Vulnerabilities (CVE)

Filtered by CWE-77
Total 3412 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-39028 1 Seacms 1 Seacms 2026-06-17 N/A 9.8 CRITICAL
An issue was discovered in SeaCMS <=12.9 which allows remote attackers to execute arbitrary code via admin_ping.php.
CVE-2024-38903 1 H3c 2 Magic R230, Magic R230 Firmware 2026-06-17 N/A 4.1 MEDIUM
H3C Magic R230 V100R002's udpserver opens port 9034, allowing attackers to execute arbitrary commands.
CVE-2024-38896 1 Wavlink 2 Wn551k1, Wn551k1 Firmware 2026-06-17 N/A 5.3 MEDIUM
WAVLINK WN551K1 found a command injection vulnerability through the start_hour parameter of /cgi-bin/nightled.cgi.
CVE-2024-38894 1 Wavlink 2 Wn551k1, Wn551k1 Firmware 2026-06-17 N/A 5.3 MEDIUM
WAVLINK WN551K1 found a command injection vulnerability through the IP parameter of /cgi-bin/touchlist_sync.cgi.
CVE-2024-38831 1 Vmware 2 Aria Operations, Cloud Foundation 2026-06-17 N/A 7.8 HIGH
VMware Aria Operations contains a local privilege escalation vulnerability.  A malicious actor with local administrative privileges can insert malicious commands into the properties file to escalate privileges to  a root user on the appliance running VMware Aria Operations.
CVE-2024-38817 2026-06-17 N/A 6.7 MEDIUM
VMware NSX contains a command injection vulnerability.  A malicious actor with access to the NSX Edge CLI terminal may be able to craft malicious payloads to execute arbitrary commands on the operating system as root.
CVE-2024-38644 1 Qnap 1 Notes Station 3 2026-06-17 N/A 8.8 HIGH
An OS command injection vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to execute commands. We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and later
CVE-2024-38641 1 Qnap 2 Qts, Quts Hero 2026-06-17 N/A 7.8 HIGH
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later
CVE-2024-38492 2026-06-17 N/A N/A
This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file.
CVE-2024-38486 1 Dell 1 Smartfabric Os10 2026-06-17 N/A 7.5 HIGH
Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 and 10.5.6.x , contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution.
CVE-2024-38288 1 Rhubcom 1 Turbomeeting 2026-06-17 N/A 7.2 HIGH
A command-injection issue in the Certificate Signing Request (CSR) functionality in R-HUB TurboMeeting through 8.x allows authenticated attackers with administrator privileges to execute arbitrary commands on the underlying server as root.
CVE-2024-38228 1 Microsoft 1 Sharepoint Server 2026-06-17 N/A 7.2 HIGH
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-38227 1 Microsoft 1 Sharepoint Server 2026-06-17 N/A 7.2 HIGH
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-37782 2026-06-17 N/A 9.8 CRITICAL
An LDAP injection vulnerability in the login page of Gladinet CentreStack v13.12.9934.54690 allows attackers to access sensitive data or execute arbitrary commands via a crafted payload injected into the username field.
CVE-2024-37642 1 Trendnet 2 Tew-814dap, Tew-814dap Firmware 2026-06-17 N/A 9.1 CRITICAL
TRENDnet TEW-814DAP v1_(FW1.01B01) was discovered to contain a command injection vulnerability via the ipv4_ping, ipv6_ping parameter at /formSystemCheck .
CVE-2024-37570 1 Mitel 2 6869i Sip, 6869i Sip Firmware 2026-06-17 N/A 8.8 HIGH
On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution.
CVE-2024-37569 1 Mitel 2 6869i Sip, 6869i Sip Firmware 2026-06-17 N/A 8.8 HIGH
An issue was discovered on Mitel 6869i through 4.5.0.41 and 5.x through 5.0.0.1018 devices. A command injection vulnerability exists in the hostname parameter taken in by the provis.html endpoint. The provis.html endpoint performs no sanitization on the hostname parameter (sent by an authenticated user), which is subsequently written to disk. During boot, the hostname parameter is executed as part of a series of shell commands. Attackers can achieve remote code execution in the root context by placing shell metacharacters in the hostname parameter.
CVE-2024-37385 2 Microsoft, Roundcube 2 Windows, Webmail 2026-06-17 N/A 9.8 CRITICAL
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.
CVE-2024-37186 1 Wavlink 2 Wl-wn533a8, Wl-wn533a8 Firmware 2026-06-17 N/A 9.1 CRITICAL
An os command injection vulnerability exists in the adm.cgi set_ledonoff() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2024-37091 1 Stylemixthemes 1 Consulting Elementor Widgets 2026-06-17 N/A 9.9 CRITICAL
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in StylemixThemes Consulting Elementor Widgets, StylemixThemes Masterstudy Elementor Widgets allows OS Command Injection.This issue affects Consulting Elementor Widgets: from n/a through 1.3.0; Masterstudy Elementor Widgets: from n/a through 1.2.2.