Total
4659 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-28039 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2025-04-29 | N/A | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setUpgradeFW function through the FileName parameter. | |||||
| CVE-2022-44844 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2025-04-29 | N/A | 9.8 CRITICAL |
| TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the pass parameter in the setting/setOpenVpnCfg function. | |||||
| CVE-2022-44843 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2025-04-29 | N/A | 9.8 CRITICAL |
| TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the port parameter in the setting/setOpenVpnClientCfg function. | |||||
| CVE-2022-45461 | 3 Linux, Opengroup, Veritas | 3 Linux Kernel, Unix, Netbackup | 2025-04-29 | N/A | 7.5 HIGH |
| The Java Admin Console in Veritas NetBackup through 10.1 and related Veritas products on Linux and UNIX allows authenticated non-root users (that have been explicitly added to the auth.conf file) to execute arbitrary commands as root. | |||||
| CVE-2022-40954 | 1 Apache | 2 Airflow, Apache-airflow-providers-apache-spark | 2025-04-29 | N/A | 5.5 MEDIUM |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed). | |||||
| CVE-2025-46272 | 2025-04-29 | N/A | 9.1 CRITICAL | ||
| WGS-80HPT-V2 and WGS-4215-8T2S are vulnerable to a command injection attack that could allow an unauthenticated attacker to execute OS commands on the host system. | |||||
| CVE-2025-46271 | 2025-04-29 | N/A | 9.1 CRITICAL | ||
| UNI-NMS-Lite is vulnerable to a command injection attack that could allow an unauthenticated attacker to read or manipulate device data. | |||||
| CVE-2025-43858 | 2025-04-29 | N/A | 9.2 CRITICAL | ||
| YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2. | |||||
| CVE-2022-40189 | 1 Apache | 2 Airflow, Apache-airflow-providers-apache-pig | 2025-04-29 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version. | |||||
| CVE-2022-38649 | 1 Apache | 2 Airflow, Apache-airflow-providers-apache-pinot | 2025-04-29 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version. | |||||
| CVE-2022-44201 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2025-04-29 | N/A | 9.8 CRITICAL |
| D-Link DIR823G 1.02B05 is vulnerable to Commad Injection. | |||||
| CVE-2022-45939 | 3 Debian, Fedoraproject, Gnu | 3 Debian Linux, Fedora, Emacs | 2025-04-28 | N/A | 7.8 HIGH |
| GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input. | |||||
| CVE-2025-43920 | 1 Gnu | 1 Mailman | 2025-04-28 | N/A | 5.4 MEDIUM |
| GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used. | |||||
| CVE-2022-44808 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2025-04-25 | N/A | 9.8 CRITICAL |
| A command injection vulnerability has been found on D-Link DIR-823G devices with firmware version 1.02B03 that allows an attacker to execute arbitrary operating system commands through well-designed /HNAP1 requests. Before the HNAP API function can process the request, the system function executes an untrusted command that triggers the vulnerability. | |||||
| CVE-2022-44252 | 1 Totolink | 2 Lr350, Lr350 Firmware | 2025-04-25 | N/A | 9.8 CRITICAL |
| TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the setUploadSetting function. | |||||
| CVE-2022-44251 | 1 Totolink | 2 Lr350, Lr350 Firmware | 2025-04-25 | N/A | 9.8 CRITICAL |
| TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the ussd parameter in the setUssd function. | |||||
| CVE-2022-44250 | 1 Totolink | 2 Lr350, Lr350 Firmware | 2025-04-25 | N/A | 9.8 CRITICAL |
| TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the hostName parameter in the setOpModeCfg function. | |||||
| CVE-2022-44249 | 1 Totolink | 2 Lr350, Lr350 Firmware | 2025-04-25 | N/A | 9.8 CRITICAL |
| TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the UploadFirmwareFile function. | |||||
| CVE-2025-29043 | 1 Dlink | 2 Dir-823x, Dir-823x Firmware | 2025-04-25 | N/A | 9.8 CRITICAL |
| An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the function 0x417234 | |||||
| CVE-2025-29042 | 1 Dlink | 2 Dir-823x, Dir-823x Firmware | 2025-04-25 | N/A | 9.8 CRITICAL |
| An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the macaddr key value to the function 0x42232c | |||||