Total
3353 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-9435 | 2026-05-26 | 10.0 HIGH | 9.8 CRITICAL | ||
| A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setQosCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | |||||
| CVE-2026-9457 | 2026-05-26 | 10.0 HIGH | 9.8 CRITICAL | ||
| A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-9407 | 2026-05-26 | 10.0 HIGH | 9.8 CRITICAL | ||
| A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this vulnerability is the function setFirewallType of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument firewallType leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-9432 | 2026-05-26 | 10.0 HIGH | 9.8 CRITICAL | ||
| A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setWiFiAdvancedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument bgProtection results in os command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2026-9388 | 2026-05-26 | 10.0 HIGH | 9.8 CRITICAL | ||
| A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument mode can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-9408 | 2026-05-26 | 10.0 HIGH | 9.8 CRITICAL | ||
| A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setStaticDhcpRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit is now public and may be used. | |||||
| CVE-2026-9277 | 2026-05-23 | N/A | 8.1 HIGH | ||
| shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`. | |||||
| CVE-2026-45585 | 1 Microsoft | 4 Windows 11 24h2, Windows 11 25h2, Windows 11 26h1 and 1 more | 2026-05-22 | N/A | 6.8 MEDIUM |
| Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available. Mitigation FAQs Should I leverage the temporary mitigation? Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen. For example, if your organization’s employees take their work devices home or on business travel. What impact to service availability/management could be caused by implementing the mitigations? Implementing these mitigations will not impact service availability or management operations. Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available? No. The security update will maintain the mitigation's behavior once the security update is installed. I am using TPM+PIN, am I at risk of this vulnerability being exploited No, if you are using TPM+PIN the vulnerability is not exploitable. | |||||
| CVE-2026-35070 | 1 Dell | 1 Smartfabric Storage Software | 2026-05-22 | N/A | 6.4 MEDIUM |
| Dell SmartFabric Storage Software, versions prior to 1.4.5, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Filesystem access for attacker. | |||||
| CVE-2024-12251 | 1 Progress | 1 Telerik Ui For Winui | 2026-05-21 | N/A | 7.8 HIGH |
| In Progress Telerik UI for WinUI versions prior to 2025 Q1 (3.0.0), a command injection attack is possible through improper neutralization of hyperlink elements. | |||||
| CVE-2026-8632 | 1 Hp | 1 Linux Imaging And Printing | 2026-05-21 | N/A | 7.8 HIGH |
| A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution via operating system command injection. | |||||
| CVE-2026-2740 | 2026-05-21 | N/A | 8.4 HIGH | ||
| Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency. | |||||
| CVE-2026-24712 | 1 Northern.tech | 1 Cfengine | 2026-05-19 | N/A | 7.3 HIGH |
| Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection. | |||||
| CVE-2026-46508 | 1 Vercel | 1 Turborepo Language Server Protocol | 2026-05-19 | N/A | 7.8 HIGH |
| Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and task runs. A malicious workspace could provide crafted values through workspace settings or task names in the repository's source code that were interpolated into shell commands. When the extension activated or when a user ran a task through the extension, those values could be interpreted by the user's shell, allowing arbitrary command execution with the privileges of the local VS Code process. This vulnerability is fixed in 2.9.14000. | |||||
| CVE-2026-8767 | 1 Vercel | 1 Ai | 2026-05-19 | 4.6 MEDIUM | 5.0 MEDIUM |
| A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-57282 | 2026-05-18 | N/A | 8.8 HIGH | ||
| ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection. | |||||
| CVE-2026-8774 | 2026-05-18 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was detected in Edimax BR-6228NC 1.22. Affected by this issue is the function mp of the file /goform/mp of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-8777 | 2026-05-18 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in Edimax BR-6428NS 1.10. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. Performing a manipulation of the argument stadrv_ssid results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-42258 | 1 Ruby-lang | 1 Net\ | 2026-05-18 | N/A | 9.8 CRITICAL |
| Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. | |||||
| CVE-2026-42257 | 1 Ruby-lang | 1 Net\ | 2026-05-18 | N/A | 9.8 CRITICAL |
| Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. | |||||