Total
2551 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-26063 | 1 Intelbras | 4 Rx 1500, Rx 1500 Firmware, Rx 3000 and 1 more | 2025-08-20 | N/A | 9.8 CRITICAL |
| An issue in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows unauthenticated attackers to execute arbitrary code via injecting a crafted payload into the ESSID name when creating a network. | |||||
| CVE-2025-50461 | 2025-08-20 | N/A | 6.5 MEDIUM | ||
| A deserialization vulnerability exists in Volcengine's verl 3.0.0, specifically in the scripts/model_merger.py script when using the "fsdp" backend. The script calls torch.load() with weights_only=False on user-supplied .pt files, allowing attackers to execute arbitrary code if a maliciously crafted model file is loaded. An attacker can exploit this by convincing a victim to download and place a malicious model file in a local directory with a specific filename pattern. This vulnerability may lead to arbitrary code execution with the privileges of the user running the script. | |||||
| CVE-2025-55294 | 2025-08-20 | N/A | 9.8 CRITICAL | ||
| screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without sanitization. This results in arbitrary command execution with the privileges of the calling process. This vulnerability is fixed in 1.15.2. | |||||
| CVE-2025-52337 | 2025-08-20 | N/A | 6.5 MEDIUM | ||
| An authenticated arbitrary file upload vulnerability in the Content Explorer feature of LogicData eCommerce Framework v5.0.9.7000 allows attackers to execute arbitrary code via uploading a crafted file. | |||||
| CVE-2020-13117 | 1 Wavlink | 4 Wn575a4, Wn575a4 Firmware, Wn579x3 and 1 more | 2025-08-19 | 10.0 HIGH | 9.8 CRITICAL |
| Wavlink WN575A4, WN579X3, and WN530G3A devices through 2020-05-15 allow unauthenticated remote users to inject commands via the key parameter in a login request. | |||||
| CVE-2025-27423 | 2 Netapp, Vim | 2 Hci Compute Node, Vim | 2025-08-18 | N/A | 7.1 HIGH |
| Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164 | |||||
| CVE-2025-22941 | 1 Adtran | 2 411, 411 Firmware | 2025-08-18 | N/A | 9.8 CRITICAL |
| A command injection vulnerability in the web interface of Adtran 411 ONT L80.00.0011.M2 allows attackers to escalate privileges to root and execute arbitrary commands. | |||||
| CVE-2025-22939 | 1 Adtran | 2 411, 411 Firmware | 2025-08-18 | N/A | 9.8 CRITICAL |
| A command injection vulnerability in the telnet service of Adtran 411 ONT L80.00.0011.M2 allows attackers to escalate privileges to root and execute arbitrary commands. | |||||
| CVE-2023-42128 | 1 Magnetforensics | 1 Axiom | 2025-08-18 | N/A | 8.0 HIGH |
| Magnet Forensics AXIOM Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Magnet Forensics AXIOM. User interaction is required to exploit this vulnerability in that the target must acquire data from a malicious mobile device. The specific flaw exists within the Android device image acquisition functionality. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21255. | |||||
| CVE-2025-8956 | 1 Dlink | 2 Dir-818l, Dir-818l Firmware | 2025-08-18 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in D-Link DIR‑818L up to 1.05B01. This issue affects the function getenv of the file /htdocs/cgibin of the component ssdpcgi. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-9026 | 1 Dlink | 2 Dir-860l, Dir-860l Firmware | 2025-08-18 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was identified in D-Link DIR-860L 2.04.B04. This affects the function ssdpcgi_main of the file htdocs/cgibin of the component Simple Service Discovery Protocol. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-4267 | 1 Lollms | 1 Lollms-webui | 2025-08-15 | N/A | 9.8 CRITICAL |
| A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the 'open_file' function. An attacker can exploit this vulnerability by crafting a malicious file path that, when processed by the 'open_file' function, executes arbitrary system commands or reads sensitive file content. This issue is present in the code where subprocess.Popen is used unsafely to open files based on user-supplied paths without adequate validation, leading to potential command injection. | |||||
| CVE-2024-48288 | 1 Tp-link | 2 Tl-ipc42c, Tl-ipc42c Firmware | 2025-08-15 | N/A | 8.0 HIGH |
| TP-Link TL-IPC42C V4.0_20211227_1.0.16 is vulnerable to command injection due to the lack of malicious code verification on both the frontend and backend. | |||||
| CVE-2025-45317 | 1 Hortusfox | 1 Hortusfox | 2025-08-15 | N/A | 6.5 MEDIUM |
| A zip slip vulnerability in the /modules/ImportModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary code via a crafted archive. | |||||
| CVE-2025-50515 | 2025-08-15 | N/A | 6.5 MEDIUM | ||
| An issue was discovered in phome Empirebak 2010 in ebak2008/upload/class/config.php allowing attackers to execute arbitrary code when the config file was loaded. | |||||
| CVE-2025-53773 | 1 Microsoft | 1 Visual Studio 2022 | 2025-08-15 | N/A | 7.8 HIGH |
| Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code locally. | |||||
| CVE-2024-53945 | 2025-08-15 | N/A | 8.8 HIGH | ||
| The KuWFi 4G AC900 LTE router 1.0.13 is vulnerable to command injection on the HTTP API endpoints /goform/formMultiApnSetting and /goform/atCmd. An authenticated attacker can execute arbitrary OS commands with root privileges via shell metacharacters in parameters such as pincode and cmds. Exploitation can lead to full system compromise, including enabling remote access (e.g., enabling telnet). | |||||
| CVE-2025-6485 | 1 Totolink | 2 A3002r, A3002r Firmware | 2025-08-14 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in TOTOLINK A3002R 1.1.1-B20200824.0128. It has been classified as critical. This affects the function formWlSiteSurvey of the file /boafrm/formWlSiteSurvey. The manipulation of the argument wlanif leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-53787 | 1 Microsoft | 1 365 Copilot Chat | 2025-08-14 | N/A | 8.2 HIGH |
| Microsoft 365 Copilot BizChat Information Disclosure Vulnerability | |||||
| CVE-2025-53774 | 1 Microsoft | 1 365 Copilot Chat | 2025-08-14 | N/A | 6.5 MEDIUM |
| Microsoft 365 Copilot BizChat Information Disclosure Vulnerability | |||||