Vulnerabilities (CVE)

Filtered by CWE-77
Total 3384 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-26129 1 Bwm-ng Project 1 Bwm-ng 2026-06-17 N/A 8.4 HIGH
All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.
CVE-2023-26128 1 Keep-module-latest Project 1 Keep-module-latest 2026-06-17 N/A 8.4 HIGH
All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.
CVE-2023-26127 1 N158 Project 1 N158 2026-06-17 N/A 7.8 HIGH
All versions of the package n158 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.
CVE-2023-26125 1 Gin-gonic 1 Gin 2026-06-17 N/A 5.6 MEDIUM
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.
CVE-2023-25911 1 Danfoss 2 Ak-em100, Ak-em100 Firmware 2026-06-17 N/A 9.9 CRITICAL
The Danfoss AK-EM100 web applications allow for an authenticated user to perform OS command injection through the web application parameters.
CVE-2023-25805 1 Versionn Project 1 Versionn 2026-06-17 N/A 9.8 CRITICAL
versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0. This issue is patched in version 1.1.0.
CVE-2023-25649 1 Zte 2 Mf286r, Mf286r Firmware 2026-06-17 N/A 6.8 MEDIUM
There is a command injection vulnerability in a mobile internet product of ZTE. Due to insufficient validation of SET_DEVICE_LED interface parameter, an authenticated attacker could use the vulnerability to execute arbitrary commands.
CVE-2023-25643 1 Zte 4 Mc801a, Mc801a1, Mc801a1 Firmware and 1 more 2026-06-17 N/A 8.4 HIGH
There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.
CVE-2023-24612 1 Pdfbook Project 1 Pdfbook 2026-06-17 N/A 9.8 CRITICAL
The PdfBook extension through 2.0.5 before b07b6a64 for MediaWiki allows command injection via an option.
CVE-2023-24583 1 Milesight 2 Ur32l, Ur32l Firmware 2026-06-17 N/A 8.8 HIGH
Two OS command injection vulnerabilities exist in the urvpn_client cmd_name_action functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This OS command injection is triggered through a UDP packet.
CVE-2023-24540 1 Golang 1 Go 2026-06-17 N/A 9.8 CRITICAL
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
CVE-2023-24467 1 Microfocus 1 Imanager 2026-06-17 N/A 8.8 HIGH
Possible Command Injection in iManager GET parameter has been discovered in OpenText™ iManager 3.2.6.0000.
CVE-2023-24331 1 Dlink 2 Dir-816, Dir-816 Firmware 2026-06-17 N/A 9.8 CRITICAL
Command Injection vulnerability in D-Link Dir 816 with firmware version DIR-816_A2_v1.10CNB04 allows attackers to run arbitrary commands via the urlAdd parameter.
CVE-2023-24330 1 Dlink 2 Dir-882, Dir-882 Firmware 2026-06-17 N/A 8.8 HIGH
Command Injection vulnerability in D-Link Dir 882 with firmware version DIR882A1_FW130B06 allows attackers to run arbitrary commands via crafted POST request to /HNAP1/.
CVE-2023-24276 1 Totolink 2 A7100ru, A7100ru Firmware 2026-06-17 N/A 9.8 CRITICAL
TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the country parameter at setting/delStaticDhcpRules.
CVE-2023-24238 1 Totolink 2 A7100ru, A7100ru Firmware 2026-06-17 N/A 9.8 CRITICAL
TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the city parameter at setting/delStaticDhcpRules.
CVE-2023-24236 1 Totolink 2 A7100ru, A7100ru Firmware 2026-06-17 N/A 9.8 CRITICAL
TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the province parameter at setting/delStaticDhcpRules.
CVE-2023-24229 1 Draytek 2 Vigor2960, Vigor2960 Firmware 2026-06-17 N/A 7.8 HIGH
DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2023-24184 1 Totolink 2 A7100ru, A7100ru Firmware 2026-06-17 N/A 9.8 CRITICAL
TOTOLink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability.
CVE-2023-24161 1 Totolink 2 Ca300-poe, Ca300-poe Firmware 2026-06-17 N/A 9.8 CRITICAL
TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the webWlanIdx parameter in the setWebWlanIdx function.