Total
3358 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-25274 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels. | |||||
| CVE-2025-24861 | 1 Outbackpower | 2 Mojave Inverter Oghi8048a, Mojave Inverter Oghi8048a Firmware | 2026-06-17 | N/A | 7.5 HIGH |
| An attacker may inject commands via specially-crafted post requests. | |||||
| CVE-2025-24333 | 2026-06-17 | N/A | 6.4 MEDIUM | ||
| Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administrative shell input validation fault, which authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to baseband internal COMA_config.xml file. This issue has been corrected starting from release 24R1-SR 1.0 MP and later, by adding proper input validation to OAM service process which prevents injecting special characters via baseband internal COMA_config.xml file. | |||||
| CVE-2025-24293 | 2026-06-17 | N/A | N/A | ||
| # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact ------ This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: ``` <%= image_tag blob.variant(params[:t] => params[:v]) %> ``` Where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits ------- Thank you [lio346](https://hackerone.com/lio346) for reporting this! | |||||
| CVE-2025-24285 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| Multiple Improper Input Validation vulnerabilities in UniFi Connect EV Station Lite may allow a Command Injection by a malicious actor with network access to the UniFi Connect EV Station Lite. Affected Products: UniFi Connect EV Station Lite (Version 1.5.1 and earlier) Mitigation: Update UniFi Connect EV Station Lite to Version 1.5.2 or later | |||||
| CVE-2025-24150 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2026-06-17 | N/A | 8.8 HIGH |
| A privacy issue was addressed with improved handling of files. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3. Copying a URL from Web Inspector may lead to command injection. | |||||
| CVE-2025-24049 | 1 Microsoft | 1 Azure Command-line Interface | 2026-06-17 | N/A | 8.4 HIGH |
| Improper neutralization of special elements used in a command ('command injection') in Azure Command Line Integration (CLI) allows an unauthorized attacker to elevate privileges locally. | |||||
| CVE-2025-23239 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2026-06-17 | N/A | 8.7 HIGH |
| When running in Appliance mode, and logged into a highly-privileged role, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-23196 | 1 Apache | 1 Ambari | 2026-06-17 | N/A | 8.8 HIGH |
| A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. The vulnerability arises when defining alert scripts, where the script filename field is executed using `sh -c`. An attacker with authenticated access can exploit this vulnerability to inject malicious commands, leading to remote code execution on the server. The issue has been fixed in the latest versions of Ambari. | |||||
| CVE-2025-23170 | 2026-06-17 | N/A | 6.7 MEDIUM | ||
| The Versa Director SD-WAN orchestration platform includes functionality to initiate SSH sessions to remote CPEs and the Director shell via Shell-In-A-Box. The underlying Python script, shell-connect.py, is vulnerable to command injection through the user argument. This allows an attacker to execute arbitrary commands on the system. Exploitation Status: Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers. Workarounds or Mitigation: There are no workarounds to disable the GUI option. Versa recommends that Director be upgraded to one of the remediated software versions. | |||||
| CVE-2025-23119 | 2026-06-17 | N/A | 7.5 HIGH | ||
| An Improper Neutralization of Escape Sequences vulnerability could allow an Authentication Bypass with a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras adjacent network. | |||||
| CVE-2025-23094 | 2026-06-17 | N/A | 7.3 HIGH | ||
| The Platform component of Mitel OpenScape 4000 and OpenScape 4000 Manager V11 R0.22.0 through V11 R0.22.1, V10 R1.54.0 through V10 R1.54.1, and V10 R1.42.6 and earlier could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary commands within the same privilege level as the web access process. | |||||
| CVE-2025-23052 | 2026-06-17 | N/A | 7.2 HIGH | ||
| Authenticated command injection vulnerability in the command line interface of a network management service. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as a privileged user on the underlying operating system. | |||||
| CVE-2025-22962 | 2026-06-17 | N/A | 7.2 HIGH | ||
| A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint, enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise, including unauthorized access, privilege escalation, and potentially full device takeover. | |||||
| CVE-2025-22949 | 1 Tenda | 2 Ac9, Ac9 Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| Tenda ac9 v1.0 firmware v15.03.05.19 is vulnerable to command injection in /goform/SetSambaCfg, which may lead to remote arbitrary code execution. | |||||
| CVE-2025-22941 | 1 Adtran | 2 411, 411 Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| A command injection vulnerability in the web interface of Adtran 411 ONT L80.00.0011.M2 allows attackers to escalate privileges to root and execute arbitrary commands. | |||||
| CVE-2025-22939 | 1 Adtran | 2 411, 411 Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| A command injection vulnerability in the telnet service of Adtran 411 ONT L80.00.0011.M2 allows attackers to escalate privileges to root and execute arbitrary commands. | |||||
| CVE-2025-22912 | 1 Edimax | 2 Re11s, Re11s Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| RE11S v1.11 was discovered to contain a command injection vulnerability via the component /goform/formAccept. | |||||
| CVE-2025-22630 | 2026-06-17 | N/A | 9.9 CRITICAL | ||
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Marketing Fire Widget Options widget-options allows OS Command Injection.This issue affects Widget Options: from n/a through <= 4.1.0. | |||||
| CVE-2025-22481 | 1 Qnap | 2 Qts, Quts Hero | 2026-06-17 | N/A | 8.8 HIGH |
| A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.4.3079 build 20250321 and later QuTS hero h5.2.4.3079 build 20250321 and later | |||||