Vulnerabilities (CVE)

Filtered by CWE-77
Total 3412 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-40110 1 Nikhil-bhalerao 1 Poultry Farm Management System 2026-06-17 N/A 9.8 CRITICAL
Sourcecodester Poultry Farm Management System v1.0 contains an Unauthenticated Remote Code Execution (RCE) vulnerability via the productimage parameter at /farm/product.php.
CVE-2024-40070 1 Oretnom23 1 Online Id Generator System 2026-06-17 N/A 5.1 MEDIUM
Sourcecodester Online ID Generator System 1.0 was discovered to contain an arbitrary file upload vulnerability via id_generator/classes/Users.php?f=save. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2024-3908 1 Tenda 2 Ac500, Ac500 Firmware 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical has been found in Tenda AC500 2.0.1.9(1307). Affected is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-261144. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-3871 2026-06-17 N/A 9.8 CRITICAL
The Delta Electronics DVW-W02W2-E2 devices expose a web administration interface to users. This interface implements multiple features that are affected by command injections and stack overflows vulnerabilities. Successful exploitation of these flaws would allow remote unauthenticated attackers to gain remote code execution with elevated privileges on the affected devices. This issue affects DVW-W02W2-E2 through version 2.5.2.
CVE-2024-3659 1 Kaongroup 2 Ar2140, Ar2140 Firmware 2026-06-17 N/A 7.2 HIGH
Firmware in KAON AR2140 routers, prior to versions 3.2.50 and 4.2.16, is vulnerable to a shell command injection via sending a crafted request to one of the endpoints. In order to exploit this vulnerability, one has to have access to the administrative portal of the router.
CVE-2024-3566 6 Haskell, Microsoft, Nodejs and 3 more 6 Process Library, Windows, Node.js and 3 more 2026-06-17 N/A 9.8 CRITICAL
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
CVE-2024-3483 1 Microfocus 1 Imanager 2026-06-17 N/A 7.8 HIGH
Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger command injection and insecure deserialization issues.
CVE-2024-3400 1 Paloaltonetworks 1 Pan-os 2026-06-17 N/A 10.0 CRITICAL
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
CVE-2024-3273 1 Dlink 40 Dnr-202l, Dnr-202l Firmware, Dnr-322l and 37 more 2026-06-17 7.5 HIGH 7.3 HIGH
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
CVE-2024-3271 1 Llamaindex 1 Llamaindex 2026-06-17 N/A 9.8 CRITICAL
A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by crafting input that does not contain an underscore but still results in the execution of OS commands. The vulnerability allows for remote code execution (RCE) on the server hosting the application.
CVE-2024-3154 2026-06-17 N/A 7.2 HIGH
A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.
CVE-2024-3116 2 Fedoraproject, Pgadmin 2 Fedora, Pgadmin 4 2026-06-17 N/A 7.4 HIGH
pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.
CVE-2024-3009 1 Tenda 2 Fh1205, Fh1205 Firmware 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability has been found in Tenda FH1205 2.0.0.7(775) and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-258295. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-39963 1 Tenda 4 Ax12, Ax12 Firmware, Ax9 and 1 more 2026-06-17 N/A 8.0 HIGH
AX3000 Dual-Band Gigabit Wi-Fi 6 Router AX9 V22.03.01.46 and AX3000 Dual-Band Gigabit Wi-Fi 6 Router AX12 V1.0 V22.03.01.46 were discovered to contain an authenticated remote command execution (RCE) vulnerability via the macFilterType parameter at /goform/setMacFilterCfg.
CVE-2024-39914 1 Fogproject 1 Fogproject 2026-06-17 N/A 9.8 CRITICAL
FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php. This vulnerability is fixed in 1.5.10.34.
CVE-2024-39783 1 Wavlink 2 Wl-wn533a8, Wl-wn533a8 Firmware 2026-06-17 N/A 9.1 CRITICAL
Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `restart_week` POST parameter.
CVE-2024-39782 1 Wavlink 2 Wl-wn533a8, Wl-wn533a8 Firmware 2026-06-17 N/A 9.1 CRITICAL
Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `restart_min` POST parameter.
CVE-2024-39781 1 Wavlink 2 Wl-wn533a8, Wl-wn533a8 Firmware 2026-06-17 N/A 9.1 CRITICAL
Multiple OS command injection vulnerabilities exist in the adm.cgi sch_reboot() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `restart_hour` POST parameter.
CVE-2024-39765 1 Wavlink 2 Wl-wn533a8, Wl-wn533a8 Firmware 2026-06-17 N/A 9.1 CRITICAL
Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `custom_interface` POST parameter.
CVE-2024-39764 1 Wavlink 2 Wl-wn533a8, Wl-wn533a8 Firmware 2026-06-17 N/A 9.1 CRITICAL
Multiple OS command injection vulnerabilities exist in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists in the `dest` POST parameter.