Total
4676 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-6748 | 1 Cisco | 2 Web Security Appliance, Web Security Virtual Appliance | 2026-05-13 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI parser of the Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to perform command injection and elevate privileges to root. The attacker must authenticate with valid operator-level or administrator-level credentials. Affected Products: virtual and hardware versions of Cisco Web Security Appliance (WSA). More Information: CSCvd88855. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270 10.1.1-234. | |||||
| CVE-2017-2140 | 1 Gaku | 1 Tablacus Explorer | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| Tablacus Explorer 17.3.30 and earlier allows arbitrary scripts to be executed in the context of the application due to specially crafted directory. | |||||
| CVE-2017-6971 | 2 Alienvault, Nfsen | 3 Ossim, Unified Security Management, Nfsen | 2026-05-13 | 9.0 HIGH | 8.8 HIGH |
| AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow remote authenticated users to execute arbitrary commands in a privileged context, or launch a reverse shell, via vectors involving the PHP session ID and the NfSen PHP code, aka AlienVault ID ENG-104862. | |||||
| CVE-2017-17532 | 1 Kiwi Project | 1 Kiwi | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-17523 | 1 Lilypond | 1 Lilypond | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument. | |||||
| CVE-2017-17529 | 1 Abisource | 1 Abiword | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2015-7544 | 1 Redhat | 1 Enterprise Virtualization Manager | 2026-05-13 | 9.0 HIGH | 9.1 CRITICAL |
| redhat-support-plugin-rhev in Red Hat Enterprise Virtualization Manager (aka RHEV Manager) before 3.6 allows remote authenticated users with the SuperUser role on any Entity to execute arbitrary commands on any host in the RHEV environment. | |||||
| CVE-2017-16680 | 1 Sap | 1 Hana Extended Application Services | 2026-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of controller service are missing user input validation which could allow unprivileged attackers to forge audit log lines. Hence the interpretation of audit log files could be hindered or misdirected. 2) User Account and Authentication writes audit logs into syslog and additionally writes the same audit entries into a log file. Entries in the log file miss escaping. Hence the interpretation of audit log files could be hindered or misdirected, while the entries in syslog are correct. | |||||
| CVE-2016-1155 | 1 Google | 1 Android | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| HTTP header injection vulnerability in the URLConnection class in Android OS 2.2 through 6.0 allows remote attackers to execute arbitrary scripts or set arbitrary values in cookies. | |||||
| CVE-2015-2180 | 1 Roundcube | 1 Webmail | 2026-05-13 | 9.0 HIGH | 8.8 HIGH |
| The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password. | |||||
| CVE-2015-5227 | 1 Inboundnow | 1 Wordpress Landing Pages | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| The Landing Pages plugin before 1.9.2 for WordPress allows remote attackers to execute arbitrary code via the url parameter. | |||||
| CVE-2017-17526 | 1 Giac Project | 1 Giac | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| Input.cc in Bernard Parisse Giac 1.2.3.57 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-16766 | 1 Synology | 1 Diskstation Manager | 2026-05-13 | 6.4 MEDIUM | 6.5 MEDIUM |
| An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option. | |||||
| CVE-2017-7459 | 1 Ntop | 1 Ntopng | 2026-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| ntopng before 3.0 allows HTTP Response Splitting. | |||||
| CVE-2017-17531 | 1 Gnu | 1 Global | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-1000217 | 1 Opencast | 1 Opencast | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media module resulting in arbitrary code execution, fixed in 2.3.3 and 3.0. | |||||
| CVE-2017-17527 | 2 Debian, Pasdoc Project | 2 Debian Linux, Pasdoc | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| delphi_gui/WWWBrowserRunnerDM.pas in PasDoc 0.14 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer has indicated that the code referencing the BROWSER environment variable is never used | |||||
| CVE-2016-5013 | 1 Moodle | 1 Moodle | 2026-05-13 | 5.8 MEDIUM | 5.4 MEDIUM |
| In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. | |||||
| CVE-2017-17513 | 1 Tug | 1 Tex Live | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua. | |||||
| CVE-2017-17522 | 1 Python | 1 Python | 2026-05-13 | 6.8 MEDIUM | 8.8 HIGH |
| Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting | |||||