Vulnerabilities (CVE)

Filtered by CWE-77
Total 3411 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-36983 1 Splunk 2 Splunk, Splunk Cloud Platform 2026-06-17 N/A 8.0 HIGH
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform Instance.
CVE-2024-36842 2026-06-17 N/A 7.3 HIGH
An issue in Oncord+ Android Infotainment Systems OS Android 12, Model Hardware TS17,Hardware part Number F57L_V3.2_20220301, and Build Number PlatformVER:K24-2023/05/09-v0.01 allows a remote attacker to execute arbitrary code via the ADB port component.
CVE-2024-36783 1 Totolink 2 Lr350, Lr350 Firmware 2026-06-17 N/A 9.8 CRITICAL
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection via the host_time parameter in the NTPSyncWithHost function.
CVE-2024-36604 1 Tenda 2 O3, O3 Firmware 2026-06-17 N/A 9.8 CRITICAL
Tenda O3V2 v1.0.0.12(3880) was discovered to contain a Blind Command Injection via stpEn parameter in the SetStp function. This vulnerability allows attackers to execute arbitrary commands with root privileges.
CVE-2024-36138 2026-06-17 N/A 8.1 HIGH
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
CVE-2024-36073 2026-06-17 N/A 7.2 HIGH
Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the shadowing component of the Endpoint Protector and Unify agent which allows an attacker with administrative access to the Endpoint Protector or Unify server to overwrite sensitive configuration and subsequently execute system commands with SYSTEM/root privileges on a chosen client endpoint.
CVE-2024-35522 1 Netgear 2 Ex3700, Ex3700 Firmware 2026-06-17 N/A 8.4 HIGH
Netgear EX3700 ' AC750 WiFi Range Extender Essentials Edition before 1.0.0.98 contains an authenticated command injection in operating_mode.cgi via the ap_mode parameter with ap_24g_manual set to 1 and ap_24g_manual_sec set to NotNone.
CVE-2024-35520 1 Netgear 2 R7000, R7000 Firmware 2026-06-17 N/A 8.4 HIGH
Netgear R7000 1.0.11.136 is vulnerable to Command Injection in RMT_invite.cgi via device_name2 parameter.
CVE-2024-35519 1 Netgear 6 Ex3700, Ex3700 Firmware, Ex6100 and 3 more 2026-06-17 N/A 8.4 HIGH
Netgear EX6120 v1.0.0.68, Netgear EX6100 v1.0.2.28, and Netgear EX3700 v1.0.0.96 are vulnerable to command injection in operating_mode.cgi via the ap_mode parameter.
CVE-2024-35518 1 Netgear 2 Ex6120, Ex6120 Firmware 2026-06-17 N/A 8.4 HIGH
Netgear EX6120 v1.0.0.68 is vulnerable to Command Injection in genie_fix2.cgi via the wan_dns1_pri parameter.
CVE-2024-35517 1 Netgear 2 Xr1000, Xr1000 Firmware 2026-06-17 N/A 8.4 HIGH
Netgear XR1000 v1.0.0.64 is vulnerable to command injection in usb_remote_smb_conf.cgi via the share_name parameter.
CVE-2024-35374 1 Mocodo 1 Mocodo Online 2026-06-17 N/A 9.8 CRITICAL
Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, allowing remote attackers to execute arbitrary commands and potentially command injection, leading to remote code execution (RCE) under certain conditions.
CVE-2024-35340 1 Tenda 2 Fh1206, Fh1206 Firmware 2026-06-17 N/A 8.6 HIGH
Tenda FH1206 V1.2.0.8(8155) was discovered to contain a command injection vulnerability via the cmdinput parameter at ip/goform/formexeCommand.
CVE-2024-35285 1 Mitel 1 Micollab 2026-06-17 N/A 9.8 CRITICAL
A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization.
CVE-2024-35242 2026-06-17 N/A 8.8 HIGH
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.
CVE-2024-35241 2026-06-17 N/A 8.8 HIGH
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
CVE-2024-34852 1 F-logic 2 Datacube3, Datacube3 Firmware 2026-06-17 N/A 6.3 MEDIUM
F-logic DataCube3 v1.0 is affected by command injection due to improper string filtering at the command execution point in the ./admin/transceiver_schedule.php file. An unauthenticated remote attacker can exploit this vulnerability by sending a file name containing command injection. Successful exploitation of this vulnerability may allow the attacker to execute system commands.
CVE-2024-34792 1 Dextaz Ping Project 1 Dextaz Ping 2026-06-17 N/A 9.1 CRITICAL
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in dexta Dextaz Ping allows Command Injection.This issue affects Dextaz Ping: from n/a through 0.65.
CVE-2024-34713 2026-06-17 N/A 3.5 LOW
sshproxy is used on a gateway to transparently proxy a user SSH connection on the gateway to an internal host via SSH. Prior to version 1.6.3, any user authorized to connect to a ssh server using `sshproxy` can inject options to the `ssh` command executed by `sshproxy`. All versions of `sshproxy` are impacted. The problem is patched starting in version 1.6.3. The only workaround is to use the `force_command` option in `sshproxy.yaml`, but it's rarely relevant.
CVE-2024-34352 1 Fit2cloud 1 1panel 2026-06-17 N/A 6.5 MEDIUM
1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol `>` can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts.