Total: 3358 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-44842 | 1 Totolink | 2 Ca600-poe, Ca600-poe Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the msg_process function via the Port parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44841 | 1 Totolink | 2 Ca600-poe, Ca600-poe Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the version parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44840 | 1 Totolink | 2 Ca600-poe, Ca600-poe Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the svn parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44839 | 1 Totolink | 2 Ca600-poe, Ca600-poe Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the magicid parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44838 | 1 Totolink | 2 Cp900, Cp900 Firmware | 2026-06-17 | N/A | 6.3 MEDIUM |
| TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the setUploadUserData function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44837 | 1 Totolink | 2 Cp900, Cp900 Firmware | 2026-06-17 | N/A | 6.3 MEDIUM |
| TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the url or magicid parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44836 | 1 Totolink | 2 Cp900, Cp900 Firmware | 2026-06-17 | N/A | 6.3 MEDIUM |
| TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the setApRebootScheCfg function via the hour or minute parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-44835 | 1 Dlink | 2 Dir-816 A2, Dir-816 A2 Firmware | 2026-06-17 | N/A | 6.3 MEDIUM |
| D-Link DIR-816 A2V1.1.0B05 was found to contain a command injection in iptablesWebsFilterRun, which allows remote attackers to execute arbitrary commands via shell. | |||||
| CVE-2025-44179 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| Hitron CGNF-TWN 3.1.1.43-TWN-pre3 contains a command injection vulnerability in the telnet service. The issue arises due to improper input validation within the telnet command handling mechanism. An attacker can exploit this vulnerability by injecting arbitrary commands through the telnet interface when prompted for inputs or commands. Successful exploitation could lead to remote code execution (RCE) under the privileges of the telnet user, potentially allowing unauthorized access to system settings and sensitive information. | |||||
| CVE-2025-44176 | 1 Tenda | 2 Fh451, Fh451 Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| Tenda FH451 V1.0.0.9 is vulnerable to Remote Code Execution in the formSafeEmailFilter function. | |||||
| CVE-2025-44084 | 1 Dlink | 2 Di-8100, Di-8100g Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| D-Link DI-8100 16.07.26A1 is vulnerable to Command Injection. An attacker can exploit this vulnerability by crafting specific HTTP requests, triggering the command execution flaw and gaining the highest privilege shell access to the firmware system. | |||||
| CVE-2025-44023 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| An issue in D-Link DNS-320 v.1.00 and DNS-320LW v.1.01.0914.20212 allows an attacker to execute arbitrary via the account_mgr.cgi->cgi_chg_admin_pw components. | |||||
| CVE-2025-44015 | 1 Qnap | 1 Hybriddesk Station | 2026-06-17 | N/A | 8.4 HIGH |
| A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: HybridDesk Station 4.2.18 and later | |||||
| CVE-2025-43953 | | | 2026-06-17 | N/A | 8.8 HIGH |
| In 2wcom IP-4c 2.16, the web interface allows admin and manager users to execute arbitrary code as root via a ping or traceroute field on the TCP/IP screen. | |||||
| CVE-2025-43948 | | | 2026-06-17 | N/A | 7.3 HIGH |
| Codemers KLIMS 1.6.DEV allows Python code injection. A user can provide Python code as an input value for a parameter or qualifier (such as for sorting), which will get executed on the server side. | |||||
| CVE-2025-43858 | | | 2026-06-17 | N/A | 9.2 CRITICAL |
| YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of malicious commands when starting `yt-dlp` from a command prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2. | |||||
| CVE-2025-43844 | 1 Rvc-project | 1 Retrieval-based-voice-conversion-webui | 2026-06-17 | N/A | 9.8 CRITICAL |
| Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, among others, take user input and pass it to the click_train function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist. | |||||
| CVE-2025-43843 | 1 Rvc-project | 1 Retrieval-based-voice-conversion-webui | 2026-06-17 | N/A | 9.8 CRITICAL |
| Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7 and f0method8 take user input and pass it into the extract_f0_feature function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist. | |||||
| CVE-2025-43842 | 1 Rvc-project | 1 Retrieval-based-voice-conversion-webui | 2026-06-17 | N/A | 9.8 CRITICAL |
| Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7, trainset_dir4 and sr2 take user input and pass it to the preprocess_dataset function, which concatenates them into a command that is run on the server. This can lead to arbitrary command execution. As of time of publication, no known patches exist. | |||||
| CVE-2025-43714 | 1 Openai | 1 Chatgpt | 2026-06-17 | N/A | 6.5 MEDIUM |
| The ChatGPT system through 2025-03-30 performs inline rendering of SVG documents (instead of, for example, rendering them as text inside a code block), which enables HTML injection within most modern graphical web browsers. | |||||
