Total: 3350 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-45497 | 1 Microsoft | 1 Copilot | 2026-06-08 | N/A | 7.7 HIGH |
| Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an authorized attacker to execute code over a network. | |||||
| CVE-2026-42824 | 1 Microsoft | 1 Copilot | 2026-06-08 | N/A | 6.5 MEDIUM |
| Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2026-49196 | 1 Acer | 2 Predator Connect W6x, Predator Connect W6x Firmware | 2026-06-08 | N/A | 7.2 HIGH |
| The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands. | |||||
| CVE-2026-10873 | | | 2026-06-05 | 8.3 HIGH | 7.2 HIGH |
| A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato. | |||||
| CVE-2026-11341 | | | 2026-06-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_412DA0 of the file /boafrm/formIMEISetup. This manipulation of the argument IMEI_value causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used. | |||||
| CVE-2026-10878 | 1 Dlink | 2 Dwr-m920, Dwr-m920 Firmware | 2026-06-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in D-Link DWR-M920 1.1.50/1.1.70. Affected is the function sub_41C8E8 of the file /boafrm/formSmsManage. Performing a manipulation of the argument action_value results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. | |||||
| CVE-2026-10872 | | | 2026-06-05 | 8.3 HIGH | 7.2 HIGH |
| A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato. | |||||
| CVE-2026-10871 | | | 2026-06-05 | 8.3 HIGH | 7.2 HIGH |
| A vulnerability has been found in Shibby Tomato 1.28.0000. This vulnerability affects the function start_6rd_tunnel of the file /sbin/rc of the component Web UI. Such manipulation of the argument ipv6_6rd_borderrelay leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This project is superseded by FreshTomato. | |||||
| CVE-2026-49199 | 1 Acer | 2 Predator Connect W6x, Predator Connect W6x Firmware | 2026-06-04 | N/A | 9.8 CRITICAL |
| Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device. | |||||
| CVE-2026-8037 | | | 2026-06-04 | N/A | 9.6 CRITICAL |
| OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints. | |||||
| CVE-2026-40135 | 1 Sap | 1 Netweaver Application Server Abap | 2026-06-03 | N/A | 6.5 MEDIUM |
| An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality. | |||||
| CVE-2026-10273 | | | 2026-06-03 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2026-10060 | 1 Trendnet | 2 Tew-432brp, Tew-432brp Firmware | 2026-06-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2026-10061 | 1 Trendnet | 2 Tew-432brp, Tew-432brp Firmware | 2026-06-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. Affected is the function formWPS of the file /goform/formWPS. The manipulation of the argument peerPin results in command injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2026-5509 | 1 Tp-link | 4 Archer Be450, Archer Be450 Firmware, Archer Be7200 and 1 more | 2026-06-02 | N/A | 7.2 HIGH |
| An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can leverage the browser’s developer console by supplying a crafted input that is passed to backend system commands without adequate sanitization. Successful exploitation enables execution of arbitrary commands with elevated privileges on the device, which may allow the attacker to start unauthorized services, modify system configuration, or otherwise fully compromise the router’s operating environment. | |||||
| CVE-2026-23862 | 1 Dell | 1 Thinos | 2026-06-02 | N/A | 7.8 HIGH |
| Dell ThinOS 10 versions prior to ThinOS 2602_10.0573 contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | |||||
| CVE-2026-5463 | 1 Danmcinerney | 1 Pymetasploit3 | 2026-06-02 | 7.5 HIGH | 8.6 HIGH |
| Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions. | |||||
| CVE-2022-26826 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2026-06-02 | 9.0 HIGH | 7.2 HIGH |
| Windows DNS Server Remote Code Execution Vulnerability | |||||
| CVE-2024-52011 | | | 2026-06-02 | N/A | N/A |
| launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9. | |||||
| CVE-2026-10550 | | | 2026-06-02 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in elunez eladmin up to 2.7. This vulnerability affects unknown code of the file App.java of the component Application Deployment Module. This manipulation of the argument uploadPath causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | |||||
