Total: 3144 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-7140 | | | 2026-04-27 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument HTTP leads to os command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-7137 | | | 2026-04-27 | 10.0 HIGH | 9.8 CRITICAL |
| A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument sambaEnabled leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-38834 | 1 Tenda | 2 W30e, W30e Firmware | 2026-04-27 | N/A | 7.3 HIGH |
| Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2026-38835 | 1 Tenda | 2 W30e, W30e Firmware | 2026-04-27 | N/A | 9.8 CRITICAL |
| Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2026-41153 | 1 Jetbrains | 1 Junie | 2026-04-27 | N/A | 5.8 MEDIUM |
| In JetBrains Junie before 252.549.29, command execution was possible via a malicious project file. | |||||
| CVE-2026-31179 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-04-27 | N/A | 6.5 MEDIUM |
| An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunPort parameter to /cgi-bin/cstecgi.cgi. | |||||
| CVE-2026-31162 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-04-27 | N/A | 6.5 MEDIUM |
| An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the ttlWay parameter to /cgi-bin/cstecgi.cgi. | |||||
| CVE-2026-31163 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-04-27 | N/A | 6.5 MEDIUM |
| An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the dhcpMtu parameter to /cgi-bin/cstecgi.cgi. | |||||
| CVE-2026-31166 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-04-27 | N/A | 6.5 MEDIUM |
| An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi. | |||||
| CVE-2026-31167 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-04-27 | N/A | 6.5 MEDIUM |
| An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the mode parameter to /cgi-bin/cstecgi.cgi. | |||||
| CVE-2026-31168 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-04-27 | N/A | 6.5 MEDIUM |
| An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the recHour parameter to /cgi-bin/cstecgi.cgi. | |||||
| CVE-2026-31169 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-04-27 | N/A | 6.5 MEDIUM |
| An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the week parameter to /cgi-bin/cstecgi.cgi. | |||||
| CVE-2026-31173 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-04-27 | N/A | 6.5 MEDIUM |
| An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the interval parameter to /cgi-bin/cstecgi.cgi. | |||||
| CVE-2025-29635 | 1 Dlink | 2 Dir-823x, Dir-823x Firmware | 2026-04-24 | N/A | 7.2 HIGH |
| A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution. | |||||
| CVE-2026-5831 | | | 2026-04-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impacts an unknown function of the file src/mcp/server/handlers.ts of the component terminal_execute. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. Upgrading to version 2.1.9 will fix this issue. The patch is named c1550b445b9f24f38c4414e9a545f5f79f23a0fe. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | |||||
| CVE-2026-4840 | | | 2026-04-24 | 9.0 HIGH | 8.8 HIGH |
| A security flaw has been discovered in Netcore Power 15AX up to 3.0.0.6938. Affected by this issue is the function setTools of the file /bin/netis.cgi of the component Diagnostic Tool Interface. Performing a manipulation of the argument IpAddr results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-4585 | | | 2026-04-24 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability has been found in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp of the component Configuration Handler. The manipulation of the argument File leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-4627 | | | 2026-04-24 | 8.3 HIGH | 7.2 HIGH |
| A vulnerability was found in D-Link DIR-825 and DIR-825R 1.0.5/4.5.1. Affected is the function handler_update_system_time of the file libdeuteron_modules.so of the component NTP Service. The manipulation results in os command injection. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2026-41265 | 1 Flowiseai | 1 Flowise | 2026-04-24 | N/A | 9.8 CRITICAL |
| Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0. | |||||
| CVE-2026-31159 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-04-24 | N/A | 6.5 MEDIUM |
| An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the password parameter to /cgi-bin/cstecgi.cgi. | |||||
