Total
5212 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-32968 | | | 2026-03-23 | N/A | 9.8 CRITICAL |
| Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the com_mb24sysapi module, resulting in full system compromise. This vulnerability is a variant attack for CVE-2020-10383. | |||||
| CVE-2026-4558 | | | 2026-03-23 | 9.0 HIGH | 8.8 HIGH |
| A flaw has been found in Linksys MR9600 2.0.6.206937. Affected is the function smartConnectConfigure of the file SmartConnect.lua. Manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to OS command injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-21532 | | | 2026-03-21 | N/A | 7.3 HIGH |
| All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API. | |||||
| CVE-2026-32238 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 9.1 CRITICAL |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a command injection vulnerability in the backup functionality, caused by insufficient input validation, that can be exploited by authenticated attackers. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2025-34037 | | | 2026-03-20 | N/A | N/A |
| An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC. | |||||
| CVE-2026-22209 | 1 Gvectors | 1 Wpdiscuz | 2026-03-20 | N/A | 8.8 HIGH |
| thingino-firmware up to commit e3f6a41 (published on 2026-03-15) contains an unauthenticated OS command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval call in the parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes, including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise. | |||||
| CVE-2026-31854 | 1 Anysphere | 1 Cursor | 2026-03-20 | N/A | 8.8 HIGH |
| Cursor is a code editor built for programming with AI. Prior to 2.0, if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to “assist” the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, without the user’s explicit intent, thereby posing a significant security risk. This vulnerability is fixed in 2.0. | |||||
| CVE-2026-31975 | 1 Cloudcli | 1 Cloud Cli | 2026-03-20 | N/A | 9.8 CRITICAL |
| Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.25.0, the WebSocket shell is vulnerable to OS command injection: both projectPath and initialCommand in server/index.js are taken directly from the WebSocket message payload and interpolated into a bash command string without any sanitization, enabling arbitrary OS command execution. A secondary injection vector exists via the unsanitized sessionId. This vulnerability is fixed in 1.25.0. | |||||
| CVE-2026-32191 | | | 2026-03-20 | N/A | 9.8 CRITICAL |
| Improper neutralization of special elements used in an OS command ('OS command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2026-4465 | | | 2026-03-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in D-Link DIR-513 1.10. The impacted element is an unknown function of the file /goform/formSysCmd. Manipulation of the argument sysCmd can lead to OS command injection. The attack may be launched remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2026-4253 | 1 Tenda | 2 Ac8, Ac8 Firmware | 2026-03-20 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security flaw has been discovered in Tenda AC8 16.03.50.11. This affects the function route_set_user_policy_rule of the file /cgi-bin/UploadCfg of the component Web Interface. Manipulation of the argument wans.policy.list1 results in OS command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2026-22225 | 1 Tp-link | 2 Archer Be230, Archer Be230 Firmware | 2026-03-19 | N/A | 7.2 HIGH |
| A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2 and Archer AXE75 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE75 v1.0 < 1.5.3 Build 20260209 rel.71108. | |||||
| CVE-2026-0630 | 1 Tp-link | 2 Archer Be230, Archer Be230 Firmware | 2026-03-19 | N/A | 8.0 HIGH |
| An OS command injection vulnerability in TP-Link Archer BE230 v1.2 (web modules) and Archer AXE75 v1.0 allows an adjacent, authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE75 v1.0 < 1.5.3 Build 20260209 rel.71108. | |||||
| CVE-2025-67041 | 1 Lantronix | 4 Eds3008ps1ns, Eds3008ps1ns Firmware, Eds3016ps1ns and 1 more | 2026-03-19 | N/A | 9.8 CRITICAL |
| An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges. | |||||
| CVE-2025-70082 | 1 Lantronix | 4 Eds3008ps1ns, Eds3008ps1ns Firmware, Eds3016ps1ns and 1 more | 2026-03-19 | N/A | 9.8 CRITICAL |
| An issue in Lantronix EDS3000PS 3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component. | |||||
| CVE-2026-22176 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 6.1 MEDIUM |
| OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled Task script generation where environment variables are written to gateway.cmd using unquoted set KEY=VALUE assignments, allowing shell metacharacters to break out of assignment context. Attackers can inject arbitrary commands through environment variable values containing metacharacters like &, |, ^, %, or ! to achieve command execution when the scheduled task script is generated and executed. | |||||
| CVE-2026-27566 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 7.1 HIGH |
| OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist entries while executing non-allowlisted commands. | |||||
| CVE-2026-31999 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 6.3 MEDIUM |
| OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution. | |||||
| CVE-2026-31994 | 2 Microsoft, Openclaw | 2 Windows, Openclaw | 2026-03-19 | N/A | 7.1 HIGH |
| OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation arguments can inject arbitrary commands by providing metacharacter-only values or CR/LF sequences that execute unintended code in the scheduled task context. | |||||
| CVE-2026-31995 | 2 Microsoft, Openclaw | 2 Windows, Openclaw | 2026-03-19 | N/A | 5.3 MEDIUM |
| OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true, attackers can exploit cmd.exe command interpretation to execute malicious commands by controlling workflow arguments. | |||||
