wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.

A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.

Denial of service in Linux 2.2.0 running the ldd command on a core file.

The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.

In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.

The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.

A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.