Total
4638 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-36245 | 2025-10-02 | N/A | 8.8 HIGH | ||
| IBM InfoSphere 11.7.0.0 through 11.7.1.6 Information Server could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input. | |||||
| CVE-2025-9762 | 2025-10-02 | N/A | 9.8 CRITICAL | ||
| The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-11148 | 2025-10-02 | N/A | 9.8 CRITICAL | ||
| All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches. However, the library follows these conventions which can be abused: 1. It trusts branch names as they are (plain text) 2. It spawns git commands by concatenating user input Since a branch name is potentially a user input - as users can create branches remotely via pull requests, or simply due to privileged access to a repository - it can effectively be abused to run any command. | |||||
| CVE-2025-30247 | 2025-10-02 | N/A | N/A | ||
| An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST. | |||||
| CVE-2025-10659 | 2025-10-02 | N/A | 9.8 CRITICAL | ||
| The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the insecure termination of a regular expression check within the endpoint. Because the input is not correctly validated or sanitized, an unauthenticated attacker can inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server in the context of the web application service account. | |||||
| CVE-2025-27262 | 1 Ericsson | 2 Indoor Connect 8855, Indoor Connect 8855 Firmware | 2025-10-02 | N/A | 7.8 HIGH |
| Ericsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can result in an escalation of privileges. | |||||
| CVE-2025-43020 | 1 Hp | 1 Poly Clariti Manager | 2025-10-02 | N/A | 6.8 MEDIUM |
| A potential command injection vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The vulnerability could allow a privileged user to submit arbitrary input. HP has addressed the issue in the latest software update. | |||||
| CVE-2025-9588 | 2 Ironmountain, Linux | 2 Envision, Linux Kernel | 2025-10-02 | N/A | 10.0 CRITICAL |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Iron Mountain Archiving Services Inc. EnVision allows Command Injection.This issue affects enVision: before 250563. | |||||
| CVE-2024-52058 | 1 Rti | 1 Connext Professional | 2025-10-02 | N/A | 7.8 HIGH |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in RTI Connext Professional (System Designer) allows OS Command Injection.This issue affects Connext Professional: from 7.0.0 before 7.3.0.2, from 6.1.0 before 6.1.2.19. | |||||
| CVE-2024-39935 | 1 Jc21 | 1 Nginx Proxy Manager | 2025-10-02 | N/A | 8.8 HIGH |
| jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS provider configuration. NOTE: this is not part of any NGINX software shipped by F5. | |||||
| CVE-2025-9727 | 1 Dlink | 2 Dir-816l, Dir-816l Firmware | 2025-10-01 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in D-Link DIR-816L 206b01. Affected by this issue is the function soapcgi_main of the file /soap.cgi. This manipulation of the argument service causes os command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-3816 | 1 Westboy | 1 Cicadascms | 2025-10-01 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability classified as critical was found in westboy CicadasCMS 2.0. This vulnerability affects unknown code of the file /system/schedule/save of the component Scheduled Task Handler. The manipulation leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-44759 | 1 Nuserp | 1 Nus-m9 Erp | 2025-10-01 | N/A | 7.5 HIGH |
| An arbitrary file download vulnerability in the component /Doc/DownloadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request. | |||||
| CVE-2025-23049 | 2025-10-01 | N/A | N/A | ||
| Meridian Technique Materialise OrthoView through 7.5.1 allows OS Command Injection when servlet sharing is enabled. | |||||
| CVE-2025-34087 | 1 Pi-hole | 1 Pi-hole | 2025-10-01 | N/A | 8.8 HIGH |
| An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions. | |||||
| CVE-2024-1297 | 1 Loomio | 1 Loomio | 2025-09-30 | N/A | 10.0 CRITICAL |
| Loomio version 2.22.0 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to OS Command Injection. | |||||
| CVE-2025-35027 | 2025-09-30 | N/A | 7.3 HIGH | ||
| Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. By setting a malicious string when configuring the on-board WiFi via a BLE module of an affected robot, then triggering a restart of the WiFi service, an attacker can ultimately trigger commands to be run as root via the wpa_supplicant_restart.sh shell script. All Unitree models use firmware derived from the same codebase (MIT Cheetah), and the two major forks are the G1 (humanoid) and Go2 (quadruped) branches. | |||||
| CVE-2024-9054 | 1 Microchip | 2 Timeprovider 4100, Timeprovider 4100 Firmware | 2025-09-29 | N/A | 8.8 HIGH |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7. | |||||
| CVE-2025-11141 | 2025-09-29 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A security flaw has been discovered in Ruijie NBR2100G-E up to 20250919. Affected by this issue is the function listAction of the file /itbox_pi/branch_passw.php?a=list. Performing manipulation of the argument city results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11138 | 2025-09-29 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. | |||||