Total
5002 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-22265 | 2026-01-16 | N/A | 7.5 HIGH | ||
| Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2. | |||||
| CVE-2026-20759 | 2026-01-16 | N/A | 8.8 HIGH | ||
| OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low("monitoring user") or higher privilege to execute an arbitrary OS command. | |||||
| CVE-2025-62193 | 2026-01-16 | N/A | 9.8 CRITICAL | ||
| Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24. | |||||
| CVE-2025-7404 | 2 Gelbphoenix, Janeczku | 2 Autocaliweb, Calibre-web | 2026-01-16 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection.This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1. | |||||
| CVE-2025-15472 | 1 Trendnet | 2 Tew-811dru, Tew-811dru Firmware | 2026-01-15 | 8.3 HIGH | 7.2 HIGH |
| A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL of the file uapply.cgi of the component httpd . This manipulation of the argument DeviceURL causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-60738 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2026-01-15 | N/A | 9.8 CRITICAL |
| An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before Logic Version v6.00 - 2025_07_21 and before allows a remote attacker to execute arbitrary code via the ping.php component does not perform secure filtering on IP parameters | |||||
| CVE-2026-21267 | 3 Adobe, Apple, Microsoft | 3 Dreamweaver, Macos, Windows | 2026-01-14 | N/A | 8.6 HIGH |
| Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | |||||
| CVE-2025-69269 | 3 Broadcom, Linux, Microsoft | 3 Dx Netops Spectrum, Linux Kernel, Windows | 2026-01-14 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows OS Command Injection.This issue affects DX NetOps Spectrum: 23.3.6 and earlier. | |||||
| CVE-2025-66052 | 1 Vivotek | 2 Ip7137, Ip7137 Firmware | 2026-01-14 | N/A | 7.2 HIGH |
| Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, administrative access is not protected by default, The vendor has not replied to the CNA Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | |||||
| CVE-2026-22718 | 2026-01-14 | N/A | 6.8 MEDIUM | ||
| The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine. | |||||
| CVE-2022-50909 | 2026-01-14 | N/A | 8.8 HIGH | ||
| Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure 'source' parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request. | |||||
| CVE-2024-52961 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 8.8 HIGH |
| An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0, FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2.1 through 4.2.7, FortiSandbox 4.0.0 through 4.0.5, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. | |||||
| CVE-2024-27778 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 8.8 HIGH |
| An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0.5 through 3.0.7 allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. | |||||
| CVE-2023-26210 | 1 Fortinet | 2 Fortiadc, Fortiadc Manager | 2026-01-14 | N/A | 7.8 HIGH |
| Multiple improper neutralization of special elements used in an os command ('OS Command Injection') vulnerabilties [CWE-78] vulnerability in Fortinet allows a local authenticated attacker to execute arbitrary shell code as `root` user via crafted CLI requests. | |||||
| CVE-2024-23109 | 1 Fortinet | 1 Fortisiem | 2026-01-14 | N/A | 10.0 CRITICAL |
| An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via via crafted API requests. | |||||
| CVE-2024-23108 | 1 Fortinet | 1 Fortisiem | 2026-01-14 | N/A | 10.0 CRITICAL |
| An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via via crafted API requests. | |||||
| CVE-2024-21756 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 8.8 HIGH |
| A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4 allows attacker to execute unauthorized code or commands via crafted requests.. | |||||
| CVE-2023-47540 | 1 Fortinet | 1 Fortisandbox | 2026-01-14 | N/A | 6.7 MEDIUM |
| An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.0.5 through 3.0.7 allows attacker to execute unauthorized code or commands via CLI. | |||||
| CVE-2023-34992 | 1 Fortinet | 1 Fortisiem | 2026-01-14 | N/A | 10.0 CRITICAL |
| A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via crafted API requests. | |||||
| CVE-2024-50566 | 1 Fortinet | 2 Fortimanager, Fortimanager Cloud | 2026-01-14 | N/A | 7.2 HIGH |
| A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiManager Cloud 7.6.0 through 7.6.1, FortiManager Cloud 7.4.0 through 7.4.4, FortiManager Cloud 7.2.2 through 7.2.7, FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.0 through 7.4.5, FortiManager 7.2.1 through 7.2.8 may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests. | |||||