Vulnerabilities (CVE)

Filtered by CWE-77
Total 3410 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-25613 1 Arubanetworks 1 Arubaos 2026-06-17 N/A 7.2 HIGH
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
CVE-2024-25612 1 Arubanetworks 1 Arubaos 2026-06-17 N/A 7.2 HIGH
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
CVE-2024-25611 1 Arubanetworks 1 Arubaos 2026-06-17 N/A 7.2 HIGH
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
CVE-2024-25255 2026-06-17 N/A 9.8 CRITICAL
Sublime Text 4 was discovered to contain a command injection vulnerability via the New Build System module. NOTE: multiple third parties report that this is intended behavior.
CVE-2024-25228 1 Vinchin 1 Vinchin Backup And Recovery 2026-06-17 N/A 8.8 HIGH
Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.
CVE-2024-25082 3 Debian, Fedoraproject, Fontforge 3 Debian Linux, Fedora, Fontforge 2026-06-17 N/A 6.5 MEDIUM
Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.
CVE-2024-25081 3 Debian, Fedoraproject, Fontforge 3 Debian Linux, Fedora, Fontforge 2026-06-17 N/A 4.2 MEDIUM
Splinefont in FontForge through 20230101 allows command injection via crafted filenames.
CVE-2024-24551 1 Bludit 1 Bludit 2026-06-17 N/A 8.8 HIGH
A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.
CVE-2024-24550 1 Bludit 1 Bludit 2026-06-17 N/A 8.1 HIGH
A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.
CVE-2024-24377 1 Idocv 1 Idocview 2026-06-17 N/A 9.8 CRITICAL
An issue in idocv v.14.1.3_20231228 allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script.
CVE-2024-24301 1 4ipnet 2 Eap-767, Eap-767 Firmware 2026-06-17 N/A 8.8 HIGH
Command Injection vulnerability discovered in 4ipnet EAP-767 device v3.42.00 within the web interface of the device allows attackers with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges.
CVE-2024-24216 1 Easycorp 1 Zentao 2026-06-17 N/A 9.8 CRITICAL
Zentao v18.0 to v18.10 was discovered to contain a remote code execution (RCE) vulnerability via the checkConnection method of /app/zentao/module/repo/model.php.
CVE-2024-23971 1 Chargepoint 6 Home Flex Hardwired, Home Flex Hardwired Firmware, Home Flex Nema 14-50 Plug and 3 more 2026-06-17 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.
CVE-2024-23749 1 9bis 1 Kitty 2026-06-17 N/A 7.8 HIGH
KiTTY versions 0.76.1.13 and before is vulnerable to command injection via the filename variable, occurs due to insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This allows an attacker to add inputs inside the filename variable, leading to arbitrary code execution.
CVE-2024-23745 1 Notion 1 Web Clipper 2026-06-17 N/A 9.8 CRITICAL
In Notion Web Clipper 1.0.3(7), a .nib file is susceptible to the Dirty NIB attack. NIB files can be manipulated to execute arbitrary commands. Additionally, even if a NIB file is modified within an application, Gatekeeper may still permit the execution of the application, enabling the execution of arbitrary commands within the application's context. NOTE: the vendor's perspective is that this is simply an instance of CVE-2022-48505, cannot properly be categorized as a product-level vulnerability, and cannot have a product-level fix because it is about incorrect caching of file signatures on macOS.
CVE-2024-23628 1 Motorola 2 Mr2600, Mr2600 Firmware 2026-06-17 7.7 HIGH 9.0 CRITICAL
A command injection vulnerability exists in the 'SaveStaticRouteIPv6Params' parameter of the Motorola MR2600. A remote attacker can exploit this vulnerability to achieve command execution. Authentication is required, however can be bypassed.
CVE-2024-23627 1 Motorola 2 Mr2600, Mr2600 Firmware 2026-06-17 7.7 HIGH 9.0 CRITICAL
A command injection vulnerability exists in the 'SaveStaticRouteIPv4Params' parameter of the Motorola MR2600. A remote attacker can exploit this vulnerability to achieve command execution. Authentication is required, however can be bypassed.
CVE-2024-23626 1 Motorola 2 Mr2600, Mr2600 Firmware 2026-06-17 7.7 HIGH 9.0 CRITICAL
A command injection vulnerability exists in the ‘SaveSysLogParams’ parameter of the Motorola MR2600. A remote attacker can exploit this vulnerability to achieve command execution. Authentication is required, however can be bypassed.
CVE-2024-23625 1 Dlink 2 Dap-1650, Dap-1650 Firmware 2026-06-17 8.3 HIGH 9.6 CRITICAL
A command injection vulnerability exists in D-Link DAP-1650 devices when handling UPnP SUBSCRIBE messages. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root.
CVE-2024-23624 1 Dlink 2 Dap-1650, Dap-1650 Firmware 2026-06-17 8.3 HIGH 9.6 CRITICAL
A command injection vulnerability exists in the gena.cgi module of D-Link DAP-1650 devices. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root.