Total
2228 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-25675 | 1 Tenda | 2 Ac10, Ac10 Firmware | 2025-03-17 | N/A | 9.8 CRITICAL |
| Tenda AC10 V1.0 V15.03.06.23 has a command injection vulnerablility located in the formexeCommand function. The str variable receives the cmdinput parameter from a POST request and is later assigned to the cmd_buf variable, which is directly used in the doSystemCmd function, causing an arbitrary command execution. | |||||
| CVE-2024-12992 | 2025-03-17 | N/A | N/A | ||
| Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. This issue affects Pandora FMS from 700 to 777.6 . | |||||
| CVE-2024-12971 | 2025-03-17 | N/A | N/A | ||
| Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection.This issue affects Pandora FMS from 700 to 777.6 | |||||
| CVE-2025-2367 | 2025-03-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability has been found in Oiwtech OIW-2431APGN-HP 2.5.3-B20131128 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formScript of the component Personal Script Submenu. The manipulation leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-55956 | 1 Cleo | 3 Harmony, Lexicom, Vltrader | 2025-03-14 | N/A | 9.8 CRITICAL |
| In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. | |||||
| CVE-2016-20017 | 1 Dlink | 2 Dsl-2750b, Dsl-2750b Firmware | 2025-03-14 | N/A | 9.8 CRITICAL |
| D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022. | |||||
| CVE-2023-24184 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2025-03-14 | N/A | 9.8 CRITICAL |
| TOTOLink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability. | |||||
| CVE-2010-5330 | 1 Ui | 1 Airos | 2025-03-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The fixed version is v4.0.1 for 802.11 ISP products, v5.3.5 for AirMax ISP products, and v5.4.5 for AirSync firmware. For example, Nanostation5 (Air OS) is affected. | |||||
| CVE-2023-33300 | 2025-03-14 | N/A | 5.3 MEDIUM | ||
| A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiNAC 7.2.1 and earlier, 9.4.3 and earlier allows attacker a limited, unauthorized file access via specifically crafted request in inter-server communication port. | |||||
| CVE-2024-46662 | 2025-03-14 | N/A | 8.8 HIGH | ||
| A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiManager versions 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3 allows attacker to escalation of privilege via specifically crafted packets | |||||
| CVE-2024-9264 | 1 Grafana | 1 Grafana | 2025-03-14 | N/A | 9.9 CRITICAL |
| The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. | |||||
| CVE-2024-30637 | 1 Tenda | 2 F1202, F1202 Firmware | 2025-03-13 | N/A | 8.8 HIGH |
| Tenda F1202 v1.2.0.20(408) has a command injection vulnerablility in the formWriteFacMac function in the mac parameter. | |||||
| CVE-2024-28545 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2025-03-13 | N/A | 9.8 CRITICAL |
| Tenda AC18 V15.03.05.05 contains a command injection vulnerablility in the deviceName parameter of formsetUsbUnload function. | |||||
| CVE-2024-35522 | 1 Netgear | 2 Ex3700, Ex3700 Firmware | 2025-03-13 | N/A | 8.4 HIGH |
| Netgear EX3700 ' AC750 WiFi Range Extender Essentials Edition before 1.0.0.98 contains an authenticated command injection in operating_mode.cgi via the ap_mode parameter with ap_24g_manual set to 1 and ap_24g_manual_sec set to NotNone. | |||||
| CVE-2024-35517 | 1 Netgear | 2 Xr1000, Xr1000 Firmware | 2025-03-13 | N/A | 8.4 HIGH |
| Netgear XR1000 v1.0.0.64 is vulnerable to command injection in usb_remote_smb_conf.cgi via the share_name parameter. | |||||
| CVE-2023-1671 | 1 Sophos | 1 Web Appliance | 2025-03-13 | N/A | 9.8 CRITICAL |
| A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code. | |||||
| CVE-2024-48288 | 2025-03-13 | N/A | 8.0 HIGH | ||
| TP-Link TL-IPC42C V4.0_20211227_1.0.16 is vulnerable to command injection due to the lack of malicious code verification on both the frontend and backend. | |||||
| CVE-2024-42947 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2025-03-13 | N/A | 9.8 CRITICAL |
| An issue in the handler function in /goform/telnet of Tenda FH1201 v1.2.0.14 (408) allows attackers to execute arbitrary commands via a crafted HTTP request. | |||||
| CVE-2024-8402 | 2025-03-13 | N/A | 3.7 LOW | ||
| An issue was discovered in GitLab EE affecting all versions starting from 17.2 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. An input validation issue in the Google Cloud IAM integration feature could have enabled a Maintainer to introduce malicious code. | |||||
| CVE-2018-19949 | 1 Qnap | 1 Qts | 2025-03-12 | 7.5 HIGH | 9.8 CRITICAL |
| If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109. | |||||