Total
3384 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26801 | 1 Lb-link | 8 Bl-ac1900, Bl-ac1900 Firmware, Bl-lte300 and 5 more | 2026-06-17 | N/A | 9.8 CRITICAL |
| LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg. | |||||
| CVE-2023-26800 | 1 Ruijienetworks | 6 Rg-ew1200, Rg-ew1200 Firmware, Rg-ew1200g Pro and 3 more | 2026-06-17 | N/A | 9.8 CRITICAL |
| Ruijie Networks RG-EW1200 Wireless Routers EW_3.0(1)B11P204 was discovered to contain a command injetion vulnerability via the params.path parameter in the upgradeConfirm function. | |||||
| CVE-2023-26602 | 1 Asus | 1 Asmb8-ikvm Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution. | |||||
| CVE-2023-26493 | 1 Cocos | 1 Cocos-engine | 2026-06-17 | N/A | 8.1 HIGH |
| Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the `web-interface-check.yml` was subject to command injection. The `web-interface-check.yml` was triggered when a pull request was opened or updated and contained the user controllable field `(${{ github.head_ref }} – the name of the fork’s branch)`. This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and altering the repository. The workflow has since been removed for the repository. There are no actions required of users. | |||||
| CVE-2023-26430 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2026-06-17 | N/A | 3.5 LOW |
| Attackers with access to user accounts can inject arbitrary control characters to SIEVE mail-filter rules. This could be abused to access SIEVE extension that are not allowed by App Suite or to inject rules which would break per-user filter processing, requiring manual cleanup of such rules. We have added sanitization to all mail-filter APIs to avoid forwardning control characters to subsystems. No publicly available exploits are known. | |||||
| CVE-2023-26429 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2026-06-17 | N/A | 3.5 LOW |
| Control characters were not removed when exporting user feedback content. This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure. We now drop all control characters that are not whitespace character during the export. No publicly available exploits are known. | |||||
| CVE-2023-26320 | 1 Mi | 2 Xiaomi Router Ax3200, Xiaomi Router Ax3200 Firmware | 2026-06-17 | N/A | 7.5 HIGH |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection. | |||||
| CVE-2023-26319 | 1 Mi | 2 Xiaomi Router Ax3200, Xiaomi Router Ax3200 Firmware | 2026-06-17 | N/A | 6.7 MEDIUM |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection. | |||||
| CVE-2023-26317 | 1 Mi | 1 Xiaomi Router Firmware | 2026-06-17 | N/A | 7.0 HIGH |
| Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing. | |||||
| CVE-2023-26315 | 1 Mi | 2 Ax9000, Ax9000 Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| The Xiaomi router AX9000 has a post-authentication command injection vulnerability. This vulnerability is caused by the lack of input filtering, allowing an attacker to exploit it to obtain root access to the device. | |||||
| CVE-2023-26310 | 1 Oppo | 2 Coloros, Find X3 | 2026-06-17 | N/A | 7.4 HIGH |
| There is a command injection problem in the old version of the mobile phone backup app. | |||||
| CVE-2023-26298 | 1 Hp | 1 Hp Device Manager | 2026-06-17 | N/A | 8.8 HIGH |
| Previous versions of HP Device Manager (prior to HPDM 5.0.10) could potentially allow command injection and/or elevation of privileges. | |||||
| CVE-2023-26297 | 1 Hp | 1 Hp Device Manager | 2026-06-17 | N/A | 8.8 HIGH |
| Previous versions of HP Device Manager (prior to HPDM 5.0.10) could potentially allow command injection and/or elevation of privileges. | |||||
| CVE-2023-26296 | 1 Hp | 1 Hp Device Manager | 2026-06-17 | N/A | 8.8 HIGH |
| Previous versions of HP Device Manager (prior to HPDM 5.0.10) could potentially allow command injection and/or elevation of privileges. | |||||
| CVE-2023-26295 | 1 Hp | 1 Hp Device Manager | 2026-06-17 | N/A | 9.8 CRITICAL |
| Previous versions of HP Device Manager (prior to HPDM 5.0.10) could potentially allow command injection and/or elevation of privileges. | |||||
| CVE-2023-26294 | 1 Hp | 1 Hp Device Manager | 2026-06-17 | N/A | 7.8 HIGH |
| Previous versions of HP Device Manager (prior to HPDM 5.0.10) could potentially allow command injection and/or elevation of privileges. | |||||
| CVE-2023-26155 | 1 Nrhirani | 1 Node-qpdf | 2026-06-17 | N/A | 7.3 HIGH |
| All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path. | |||||
| CVE-2023-26145 | 1 Derrickgilland | 1 Pydash | 2026-06-17 | N/A | 7.4 HIGH |
| This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. **Note:** The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function. | |||||
| CVE-2023-26134 | 1 Git-commit-info Project | 1 Git-commit-info | 2026-06-17 | N/A | 9.8 CRITICAL |
| Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo () fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content. | |||||
| CVE-2023-26130 | 1 Cpp-httplib Project | 1 Cpp-httplib | 2026-06-17 | N/A | 7.5 HIGH |
| Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors. **Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507). | |||||
