Vulnerabilities (CVE)

Filtered by CWE-77
Total 3411 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-34347 2026-06-17 N/A 8.3 HIGH
@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.
CVE-2024-34338 1 Tenda 2 O3, O3 Firmware 2026-06-17 N/A 7.2 HIGH
Tenda O3V2 with firmware versions V1.0.0.10 and V1.0.0.12 was discovered to contain a Blind Command Injection via dest parameter in /goform/getTraceroute. This vulnerability allows attackers to execute arbitrary commands with root privileges. Authentication is required to exploit this vulnerability.
CVE-2024-34218 1 Totolink 2 Cp450, Cp450 Firmware 2026-06-17 N/A 3.8 LOW
TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the NTPSyncWithHost function via the hostTime parameter.
CVE-2024-34206 1 Totolink 2 Cp450, Cp450 Firmware 2026-06-17 N/A 6.5 MEDIUM
TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter.
CVE-2024-34204 1 Totolink 2 Cp450, Cp450 Firmware 2026-06-17 N/A 9.8 CRITICAL
TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the setUpgradeFW function via the FileName parameter.
CVE-2024-34166 1 Wavlink 2 Wl-wn533a8, Wl-wn533a8 Firmware 2026-06-17 N/A 10.0 CRITICAL
An os command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of HTTP requests can lead to arbitrary code execution. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2024-33789 1 Linksys 2 E5600, E5600 Firmware 2026-06-17 N/A 9.8 CRITICAL
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability via the ipurl parameter at /API/info form endpoint.
CVE-2024-33788 1 Linksys 2 E5600, E5600 Firmware 2026-06-17 N/A 8.0 HIGH
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability via the PinCode parameter at /API/info form endpoint.
CVE-2024-33508 1 Fortinet 1 Forticlient Enterprise Management Server 2026-06-17 N/A 7.3 HIGH
An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in Fortinet FortiClientEMS 7.2.0 through 7.2.4, 7.0.0 through 7.0.12 may allow an unauthenticated attacker to execute limited and temporary operations on the underlying database via crafted requests.
CVE-2024-33469 2026-06-17 N/A 7.9 HIGH
An issue in Team Amaze Amaze File Manager v.3.8.5 and fixed in v.3.10 allows a local attacker to execute arbitrary code via the onCreate method of DatabaseViewerActivity.java.
CVE-2024-33439 2026-06-17 N/A 9.1 CRITICAL
An issue in Kasda LinkSmart Router KW5515 v1.7 and before allows an authenticated remote attacker to execute arbitrary OS commands via cgi parameters.
CVE-2024-33344 1 Dlink 2 Dir-822\+, Dir-822\+ Firmware 2026-06-17 N/A 9.8 CRITICAL
D-Link DIR-822+ V1.0.5 was found to contain a command injection in ftext function of upload_firmware.cgi, which allows remote attackers to execute arbitrary commands via shell.
CVE-2024-33342 1 Dlink 2 Dir-822\+, Dir-822\+ Firmware 2026-06-17 N/A 7.5 HIGH
D-Link DIR-822+ V1.0.5 was found to contain a command injection in SetPlcNetworkpwd function of prog.cgi, which allows remote attackers to execute arbitrary commands via shell.
CVE-2024-33113 1 Dlink 2 Dir-845l, Dir-845l Firmware 2026-06-17 N/A 5.3 MEDIUM
D-LINK DIR-845L <=v1.01KRb03 is vulnerable to Information disclosurey via bsc_sms_inbox.php.
CVE-2024-33112 1 Dlink 2 Dir-845l, Dir-845l Firmware 2026-06-17 N/A 7.5 HIGH
D-Link DIR-845L router v1.01KRb03 and before is vulnerable to Command injection via the hnap_main()func.
CVE-2024-32884 2026-06-17 N/A 6.4 MEDIUM
gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.
CVE-2024-32766 1 Qnap 3 Qts, Quts Hero, Qutscloud 2026-06-17 N/A 10.0 CRITICAL
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
CVE-2024-32355 1 Totolink 2 X5000r, X5000r Firmware 2026-06-17 N/A 8.0 HIGH
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'password' parameter in the setSSServer function.
CVE-2024-32354 1 Totolink 2 X5000r, X5000r Firmware 2026-06-17 N/A 6.0 MEDIUM
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'timeout' parameter in the setSSServer function at /cgi-bin/cstecgi.cgi.
CVE-2024-32353 1 Totolink 2 X5000r, X5000r Firmware 2026-06-17 N/A 9.8 CRITICAL
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'port' parameter in the setSSServer function at /cgi-bin/cstecgi.cgi.