Vulnerabilities (CVE)

Filtered by CWE-77
Total 3383 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-26151 1 Citrix 1 Xenmobile Server 2026-06-17 9.0 HIGH 7.2 HIGH
Citrix XenMobile Server 10.12 through RP11, 10.13 through RP7, and 10.14 through RP4 allows Command Injection.
CVE-2022-25962 1 Vagrant.js Project 1 Vagrant.js 2026-06-17 N/A 7.4 HIGH
All versions of the package vagrant.js are vulnerable to Command Injection via the boxAdd function due to improper input sanitization.
CVE-2022-25923 1 Exec-local-bin Project 1 Exec-local-bin 2026-06-17 N/A 7.4 HIGH
Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization.
CVE-2022-25916 1 Mt7688-wiscan Project 1 Mt7688-wiscan 2026-06-17 N/A 7.4 HIGH
Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' function.
CVE-2022-25908 1 Create-choo-electron Project 1 Create-choo-electron 2026-06-17 N/A 7.4 HIGH
All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.
CVE-2022-25855 1 Create-choo-app3 Project 1 Create-choo-app3 2026-06-17 N/A 7.4 HIGH
All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.
CVE-2022-25834 1 Percona 1 Xtrabackup 2026-06-17 N/A 7.8 HIGH
In Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19, a crafted filename on the local file system could trigger unexpected command shell execution of arbitrary commands.
CVE-2022-25619 1 Profelis 1 Sambabox 2026-06-17 4.6 MEDIUM 3.8 LOW
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the ping tool of Profelis IT Consultancy SambaBox allows an authenticated user to run arbitrary code. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86.
CVE-2022-25350 1 Helecloud 1 Puppet-facter 2026-06-17 N/A 7.4 HIGH
All versions of the package puppet-facter are vulnerable to Command Injection via the getFact function due to improper input sanitization.
CVE-2022-25137 1 Totolink 4 T10, T10 Firmware, T6 and 1 more 2026-06-17 7.5 HIGH 9.8 CRITICAL
A command injection vulnerability in the function recvSlaveUpgstatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.
CVE-2022-25136 1 Totolink 4 T10, T10 Firmware, T6 and 1 more 2026-06-17 7.5 HIGH 9.8 CRITICAL
A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.
CVE-2022-25135 1 Totolink 2 T6, T6 Firmware 2026-06-17 7.5 HIGH 9.8 CRITICAL
A command injection vulnerability in the function recv_mesh_info_sync of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
CVE-2022-25134 1 Totolink 2 T6, T6 Firmware 2026-06-17 7.5 HIGH 9.8 CRITICAL
A command injection vulnerability in the function setUpgradeFW of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
CVE-2022-25133 1 Totolink 2 T6, T6 Firmware 2026-06-17 7.5 HIGH 9.8 CRITICAL
A command injection vulnerability in the function isAssocPriDevice of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
CVE-2022-25132 1 Totolink 4 T10, T10 Firmware, T6 and 1 more 2026-06-17 7.5 HIGH 9.8 CRITICAL
A command injection vulnerability in the function meshSlaveDlfw of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
CVE-2022-25131 1 Totolink 4 T10, T10 Firmware, T6 and 1 more 2026-06-17 7.5 HIGH 9.8 CRITICAL
A command injection vulnerability in the function recvSlaveCloudCheckStatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.
CVE-2022-25130 1 Totolink 4 T10, T10 Firmware, T6 and 1 more 2026-06-17 7.5 HIGH 9.8 CRITICAL
A command injection vulnerability in the function updateWifiInfo of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.
CVE-2022-24630 1 Audiocodes 1 Device Manager Express 2026-06-17 N/A 7.2 HIGH
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. BrowseFiles.php allows a ?cmd=ssh POST request with an ssh_command field that is executed.
CVE-2022-24394 1 Fidelissecurity 2 Deception, Network 2026-06-17 9.0 HIGH 8.8 HIGH
Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “update_checkfile” value for the “filename” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.
CVE-2022-24393 1 Fidelissecurity 2 Deception, Network 2026-06-17 9.0 HIGH 8.8 HIGH
Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “check_vertica_upgrade” value for the “cpIp” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.