Total
2210 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-43714 | 2025-05-21 | N/A | 6.5 MEDIUM | ||
| The ChatGPT system through 2025-03-30 performs inline rendering of SVG documents (instead of, for example, rendering them as text inside a code block), which enables HTML injection within most modern graphical web browsers. | |||||
| CVE-2024-55063 | 2025-05-21 | N/A | 8.8 HIGH | ||
| Multiple Code Injection vulnerabilities in EasyVirt DC NetScope <= 8.7.0 allows remote authenticated attackers to execute arbitrary code via the (1) lang parameter to /international/keyboard/options; the (2) keyboard_layout or (3) keyboard_variant parameter to /international/settings/keyboard; the (4) timezone parameter to /international/settings/timezone. | |||||
| CVE-2025-20258 | 2025-05-21 | N/A | 5.4 MEDIUM | ||
| A vulnerability in the self-service portal of Cisco Duo could allow an unauthenticated, remote attacker to inject arbitrary commands into emails that are sent by the service. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary commands into a portion of an email that is sent by the service. A successful exploit could allow the attacker to send emails that contain malicious content to unsuspecting users. | |||||
| CVE-2025-4008 | 2025-05-21 | N/A | N/A | ||
| The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application written in CGI shell scripts and C. This web interface exposes an endpoint that is vulnerable to command injection. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices. | |||||
| CVE-2025-4999 | 2025-05-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1.0.17.000000 and classified as critical. Affected by this issue is the function sub_4153FC of the file /cgi-bin/sysconf.cgi of the component HTTP POST Request Handler. The manipulation of the argument supplicant_rnd_id_en leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-44084 | 2025-05-21 | N/A | 9.8 CRITICAL | ||
| D-link DI-8100 16.07.26A1 is vulnerable to Command Injection. An attacker can exploit this vulnerability by crafting specific HTTP requests, triggering the command execution flaw and gaining the highest privilege shell access to the firmware system. | |||||
| CVE-2025-5030 | 2025-05-21 | 5.1 MEDIUM | 5.0 MEDIUM | ||
| A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been declared as critical. This vulnerability affects the function processFile of the file internal/unpack/unpack.go of the component wxapkg File Parser. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-5000 | 2025-05-21 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1.0.17.000000. It has been classified as critical. This affects the function control_panel_sw of the file /cgi-bin/sysconf.cgi of the component HTTP POST Request Handler. The manipulation of the argument filename leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-52022 | 1 Netgear | 8 R6400v2, R6400v2 Firmware, R7000p and 5 more | 2025-05-21 | N/A | 8.0 HIGH |
| Netgear R8500 v1.0.2.160, XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 were discovered to contain a command injection vulnerability in the component wlg_adv.cgi via the apmode_gateway parameter. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request. | |||||
| CVE-2025-44848 | 1 Totolink | 2 Ca600-poe, Ca600-poe Firmware | 2025-05-21 | N/A | 6.5 MEDIUM |
| TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the msg_process function via the Url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44860 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-05-21 | N/A | 6.5 MEDIUM |
| TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the msg_process function via the Port parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44861 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-05-21 | N/A | 6.3 MEDIUM |
| TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44862 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-05-21 | N/A | 6.3 MEDIUM |
| TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the recvUpgradeNewFw function via the fwUrl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44863 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-05-21 | N/A | 6.5 MEDIUM |
| TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the msg_process function via the Url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2024-21117 | 1 Oracle | 1 Outside In Technology | 2025-05-21 | N/A | 5.3 MEDIUM |
| Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Core). Supported versions that are affected are 8.5.6 and 8.5.7. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Outside In Technology executes to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data as well as unauthorized read access to a subset of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). | |||||
| CVE-2025-2717 | 1 Dlink | 2 Dir-823x, Dir-823x Firmware | 2025-05-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability, which was classified as critical, has been found in D-Link DIR-823X 240126/240802. This issue affects the function sub_41710C of the file /goform/diag_nslookup of the component HTTP POST Request Handler. The manipulation of the argument target_addr leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-1800 | 1 Dlink | 2 Dar-7000, Dar-7000 Firmware | 2025-05-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in D-Link DAR-7000 3.2 and classified as critical. This vulnerability affects the function get_ip_addr_details of the file /view/vpn/sxh_vpn/sxh_vpnlic.php of the component HTTP POST Request Handler. The manipulation of the argument ethname leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-33112 | 1 Dlink | 2 Dir-845l, Dir-845l Firmware | 2025-05-21 | N/A | 7.5 HIGH |
| D-Link DIR-845L router v1.01KRb03 and before is vulnerable to Command injection via the hnap_main()func. | |||||
| CVE-2024-33113 | 1 Dlink | 2 Dir-845l, Dir-845l Firmware | 2025-05-21 | N/A | 5.3 MEDIUM |
| D-LINK DIR-845L <=v1.01KRb03 is vulnerable to Information disclosurey via bsc_sms_inbox.php. | |||||
| CVE-2024-33344 | 1 Dlink | 2 Dir-822\+, Dir-822\+ Firmware | 2025-05-21 | N/A | 9.8 CRITICAL |
| D-Link DIR-822+ V1.0.5 was found to contain a command injection in ftext function of upload_firmware.cgi, which allows remote attackers to execute arbitrary commands via shell. | |||||