Total
4328 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-10007 | 2025-06-06 | N/A | 8.8 HIGH | ||
| File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted filename. A file handle is opened with the 2 argument form of `open()` allowing an attacker controlled filename to provide the MODE parameter to `open()`, turning the filename into a command to be executed. Example: $ mkdir /tmp/poc; echo > "/tmp/poc/|id" $ perl -MFile::Find::Rule \ -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")' uid=1000(user) gid=1000(user) groups=1000(user),100(users) | |||||
| CVE-2025-49008 | 2025-06-05 | N/A | N/A | ||
| Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows argument injection, leading to arbitrary command execution. Atheos administrators and users of vulnerable versions are at risk of data breaches or server compromise. Version 6.0.4 introduces a `Common::safe_execute` function that sanitizes all arguments using `escapeshellarg()` prior to execution and migrated all components potentially vulnerable to similar exploits to use this new templated execution system. | |||||
| CVE-2023-48802 | 1 Totolink | 2 X6000r, X6000r Firmware | 2025-06-05 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2020-27298 | 1 Philips | 5 Coronary Tools, Dynamic Coronary Roadmap, Interventional Workspot and 2 more | 2025-06-04 | 3.3 LOW | 6.5 MEDIUM |
| Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component. | |||||
| CVE-2025-41385 | 1 Uchida | 2 Wivia 5, Wivia 5 Firmware | 2025-06-04 | N/A | 7.2 HIGH |
| An OS Command Injection issue exists in wivia 5 all versions. If this vulnerability is exploited, an arbitrary OS command may be executed by a logged-in administrative user. | |||||
| CVE-2024-33529 | 1 Ilias | 1 Ilias | 2025-06-04 | N/A | 7.2 HIGH |
| ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 9.0 allow remote authenticated attackers with administrative privileges to execute operating system commands via file uploads with dangerous types. | |||||
| CVE-2024-46330 | 1 Vonets | 2 Vap11g-300, Vap11g-300 Firmware | 2025-06-04 | N/A | 7.4 HIGH |
| VONETS VAP11G-300 v3.3.23.6.9 was discovered to contain a command injection vulnerability via the iptablesWebsFilterRun object. | |||||
| CVE-2025-5571 | 2025-06-04 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in D-Link DCS-932L 2.18.01. It has been classified as critical. Affected is the function setSystemAdmin of the file /setSystemAdmin. The manipulation of the argument AdminID leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-39780 | 1 Asus | 2 Rt-ax55, Rt-ax55 Firmware | 2025-06-03 | N/A | 8.8 HIGH |
| On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. NOTE: for the similar "token-generated module" issue, see CVE-2023-41345; for the similar "token-refresh module" issue, see CVE-2023-41346; for the similar "check token module" issue, see CVE-2023-41347; and for the similar "code-authentication module" issue, see CVE-2023-41348. | |||||
| CVE-2023-38317 | 1 Opennds | 1 Opennds | 2025-06-03 | N/A | 9.8 CRITICAL |
| An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the network interface name entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands. | |||||
| CVE-2024-23059 | 1 Totolink | 2 A3300r, A3300r Firmware | 2025-06-03 | N/A | 9.8 CRITICAL |
| TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the username parameter in the setDdnsCfg function. | |||||
| CVE-2024-22942 | 1 Totolink | 2 A3300r, A3300r Firmware | 2025-06-03 | N/A | 9.8 CRITICAL |
| TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the hostName parameter in the setWanCfg function. | |||||
| CVE-2024-21773 | 1 Tp-link | 8 Archer Ax3000, Archer Ax3000 Firmware, Archer Ax5400 and 5 more | 2025-06-03 | N/A | 8.8 HIGH |
| Multiple TP-LINK products allow a network-adjacent unauthenticated attacker with access to the product from the LAN port or Wi-Fi to execute arbitrary OS commands on the product that has pre-specified target devices and blocked URLs in parental control settings. | |||||
| CVE-2023-48842 | 1 Dlink | 2 Go-rt-ac750, Go-rt-ac750 Firmware | 2025-06-03 | N/A | 9.8 CRITICAL |
| D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi. | |||||
| CVE-2023-49038 | 1 Buffalo | 2 Ls210d, Ls210d Firmware | 2025-06-02 | N/A | 7.2 HIGH |
| Command injection in the ping utility on Buffalo LS210D 1.78-0.03 allows a remote authenticated attacker to inject arbitrary commands onto the NAS as root. | |||||
| CVE-2023-51217 | 1 Tenhot | 2 Tws-200, Tws-200 Firmware | 2025-06-02 | N/A | 8.8 HIGH |
| An issue discovered in TenghuTOS TWS-200 firmware version:V4.0-201809201424 allows a remote attacker to execute arbitrary code via crafted command on the ping page component. | |||||
| CVE-2024-24332 | 1 Totolink | 2 A3300r, A3300r Firmware | 2025-05-30 | N/A | 9.8 CRITICAL |
| TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the url parameter in the setUrlFilterRules function. | |||||
| CVE-2025-40582 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-05-30 | N/A | 7.8 HIGH |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions with SINEMA Remote Connect Edge Client installed). Affected devices do not properly sanitize configuration parameters. This could allow a non-privileged local attacker to execute root commands on the device. | |||||
| CVE-2025-44880 | 1 Wavlink | 2 Wl-wn579a3, Wl-wn579a3 Firmware | 2025-05-30 | N/A | 9.8 CRITICAL |
| A command injection vulnerability in the component /cgi-bin/adm.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. | |||||
| CVE-2025-44882 | 1 Wavlink | 2 Wl-wn579a3, Wl-wn579a3 Firmware | 2025-05-30 | N/A | 9.8 CRITICAL |
| A command injection vulnerability in the component /cgi-bin/firewall.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. | |||||