Total
4234 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-54025 | 2025-04-08 | N/A | 6.7 MEDIUM | ||
| An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator CLI before version 2.4.6 allows a privileged attacker to execute unauthorized code or commands via crafted CLI requests. | |||||
| CVE-2024-41788 | 2025-04-08 | N/A | 9.1 CRITICAL | ||
| A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the input parameters in specific GET requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges. | |||||
| CVE-2025-3363 | 2025-04-08 | N/A | 9.8 CRITICAL | ||
| The web service of iSherlock from HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. | |||||
| CVE-2025-27078 | 2025-04-08 | N/A | 6.5 MEDIUM | ||
| A vulnerability in a system binary of AOS-8 Instant and AOS-10 AP could allow an authenticated remote attacker to inject commands into the underlying operating system while using the CLI. Successful exploitation could lead to complete system compromise. | |||||
| CVE-2024-41789 | 2025-04-08 | N/A | 9.1 CRITICAL | ||
| A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the language parameter in specific POST requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges. | |||||
| CVE-2024-30645 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2025-04-08 | N/A | 8.0 HIGH |
| Tenda AC15V1.0 V15.03.20_multi has a command injection vulnerability via the deviceName parameter. | |||||
| CVE-2024-27521 | 1 Totolink | 2 A3300r, A3300r Firmware | 2025-04-08 | N/A | 8.0 HIGH |
| TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote command execution (RCE) vulnerability via multiple parameters in the "setOpModeCfg" function. This security issue allows an attacker to take complete control of the device. In detail, exploitation allows unauthenticated, remote attackers to execute arbitrary system commands with administrative privileges (i.e., as user "root"). | |||||
| CVE-2024-57023 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-04-07 | N/A | 6.8 MEDIUM |
| TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "week" parameter in setWiFiScheduleCfg. | |||||
| CVE-2024-57024 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-04-07 | N/A | 6.8 MEDIUM |
| TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "eMinute" parameter in setWiFiScheduleCfg. | |||||
| CVE-2024-57025 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-04-07 | N/A | 6.8 MEDIUM |
| TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "desc" parameter in setWiFiScheduleCfg. | |||||
| CVE-2021-47667 | 2025-04-07 | N/A | 10.0 CRITICAL | ||
| An OS command injection vulnerability in lib/NSSDropoff.php in ZendTo 5.24-3 through 6.x before 6.10-7 allows unauthenticated remote attackers to execute arbitrary commands via shell metacharacters in the tmp_name parameter when dropping off a file via a POST /dropoff request. | |||||
| CVE-2025-25579 | 1 Totolink | 2 A3002r, A3002r Firmware | 2025-04-07 | N/A | 9.8 CRITICAL |
| TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Command Injection in /bin/boa via bandstr. | |||||
| CVE-2025-30370 | 2025-04-07 | N/A | 7.4 HIGH | ||
| jupyterlab-git is a JupyterLab extension for version control using Git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $(<command>). These directory names are allowed in macOS and a majority of Linux distributions. If a user starts jupyter-lab in a parent directory of this inappropriately-named Git repository, opens it, and clicks "Git > Open Git Repository in Terminal" from the menu bar, then the injected command <command> is run in the user's shell without the user's permission. This issue is occurring because when that menu entry is clicked, jupyterlab-git opens the terminal and runs cd <git-repo-path> through the shell to set the current directory. Doing so runs any command substitution strings present in the directory name, which leads to the command injection issue described here. A previous patch provided an incomplete fix. This vulnerability is fixed in 0.51.1. | |||||
| CVE-2025-3189 | 2025-04-07 | N/A | N/A | ||
| Stored Cross-Site Scripting (XSS) in DoWISP in versions prior to 1.16.2.50, which consists of an stored XSS through the upload of a profile picture in SVG format with malicious Javascript code in it. | |||||
| CVE-2023-43892 | 1 Netis-systems | 2 N3m, N3m Firmware | 2025-04-04 | N/A | 9.8 CRITICAL |
| Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the Hostname parameter within the WAN settings. This vulnerability is exploited via a crafted payload. | |||||
| CVE-2023-22279 | 1 Ate-mahoroba | 6 Maho-pbx Netdevancer, Maho-pbx Netdevancer Firmware, Maho-pbx Netdevancer Mobilegate and 3 more | 2025-04-04 | N/A | 9.8 CRITICAL |
| MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allow a remote unauthenticated attacker to execute an arbitrary OS command. | |||||
| CVE-2023-22304 | 1 Pixela | 2 Pix-rt100, Pix-rt100 Firmware | 2025-04-04 | N/A | 8.0 HIGH |
| OS command injection vulnerability in PIX-RT100 versions RT100_TEQ_2.1.1_EQ101 and RT100_TEQ_2.1.2_EQ101 allows a network-adjacent attacker who can access product settings to execute an arbitrary OS command. | |||||
| CVE-2023-22280 | 1 Ate-mahoroba | 6 Maho-pbx Netdevancer, Maho-pbx Netdevancer Firmware, Maho-pbx Netdevancer Mobilegate and 3 more | 2025-04-04 | N/A | 7.2 HIGH |
| MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allow a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command. | |||||
| CVE-2022-47853 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2025-04-04 | N/A | 9.8 CRITICAL |
| TOTOlink A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection Vulnerability in the httpd service. An attacker can obtain a stable root shell through a specially constructed payload. | |||||
| CVE-2022-21191 | 1 Global-modules-path Project | 1 Global-modules-path | 2025-04-04 | N/A | 7.4 HIGH |
| Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the getPath function. | |||||