Vulnerabilities (CVE)

Filtered by CWE-78
Total 4341 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-45005 1 Ip-com 2 Ew9, Ew9 Firmware 2025-04-22 N/A 9.8 CRITICAL
IP-COM EW9 V15.11.0.14(9732) was discovered to contain a command injection vulnerability in the cmd_get_ping_output function.
CVE-2025-30286 1 Adobe 1 Coldfusion 2025-04-21 N/A 8.4 HIGH
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed.
CVE-2022-46634 1 Totolink 2 A7100ru, A7100ru Firmware 2025-04-21 N/A 9.8 CRITICAL
TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiWpsCfg function.
CVE-2022-46631 1 Totolink 2 A7100ru, A7100ru Firmware 2025-04-21 N/A 9.8 CRITICAL
TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiSignalCfg function.
CVE-2025-3816 2025-04-21 5.8 MEDIUM 4.7 MEDIUM
A vulnerability classified as critical was found in westboy CicadasCMS 2.0. This vulnerability affects unknown code of the file /system/schedule/save of the component Scheduled Task Handler. The manipulation leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2017-6600 1 Cisco 2 Firepower Extensible Operating System, Unified Computing System 2025-04-20 7.2 HIGH 7.8 HIGH
A vulnerability in the CLI of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb61351 CSCvb61637. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1645) 2.0(1.82) 1.1(4.136.
CVE-2017-2183 1 Kddi 2 Home Spot Cube 2, Home Spot Cube 2 Firmware 2025-04-20 5.2 MEDIUM 8.0 HIGH
HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attackers to execute arbitrary OS commands via Clock Settings.
CVE-2017-8116 1 Teltonika 8 Rut900, Rut900 Firmware, Rut905 and 5 more 2025-04-20 10.0 HIGH 9.8 CRITICAL
The management interface for the Teltonika RUT9XX routers (aka LuCI) with firmware 00.03.265 and earlier allows remote attackers to execute arbitrary commands with root privileges via shell metacharacters in the username parameter in a login request.
CVE-2017-14119 1 Eyesofnetwork 1 Eyesofnetwork 2025-04-20 6.5 MEDIUM 8.8 HIGH
In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\tool_all\tools\snmpwalk.php does not properly restrict popen calls, which allows remote attackers to execute arbitrary commands via shell metacharacters in a parameter.
CVE-2017-10811 1 Buffalo 2 Wcr-1166ds, Wcr-1166ds Firmware 2025-04-20 7.7 HIGH 6.8 MEDIUM
Buffalo WCR-1166DS devices with firmware 1.30 and earlier allow an attacker to execute arbitrary OS commands via unspecified vectors.
CVE-2017-6087 1 Eonweb Project 1 Eonweb 2025-04-20 6.5 MEDIUM 8.8 HIGH
EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter in the (1) acknowledge, (2) delete, or (3) ownDisown function in module/monitoring_ged/ged_functions.php or the (4) module parameter to module/index.php.
CVE-2014-8389 1 Airlive 10 Bu-2015, Bu-2015 Firmware, Bu-3026 and 7 more 2025-04-20 10.0 HIGH 9.8 CRITICAL
cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests.
CVE-2017-2844 1 Foscam 2 C1 Indoor Hd Camera, C1 Indoor Hd Camera Firmware 2025-04-20 6.5 MEDIUM 8.8 HIGH
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
CVE-2017-12305 1 Cisco 1 Ip Phone 8800 Series Firmware 2025-04-20 7.2 HIGH 6.7 MEDIUM
A vulnerability in the debug interface of Cisco IP Phone 8800 series could allow an authenticated, local attacker to execute arbitrary commands, aka Debug Shell Command Injection. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting additional command input to the affected parameter in the debug shell. Cisco Bug IDs: CSCvf80034.
CVE-2017-11588 1 Cisco 2 Residential Gateway, Residential Gateway Firmware 2025-04-20 7.5 HIGH 9.8 CRITICAL
On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E and DDR2201v1 ADSL2+ Residential Gateway DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3 devices, there is remote command execution via shell metacharacters in the pingAddr parameter to the waitPingqry.cgi URI. The command output is visible at /PingMsg.cmd.
CVE-2017-9328 1 Terra-master 1 Terramaster Operating System 2025-04-20 10.0 HIGH 9.8 CRITICAL
Shell metacharacter injection vulnerability in /usr/www/include/ajax/GetTest.php in TerraMaster TOS before 3.0.34 leads to remote code execution as root.
CVE-2017-7413 1 Horde 1 Groupware 2025-04-20 9.0 HIGH 8.8 HIGH
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address.
CVE-2017-14100 1 Digium 2 Asterisk, Certified Asterisk 2025-04-20 7.5 HIGH 9.8 CRITICAL
In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.
CVE-2017-3761 1 Lenovo 1 Service Framework 2025-04-20 10.0 HIGH 9.8 CRITICAL
The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.
CVE-2017-10902 1 Princeton 2 Ptw-wms1, Ptw-wms1 Firmware 2025-04-20 10.0 HIGH 9.8 CRITICAL
PTW-WMS1 firmware version 2.000.012 allows remote attackers to execute arbitrary OS commands via unspecified vectors.