Total
4689 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-3659 | 1 Kaongroup | 2 Ar2140, Ar2140 Firmware | 2025-10-03 | N/A | 7.2 HIGH |
| Firmware in KAON AR2140 routers prior to version 4.2.16 is vulnerable to a shell command injection via sending a crafted request to one of the endpoints. In order to exploit this vulnerability, one has to have access to the administrative portal of the router. | |||||
| CVE-2024-13892 | 2025-10-03 | N/A | N/A | ||
| Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, are vulnerable to command injection. During the initialization process, a user has to use a mobile app to provide devices with Access Point credentials. This input is not properly sanitized, what allows for command injection. The vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might be vulnerable as well. | |||||
| CVE-2025-59741 | 1 Andsoft | 1 E-tms | 2025-10-02 | N/A | 9.8 CRITICAL |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/CLT/LOGINERRORFRM.ASP'. | |||||
| CVE-2025-59740 | 1 Andsoft | 1 E-tms | 2025-10-02 | N/A | 9.8 CRITICAL |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_CAT.ASP'. | |||||
| CVE-2025-59739 | 1 Andsoft | 1 E-tms | 2025-10-02 | N/A | 9.8 CRITICAL |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_original.ASP'. | |||||
| CVE-2025-10326 | 1 Sourcefabric | 1 Rpi-jukebox-rfid | 2025-10-02 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected is an unknown function of the file /htdocs/api/playlist/single.php. Performing manipulation of the argument playlist results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10327 | 1 Sourcefabric | 1 Rpi-jukebox-rfid | 2025-10-02 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this vulnerability is an unknown functionality of the file /htdocs/api/playlist/shuffle.php. Executing manipulation of the argument playlist can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-59738 | 1 Andsoft | 1 E-tms | 2025-10-02 | N/A | 9.8 CRITICAL |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_BET.ASP'. | |||||
| CVE-2025-10328 | 1 Sourcefabric | 1 Rpi-jukebox-rfid | 2025-10-02 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this issue is some unknown functionality of the file /htdocs/api/playlist/playsinglefile.php. The manipulation of the argument File leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-59737 | 1 Andsoft | 1 E-tms | 2025-10-02 | N/A | 9.8 CRITICAL |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_LXA.ASP'. | |||||
| CVE-2025-10358 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2025-10-02 | 7.5 HIGH | 7.3 HIGH |
| A security vulnerability has been detected in Wavlink WL-WN578W2 221110. This affects the function sub_404850 of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10359 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2025-10-02 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was detected in Wavlink WL-WN578W2 221110. This impacts the function sub_404DBC of the file /cgi-bin/wireless.cgi. The manipulation of the argument macAddr results in os command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-59736 | 1 Andsoft | 1 E-tms | 2025-10-02 | N/A | 9.8 CRITICAL |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_DJO.ASP'. | |||||
| CVE-2025-59735 | 1 Andsoft | 1 E-tms | 2025-10-02 | N/A | 9.8 CRITICAL |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM.ASP'. | |||||
| CVE-2025-11148 | 2025-10-02 | N/A | 9.8 CRITICAL | ||
| All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches. However, the library follows these conventions which can be abused: 1. It trusts branch names as they are (plain text) 2. It spawns git commands by concatenating user input Since a branch name is potentially a user input - as users can create branches remotely via pull requests, or simply due to privileged access to a repository - it can effectively be abused to run any command. | |||||
| CVE-2025-9762 | 2025-10-02 | N/A | 9.8 CRITICAL | ||
| The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-30247 | 2025-10-02 | N/A | N/A | ||
| An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST. | |||||
| CVE-2025-10659 | 2025-10-02 | N/A | 9.8 CRITICAL | ||
| The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the insecure termination of a regular expression check within the endpoint. Because the input is not correctly validated or sanitized, an unauthenticated attacker can inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server in the context of the web application service account. | |||||
| CVE-2025-27262 | 1 Ericsson | 2 Indoor Connect 8855, Indoor Connect 8855 Firmware | 2025-10-02 | N/A | 7.8 HIGH |
| Ericsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can result in an escalation of privileges. | |||||
| CVE-2025-43020 | 1 Hp | 1 Poly Clariti Manager | 2025-10-02 | N/A | 6.8 MEDIUM |
| A potential command injection vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The vulnerability could allow a privileged user to submit arbitrary input. HP has addressed the issue in the latest software update. | |||||