Total
3353 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-8753 | 2026-05-18 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in kalcaddle Kodbox up to 1.64. This issue affects the function parseVideoInfo of the file /workspace/source-code/plugins/fileThumb/lib/VideoResize.class.php of the component fileThumb Plugin. The manipulation of the argument ffmpegBin leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-39054 | 2026-05-18 | N/A | 7.3 HIGH | ||
| Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands. The method starts a shell process and writes attacker-controlled command strings directly to the process standard input without sanitization. In affected deployments, this can result in arbitrary operating system command execution. | |||||
| CVE-2026-44257 | 2026-05-18 | N/A | N/A | ||
| efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010. | |||||
| CVE-2021-3855 | 1 Liman | 1 Port Mys | 2026-05-18 | N/A | 8.8 HIGH |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Liman Central Management System Liman MYS (HTTP/Controllers, CronMail, Jobs modules) allows Command Injection. This issue affects Liman Central Management System: from 1.7.0 before 1.8.3-462. | |||||
| CVE-2026-44866 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2026-05-15 | N/A | 7.2 HIGH |
| Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |||||
| CVE-2026-41611 | 1 Microsoft | 1 Visual Studio Code | 2026-05-15 | N/A | 7.8 HIGH |
| Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally. | |||||
| CVE-2024-3566 | 6 Haskell, Microsoft, Nodejs and 3 more | 6 Process Library, Windows, Node.js and 3 more | 2026-05-15 | N/A | 9.8 CRITICAL |
| A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | |||||
| CVE-2026-44865 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2026-05-15 | N/A | 7.2 HIGH |
| Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |||||
| CVE-2026-44867 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2026-05-14 | N/A | 7.2 HIGH |
| Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |||||
| CVE-2026-44868 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2026-05-14 | N/A | 7.2 HIGH |
| Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |||||
| CVE-2026-44869 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2026-05-14 | N/A | 7.2 HIGH |
| Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |||||
| CVE-2026-44870 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2026-05-14 | N/A | 7.2 HIGH |
| Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |||||
| CVE-2026-44854 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2026-05-14 | N/A | 7.2 HIGH |
| Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a privileged user. | |||||
| CVE-2026-44853 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2026-05-14 | N/A | 7.2 HIGH |
| Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a privileged user. | |||||
| CVE-2026-33111 | 1 Microsoft | 1 Copilot Chat | 2026-05-14 | N/A | 7.5 HIGH |
| Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2026-44871 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2026-05-14 | N/A | 7.2 HIGH |
| Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |||||
| CVE-2026-36741 | 2026-05-14 | N/A | 7.2 HIGH | ||
| U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Command Injection. The Network Time Protocol (NTP) configuration interface does not properly sanitize user-supplied input. An authenticated user with permission to configure NTP settings can inject arbitrary system commands through crafted input fields. These commands are executed with elevated privileges, leading to potential full system compromise. | |||||
| CVE-2026-44872 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2026-05-13 | N/A | 7.2 HIGH |
| A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device. | |||||
| CVE-2026-42893 | 1 Microsoft | 1 Outlook | 2026-05-13 | N/A | 7.4 HIGH |
| Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network. | |||||
| CVE-2026-43990 | 2026-05-13 | N/A | 8.4 HIGH | ||
| JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell metacharacters in agent-supplied arguments to be interpreted as command syntax. This vulnerability is fixed in 0.x.y-security-1. | |||||