Total
5718 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-47228 | 2026-04-15 | N/A | 6.7 MEDIUM | ||
| In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), shell injection in the SSH connection settings allows authenticated attackers to execute system commands via crafted HTTP requests. | |||||
| CVE-2025-67738 | 2026-04-15 | N/A | 8.5 HIGH | ||
| squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin's Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager permissions (the "cms" security option). | |||||
| CVE-2026-20759 | 2026-04-15 | N/A | 8.8 HIGH | ||
| OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low("monitoring user") or higher privilege to execute an arbitrary OS command. | |||||
| CVE-2025-7724 | 2026-04-15 | N/A | N/A | ||
| An unauthenticated OS command injection vulnerability exists in VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2.This issue affects VIGI NVR1104H-4P V1: before 1.1.5 Build 250518; VIGI NVR2016H-16MP V2: before 1.3.1 Build 250407. | |||||
| CVE-2024-45721 | 2026-04-15 | N/A | 7.2 HIGH | ||
| home 5G HR02, Wi-Fi STATION SH-52B, and Wi-Fi STATION SH-54C contain an OS command injection vulnerability in the HOST name configuration screen. An arbitrary OS command may be executed with the root privilege by an administrative user. | |||||
| CVE-2025-37126 | 2026-04-15 | N/A | 7.2 HIGH | ||
| A vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN Gateways Command Line Interface that allows remote authenticated users to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability will result in the ability to execute arbitrary commands as root on the underlying operating system. | |||||
| CVE-2025-47203 | 2026-04-15 | N/A | 4.5 MEDIUM | ||
| dbclient in Dropbear SSH before 2025.88 allows command injection via an untrusted hostname argument, because a shell is used. | |||||
| CVE-2024-41956 | 2026-04-15 | N/A | 8.1 HIGH | ||
| Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD. This vulnerability is fixed in 0.7.5. | |||||
| CVE-2025-54763 | 2026-04-15 | N/A | 7.2 HIGH | ||
| FutureNet MA and IP-K series provided by Century Systems Co., Ltd. contain an OS command Injection vulnerability. A user who logs in to the Web UI of the product may execute an arbitrary OS command. | |||||
| CVE-2025-6978 | 2026-04-15 | N/A | 7.2 HIGH | ||
| Diagnostics command injection vulnerability | |||||
| CVE-2025-6104 | 2026-04-15 | 9.0 HIGH | 8.8 HIGH | ||
| A vulnerability, which was classified as critical, was found in Wifi-soft UniBox Controller up to 20250506. This affects an unknown part of the file /billing/pms_check.php. The manipulation of the argument ipaddress leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-28125 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation. | |||||
| CVE-2025-3361 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| The web service of iSherlock from HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. | |||||
| CVE-2025-53623 | 2026-04-15 | N/A | N/A | ||
| The Job Iteration API is an an extension for ActiveJob that make jobs interruptible and resumable Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions `1.11.0` and above. Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid using the `count_of_rows_in_file` method with untrusted CSV filenames. | |||||
| CVE-2025-43879 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| WRH-733GBK and WRH-733GWH contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in the telnet function. If a remote unauthenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed. | |||||
| CVE-2025-34132 | 2026-04-15 | N/A | N/A | ||
| A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface. | |||||
| CVE-2025-27106 | 2026-04-15 | N/A | 8.8 HIGH | ||
| binance-trading-bot is an automated Binance trading bot with trailing buy/sell strategy. Authenticated users of binance-trading-bot can achieve Remote Code Execution on the host system due to a command injection vulnerability in the `/restore` endpoint. The restore endpoint of binance-trading-bot is vulnerable to command injection via the `/restore` endpoint. The name of the uploaded file is passed to shell.exec without sanitization other than path normalization, resulting in Remote Code Execution. This may allow any authorized user to execute code in the context of the host machine. This issue has been addressed in version 0.0.100 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-28750 | 2026-04-15 | N/A | 7.2 HIGH | ||
| A remote attacker with high privileges may use a deleting file function to inject OS commands. | |||||
| CVE-2025-12742 | 2026-04-15 | N/A | N/A | ||
| A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+ | |||||
| CVE-2025-50475 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| An OS command injection vulnerability exists in Russound MBX-PRE-D67F firmware version 3.1.6, allowing unauthenticated attackers to execute arbitrary commands as root via crafted input to the hostname parameter in network configuration requests. This vulnerability stems from improper neutralization of special elements used in an OS command within the network configuration handler, enabling remote code execution with the highest privileges. | |||||