Total: 5700 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41266 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 7.2 HIGH |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host. | |||||
| CVE-2025-41267 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 7.2 HIGH |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host. | |||||
| CVE-2025-41269 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 9.8 CRITICAL |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | |||||
| CVE-2025-41270 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 9.8 CRITICAL |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | |||||
| CVE-2025-41272 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 9.8 CRITICAL |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | |||||
| CVE-2025-41274 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 9.8 CRITICAL |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | |||||
| CVE-2025-41275 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 9.8 CRITICAL |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | |||||
| CVE-2025-41276 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 9.8 CRITICAL |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | |||||
| CVE-2025-41277 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 9.8 CRITICAL |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | |||||
| CVE-2025-41279 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 7.2 HIGH |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 RX Host. | |||||
| CVE-2025-41281 | 1 Waterfall-security | 2 Wf-500, Wf-500 Firmware | 2026-06-01 | N/A | 7.8 HIGH |
| Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured. | |||||
| CVE-2026-44724 | | | 2026-06-01 | N/A | 7.8 HIGH |
| systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6. | |||||
| CVE-2026-45578 | 1 Wwbn | 1 Avideo | 2026-06-01 | N/A | 8.8 HIGH |
| WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A ' in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands. | |||||
| CVE-2026-45152 | | | 2026-06-01 | N/A | 7.8 HIGH |
| uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system when common uniget operations such as describe, install, update, or inspect are performed. This vulnerability can lead to arbitrary code execution with the privileges of the user running uniget. This vulnerability is fixed in 0.27.1. | |||||
| CVE-2026-9645 | | | 2026-06-01 | N/A | 9.9 CRITICAL |
| Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root. | |||||
| CVE-2026-36045 | | | 2026-06-01 | N/A | 7.3 HIGH |
| picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete. | |||||
| CVE-2026-10214 | | | 2026-06-01 | 7.5 HIGH | 7.3 HIGH |
| A weakness has been identified in zhayujie chatgpt-on-wechat up to 2.0.8. This issue affects the function _get_safety_warning of the file agent/tools/bash/bash.py of the component Bash Tool. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.0.9 is capable of addressing this issue. This patch is called 16d9b449c9aa53ccee44144a762a2737d7ba4fc4. It is recommended to upgrade the affected component. | |||||
| CVE-2026-10219 | | | 2026-06-01 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in nextlevelbuilder GoClaw up to 3.11.3. This impacts the function FsBridge.WriteFile of the file internal/sandbox/fsbridge.go of the component write_file Tool. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The pull request to fix this issue awaits acceptance. | |||||
| CVE-2026-49366 | 1 Jetbrains | 1 Intellij Idea | 2026-06-01 | N/A | 7.8 HIGH |
| In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion. | |||||
| CVE-2024-12970 | | | 2026-06-01 | N/A | 3.9 LOW |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TUBITAK BILGEM Pardus OS My Computer allows OS Command Injection. This issue affects Pardus OS My Computer: before 0.7.2. | |||||
