Total
4695 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-24938 | 1 Nokia | 1 Wavesuite Noc | 2025-08-11 | N/A | 8.4 HIGH |
| The web application allows user input to pass unfiltered to a command executed on the underlying operating system. An attacker with high privileged access (administrator) to the application has the potential execute commands on the operating system under the context of the webserver. The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. Has the potential to inject command while creating a new User from User Management. | |||||
| CVE-2025-54314 | 2025-08-10 | N/A | 2.8 LOW | ||
| Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments." | |||||
| CVE-2023-42123 | 1 Control-webpanel | 1 Webpanel | 2025-08-09 | N/A | 8.8 HIGH |
| Control Web Panel mysql_manager Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific flaw exists within the mysql_manager module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21080. | |||||
| CVE-2023-42122 | 1 Control-webpanel | 1 Webpanel | 2025-08-09 | N/A | 7.8 HIGH |
| Control Web Panel wloggui Command Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Control Web Panel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the cwpsrv process, which listens on the loopback interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-21079. | |||||
| CVE-2023-42120 | 1 Control-webpanel | 1 Webpanel | 2025-08-09 | N/A | 8.8 HIGH |
| Control Web Panel dns_zone_editor Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific flaw exists within the dns_zone_editor module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20581. | |||||
| CVE-2012-10041 | 2025-08-08 | N/A | N/A | ||
| WAN Emulator v2.3 contains two unauthenticated command execution vulnerabilities. The result.php script calls shell_exec() with unsanitized input from the pc POST parameter, allowing remote attackers to execute arbitrary commands as the www-data user. The system also includes a SUID-root binary named dosu, which is vulnerable to command injection via its first argument. An attacker can exploit both flaws in sequence to achieve full remote code execution and escalate privileges to root. | |||||
| CVE-2012-10046 | 2025-08-08 | N/A | N/A | ||
| The E-Mail Security Virtual Appliance (ESVA) (tested on version ESVA_2057) contains an unauthenticated command injection vulnerability in the learn-msg.cgi script. The CGI handler fails to sanitize user-supplied input passed via the id parameter, allowing attackers to inject arbitrary shell commands. Exploitation requires no authentication and results in full command execution on the underlying system. | |||||
| CVE-2010-10013 | 2025-08-08 | N/A | N/A | ||
| An unauthenticated remote command execution vulnerability exists in AjaXplorer (now known as Pydio Cells) versions prior to 2.6. The flaw resides in the checkInstall.php script within the access.ssh plugin, which fails to properly sanitize user-supplied input to the destServer GET parameter. By injecting shell metacharacters, remote attackers can execute arbitrary system commands on the server with the privileges of the web server process. | |||||
| CVE-2025-54958 | 2025-08-08 | N/A | 6.3 MEDIUM | ||
| Powered BLUE 870 versions 0.20130927 and prior contain an OS command injection vulnerability. If this vulnerability is exploited, arbitrary OS commands may be executed on the affected product. | |||||
| CVE-2022-43654 | 1 Netgear | 4 Cax30, Cax30 Firmware, Cax30s and 1 more | 2025-08-08 | N/A | 8.8 HIGH |
| NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the token parameter provided to the sso.php endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-18227. | |||||
| CVE-2024-51450 | 1 Ibm | 1 Security Verify Directory | 2025-08-08 | N/A | 9.1 CRITICAL |
| IBM Security Verify Directory 10.0.0 through 10.0.3 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. | |||||
| CVE-2024-6247 | 1 Wyze | 2 Cam V3, Cam V3 Firmware | 2025-08-08 | N/A | 6.8 MEDIUM |
| Wyze Cam v3 Wi-Fi SSID OS Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SSIDs embedded in scanned QR codes. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22337. | |||||
| CVE-2025-8697 | 2025-08-07 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in agentUniverse up to 0.0.18 and classified as critical. This issue affects the function StdioServerParameters of the component MCPSessionManager/MCPTool/MCPToolkit. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-8629 | 1 Jvckenwood | 2 Dmx958xr, Dmx958xr Firmware | 2025-08-07 | N/A | 6.8 MEDIUM |
| Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26252. | |||||
| CVE-2025-8628 | 1 Jvckenwood | 2 Dmx958xr, Dmx958xr Firmware | 2025-08-07 | N/A | 6.8 MEDIUM |
| Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26064. | |||||
| CVE-2025-8630 | 1 Jvckenwood | 2 Dmx958xr, Dmx958xr Firmware | 2025-08-07 | N/A | 6.8 MEDIUM |
| Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26253. | |||||
| CVE-2025-8631 | 1 Jvckenwood | 2 Dmx958xr, Dmx958xr Firmware | 2025-08-07 | N/A | 6.8 MEDIUM |
| Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26254. | |||||
| CVE-2025-8632 | 1 Jvckenwood | 2 Dmx958xr, Dmx958xr Firmware | 2025-08-07 | N/A | 6.8 MEDIUM |
| Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26255. | |||||
| CVE-2025-8633 | 1 Jvckenwood | 2 Dmx958xr, Dmx958xr Firmware | 2025-08-07 | N/A | 6.8 MEDIUM |
| Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26256. | |||||
| CVE-2025-8637 | 1 Jvckenwood | 2 Dmx958xr, Dmx958xr Firmware | 2025-08-07 | N/A | 6.8 MEDIUM |
| Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26260. | |||||