Total: 5014 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7243 | 1 Comtech | 2 Stampede Fx-1010, Stampede Fx-1010 Firmware | 2026-01-02 | 9.0 HIGH | 7.2 HIGH |
| Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated administrators to achieve remote code execution by navigating to the Fetch URL page and entering shell metacharacters in the URL field. (In some cases, authentication can be achieved with the comtech password for the comtech account.) | |||||
| CVE-2025-34049 | | | 2025-12-31 | N/A | N/A |
| An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC. | |||||
| CVE-2021-47745 | | | 2025-12-31 | N/A | 8.8 HIGH |
| Cypress Solutions CTM-200 2.7.1 contains an authenticated command injection vulnerability in the firmware upgrade script that allows remote attackers to execute shell commands. Attackers can exploit the 'fw_url' parameter in the ctm-config-upgrade.sh script to inject and execute arbitrary commands with root privileges. | |||||
| CVE-2025-15388 | | | 2025-12-31 | N/A | 8.8 HIGH |
| VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | |||||
| CVE-2025-15389 | | | 2025-12-31 | N/A | 8.8 HIGH |
| VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | |||||
| CVE-2021-47747 | | | 2025-12-31 | N/A | 8.8 HIGH |
| meterN 1.2.3 contains an authenticated remote code execution vulnerability in admin_meter2.php and admin_indicator2.php scripts. Attackers can exploit the 'COMMANDx' and 'LIVECOMMANDx' POST parameters to execute arbitrary system commands with administrative privileges. | |||||
| CVE-2023-53945 | 1 Brainycp | 1 Brainycp | 2025-12-31 | N/A | 8.8 HIGH |
| BrainyCP 1.0 contains an authenticated remote code execution vulnerability that allows logged-in users to inject arbitrary commands through the crontab configuration interface. Attackers can exploit the crontab endpoint by adding a malicious command that spawns a reverse shell to a specified IP and port. | |||||
| CVE-2016-15048 | 1 Amttgroup | 1 Hibos | 2025-12-31 | N/A | 9.8 CRITICAL |
| AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the user-supplied ip parameter and executes it without proper validation or escaping. An attacker can insert shell metacharacters into the ip parameter to inject and execute arbitrary system commands as the web server user. The initial third-party disclosure in 2016 recommended contacting the vendor for remediation guidance. Additionally, this product may have been rebranded under a different name. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-14 at 04:45:53.510819 UTC. | |||||
| CVE-2025-63408 | 1 Ispyconnect | 1 Agent Dvr | 2025-12-31 | N/A | 7.8 HIGH |
| Local Agent DVR versions through 6.6.1.0 are vulnerable to directory traversal that allows an unauthenticated local attacker to gain access to sensitive information, cause a server-side request forgery (SSRF), or execute OS commands. | |||||
| CVE-2025-56130 | 1 Ruijie | 4 Rg-nbs5100-24gt4sfp, Rg-nbs5100-24gt4sfp Firmware, Rg-s1930 and 1 more | 2025-12-31 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230 allowing attackers to execute arbitrary commands via a crafted POST request to the module_update in file /usr/local/lua/dev_config/ace_sw.lua. | |||||
| CVE-2025-63414 | 1 Allskyteam | 1 Allsky | 2025-12-31 | N/A | 10.0 CRITICAL |
| A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE). | |||||
| CVE-2019-25243 | 1 Iwt | 2 Facesentry Access Control System, Facesentry Access Control System Firmware | 2025-12-30 | N/A | 8.8 HIGH |
| FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters. | |||||
| CVE-2025-13700 | | | 2025-12-29 | N/A | 7.2 HIGH |
| DreamFactory saveZipFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of DreamFactory. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the saveZipFile method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26589. | |||||
| CVE-2025-14500 | | | 2025-12-29 | N/A | 9.8 CRITICAL |
| IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the X-File-Operation header. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27394. | |||||
| CVE-2019-25255 | | | 2025-12-29 | N/A | 4.3 MEDIUM |
| VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access. | |||||
| CVE-2025-43875 | | | 2025-12-29 | N/A | N/A |
| Under certain circumstances a successful exploitation could result in access to the device. | |||||
| CVE-2025-43876 | | | 2025-12-29 | N/A | N/A |
| Under certain circumstances a successful exploitation could result in access to the device. | |||||
| CVE-2025-66203 | | | 2025-12-29 | N/A | 9.9 CRITICAL |
| StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126. | |||||
| CVE-2025-68922 | | | 2025-12-29 | N/A | 7.4 HIGH |
| OpenOps before 0.6.11 allows remote code execution in the Terraform block. | |||||
| CVE-2025-30004 | 1 Xorcom | 1 Completepbx | 2025-12-27 | N/A | 8.8 HIGH |
| Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35. | |||||
