Vulnerabilities (CVE)

Filtered by CWE-77
Total 3390 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-49237 1 Trendnet 2 Tv-ip1314pi, Tv-ip1314pi Firmware 2026-06-17 N/A 9.8 CRITICAL
An issue was discovered on TRENDnet TV-IP1314PI 5.5.3 200714 devices. Command injection can occur because the system function is used by davinci to unpack language packs without strict filtering of URL strings.
CVE-2023-49226 1 Peplink 2 Balance Two, Balance Two Firmware 2026-06-17 N/A 7.2 HIGH
An issue was discovered in Peplink Balance Two before 8.4.0. Command injection in the traceroute feature of the administration console allows users with admin privileges to execute arbitrary commands as root.
CVE-2023-49213 1 Ironmansoftware 1 Powershell Universal 2026-06-17 N/A 8.8 HIGH
The API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 allow remote attackers to execute arbitrary commands via crafted HTTP requests if a param block is used, due to invalid sanitization of input strings. The fixed versions are 3.10.2, 4.1.10, and 4.2.1.
CVE-2023-49210 1 Node-openssl Project 1 Node-openssl 2026-06-17 N/A 9.8 CRITICAL
The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts an opts argument that contains a verb field (used for command execution). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2023-49134 1 Tp-link 4 Eap115, Eap115 Firmware, Eap225 and 1 more 2026-06-17 N/A 8.1 HIGH
A command execution vulnerability exists in the tddpd enable_test_mode functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926 and Tp-Link N300 Wireless Access Point (EAP115 V4) v5.0.4 Build 20220216. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.This vulnerability impacts `uclited` on the EAP115(V4) 5.0.4 Build 20220216 of the N300 Wireless Gigabit Access Point.
CVE-2023-49133 1 Tp-link 4 Eap115, Eap115 Firmware, Eap225 and 1 more 2026-06-17 N/A 8.1 HIGH
A command execution vulnerability exists in the tddpd enable_test_mode functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926 and Tp-Link N300 Wireless Access Point (EAP115 V4) v5.0.4 Build 20220216. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.This vulnerability impacts `uclited` on the EAP225(V3) 5.1.0 Build 20220926 of the AC1350 Wireless MU-MIMO Gigabit Access Point.
CVE-2023-49040 1 Tenda 2 Ax1803, Ax1803 Firmware 2026-06-17 N/A 9.8 CRITICAL
An issue in Tneda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the adslPwd parameter in the form_fast_setting_internet_set function.
CVE-2023-48842 1 Dlink 2 Go-rt-ac750, Go-rt-ac750 Firmware 2026-06-17 N/A 9.8 CRITICAL
D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi.
CVE-2023-48801 1 Totolink 2 X6000r, X6000r Firmware 2026-06-17 N/A 9.8 CRITICAL
In TOTOLINK X6000R_Firmware V9.4.0cu.852_B20230719, the shttpd file sub_415534 function obtains fields from the front-end, connects them through the snprintf function, and passes them to the CsteSystem function, resulting in a command execution vulnerability.
CVE-2023-48791 1 Fortinet 1 Fortiportal 2026-06-17 N/A 8.8 HIGH
An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field.
CVE-2023-48702 1 Jellyfin 1 Jellyfin 2026-06-17 N/A 7.2 HIGH
Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can setup a network share and supply a UNC path to `/System/MediaEncoder/Path` which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13.
CVE-2023-47576 1 Relyum 4 Rely-pcie, Rely-pcie Firmware, Rely-rec and 1 more 2026-06-17 N/A 8.8 HIGH
An issue was discovered in Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices, allowing authenticated command injection through the web interface.
CVE-2023-47563 1 Qnap 1 Video Station 2026-06-17 N/A 7.4 HIGH
An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later
CVE-2023-47562 1 Qnap 1 Photo Station 2026-06-17 N/A 7.4 HIGH
An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later
CVE-2023-47560 1 Qnap 1 Qumagie 2026-06-17 N/A 7.4 HIGH
An OS command injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: QuMagie 2.2.1 and later
CVE-2023-47356 2026-06-17 N/A 8.8 HIGH
Mingyu Security Gateway before v3.0-5.3p was discovered to contain a remote command execution (RCE) vulnerability via the log_type parameter at /log/fw_security.mds.
CVE-2023-47268 1 Prusa3d 1 Prusaslicer 2026-06-17 N/A 5.3 MEDIUM
In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported.
CVE-2023-47253 1 Qualitor 1 Qualitor 2026-06-17 N/A 9.8 CRITICAL
Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter.
CVE-2023-47218 1 Qnap 3 Qts, Quts Hero, Qutscloud 2026-06-17 N/A 5.8 MEDIUM
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later
CVE-2023-47104 2 Linux, Vareille 2 Linux Kernel, Tinyfiledialogs 2026-06-17 N/A 9.8 CRITICAL
tinyfiledialogs (aka tiny file dialogs) before 3.15.0 allows shell metacharacters (such as a backquote or a dollar sign) in titles, messages, and other input data. NOTE: this issue exists because of an incomplete fix for CVE-2020-36767, which only considered single and double quote characters.