Vulnerabilities (CVE)

Filtered by CWE-77
Total 3370 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-39866 1 Lawnchair 1 Lawnchair 2026-06-17 N/A 8.8 HIGH
Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.
CVE-2026-39054 2026-06-17 N/A 7.3 HIGH
Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands. The method starts a shell process and writes attacker-controlled command strings directly to the process standard input without sanitization. In affected deployments, this can result in arbitrary operating system command execution.
CVE-2026-38945 2026-06-17 N/A 7.8 HIGH
Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command.
CVE-2026-38835 1 Tenda 2 W30e, W30e Firmware 2026-06-17 N/A 9.8 CRITICAL
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
CVE-2026-38834 1 Tenda 2 W30e, W30e Firmware 2026-06-17 N/A 7.3 HIGH
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
CVE-2026-38707 1 Inhandnetworks 8 Ir302, Ir302 Firmware, Ir305 and 5 more 2026-06-17 N/A 9.8 CRITICAL
A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
CVE-2026-38704 1 Inhandnetworks 8 Ir302, Ir302 Firmware, Ir305 and 5 more 2026-06-17 N/A 9.8 CRITICAL
A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
CVE-2026-38703 1 Inhandnetworks 8 Ir302, Ir302 Firmware, Ir305 and 5 more 2026-06-17 N/A 9.8 CRITICAL
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
CVE-2026-38702 1 Inhandnetworks 8 Ir302, Ir302 Firmware, Ir305 and 5 more 2026-06-17 N/A 9.8 CRITICAL
A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
CVE-2026-36983 1 Dlink 2 Dcs-932l, Dcs-932l Firmware 2026-06-17 N/A 7.3 HIGH
D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection.
CVE-2026-36841 2026-06-17 N/A 9.8 CRITICAL
TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.
CVE-2026-36741 2026-06-17 N/A 7.2 HIGH
U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Command Injection. The Network Time Protocol (NTP) configuration interface does not properly sanitize user-supplied input. An authenticated user with permission to configure NTP settings can inject arbitrary system commands through crafted input fields. These commands are executed with elevated privileges, leading to potential full system compromise.
CVE-2026-36734 2026-06-17 N/A 8.8 HIGH
EDIMAX BR-6428nS V3 1.15 is vulnerable to Command Injection. An authenticated attacker with access to the network can submit crafted input to the WLAN configuration functionality. Due to insufficient input validation, the attacker is able to execute arbitrary system commands on the device.
CVE-2026-36540 2026-06-17 N/A 7.3 HIGH
Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request.
CVE-2026-36365 2026-06-17 N/A 7.8 HIGH
An issue in Lymphatus caesium-image-compressor, all versions up to and including commit 02da2c6, allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp.
CVE-2026-35682 1 Anviz 2 Cx2 Lite, Cx2 Lite Firmware 2026-06-17 N/A 8.8 HIGH
Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root‑level access.
CVE-2026-35580 1 Nsa 1 Emissary 2026-06-17 N/A 9.1 CRITICAL
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.
CVE-2026-35558 4 Amazon, Apple, Linux and 1 more 4 Athena Odbc, Macos, Linux Kernel and 1 more 2026-06-17 N/A 7.8 HIGH
Improper neutralization of special elements in the authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to execute arbitrary code or redirect authentication flows by using specially crafted connection parameters that are processed by the driver during user-initiated authentication. To remediate this issue, users should upgrade to version 2.1.0.0.
CVE-2026-35428 1 Microsoft 1 Azure Cloud Shell 2026-06-17 N/A 9.6 CRITICAL
Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-35070 1 Dell 1 Smartfabric Storage Software 2026-06-17 N/A 6.4 MEDIUM
Dell SmartFabric Storage Software, versions prior to 1.4.5, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A high-privileged attacker with local access could potentially exploit this vulnerability, leading to filesystem access for the attacker.