Vulnerabilities (CVE)

Filtered by CWE-77
Total 3403 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-22544 1 Linksys 2 E1700, E1700 Firmware 2026-06-17 N/A 8.0 HIGH
An issue was discovered in Linksys Router E1700 version 1.0.04 (build 3), allows authenticated attackers to execute arbitrary code via the setDateTime function.
CVE-2024-22529 1 Totolink 2 X2000r, X2000r Firmware 2026-06-17 N/A 9.8 CRITICAL
TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa.
CVE-2024-22246 2026-06-17 N/A 7.4 HIGH
VMware SD-WAN Edge contains an unauthenticated command injection vulnerability potentially leading to remote code execution. A malicious actor with local access to the Edge Router UI during activation may be able to perform a command injection attack that could lead to full control of the router.
CVE-2024-22198 1 Nginxui 1 Nginx Ui 2026-06-17 N/A 7.1 HIGH
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The `Home > Preference` page exposes a list of system settings such as `Run Mode`, `Jwt Secret`, `Node Secret` and `Terminal Start Command`. While the UI doesn't allow users to modify the `Terminal Start Command` setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9.
CVE-2024-22197 1 Nginxui 1 Nginx Ui 2026-06-17 N/A 7.7 HIGH
Nginx-ui is online statistics for Server Indicators?? Monitor CPU usage, memory usage, load average, and disk usage in real-time. The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API also exposes `test_config_cmd`, `reload_cmd` and `restart_cmd`. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sending a request to the API. This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure. This issue has been patched in version 2.0.0.beta.9.
CVE-2024-22127 1 Sap 1 Netweaver Application Server Java 2026-06-17 N/A 9.1 CRITICAL
SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the application.
CVE-2024-22122 1 Zabbix 1 Zabbix 2026-06-17 N/A 3.0 LOW
Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.
CVE-2024-22107 1 Gttb 1 Gtb Central Console 2026-06-17 N/A 7.2 HIGH
An issue was discovered in GTB Central Console 15.17.1-30814.NG. The method systemSettingsDnsDataAction at /opt/webapp/src/AppBundle/Controller/React/SystemSettingsController.php is vulnerable to command injection via the /old/react/v1/api/system/dns/data endpoint. An authenticated attacker can abuse it to inject an arbitrary command and compromise the platform.
CVE-2024-22061 1 Ivanti 1 Avalanche 2026-06-17 N/A 9.8 CRITICAL
A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands
CVE-2024-21903 1 Qnap 2 Qts, Quts Hero 2026-06-17 N/A 6.6 MEDIUM
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
CVE-2024-21887 1 Ivanti 2 Connect Secure, Policy Secure 2026-06-17 N/A 9.1 CRITICAL
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
CVE-2024-21880 1 Enphase 2 Iq Gateway, Iq Gateway Firmware 2026-06-17 N/A 7.2 HIGH
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated enpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection.This issue affects Envoy: 4.x <= 7.x
CVE-2024-21879 1 Enphase 2 Iq Gateway, Iq Gateway Firmware 2026-06-17 N/A 8.8 HIGH
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability through an url parameter of an authenticated enpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection.This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.
CVE-2024-21878 1 Enphase 2 Iq Gateway, Iq Gateway Firmware 2026-06-17 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.
CVE-2024-21663 1 Demon1a 1 Discord-recon 2026-06-17 N/A 9.9 CRITICAL
Discord-Recon is a Discord bot created to automate bug bounty recon, automated scans and information gathering via a discord server. Discord-Recon is vulnerable to remote code execution. An attacker is able to execute shell commands in the server without having an admin role. This vulnerability has been fixed in version 0.0.8.
CVE-2024-21322 1 Microsoft 1 Defender For Iot 2026-06-17 N/A 7.2 HIGH
Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2024-21117 1 Oracle 1 Outside In Technology 2026-06-17 N/A 5.3 MEDIUM
Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Core). Supported versions that are affected are 8.5.6 and 8.5.7. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Outside In Technology executes to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data as well as unauthorized read access to a subset of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
CVE-2024-20676 1 Microsoft 1 Azure Storage Mover 2026-06-17 N/A 8.0 HIGH
Azure Storage Mover Remote Code Execution Vulnerability
CVE-2024-20667 1 Microsoft 1 Azure Devops Server 2026-06-17 N/A 7.5 HIGH
Azure DevOps Server Remote Code Execution Vulnerability
CVE-2024-20492 1 Cisco 1 Telepresence Video Communication Server 2026-06-17 N/A 6.0 MEDIUM
A vulnerability in the restricted shell of Cisco Expressway Series could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have Administrator-level credentials with read-write privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a series of crafted CLI commands. A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of the affected device. Note: Cisco Expressway Series refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.