Total
4249 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15415 | 1 Draytek | 6 Vigor2960, Vigor2960 Firmware, Vigor300b and 3 more | 2025-02-06 | 7.5 HIGH | 9.8 CRITICAL |
| On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472. | |||||
| CVE-2024-51450 | 2025-02-06 | N/A | 9.1 CRITICAL | ||
| IBM Security Verify Directory 10.0.0 through 10.0.3 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. | |||||
| CVE-2025-20029 | 2025-02-05 | N/A | 8.8 HIGH | ||
| Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2023-25759 | 1 Uniguest | 1 Tripleplay | 2025-02-05 | N/A | 5.4 MEDIUM |
| OS Command Injection in TripleData Reporting Engine in Tripleplay Platform releases prior to Caveman 3.4.0 allows authenticated users to run unprivileged OS level commands via a crafted request payload. | |||||
| CVE-2023-49897 | 1 Fxc | 4 Ae1021, Ae1021 Firmware, Ae1021pe and 1 more | 2025-02-04 | N/A | 8.8 HIGH |
| An OS command injection vulnerability exists in AE1021PE firmware version 2.0.9 and earlier and AE1021 firmware version 2.0.9 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product. | |||||
| CVE-2020-8515 | 1 Draytek | 6 Vigor2960, Vigor2960 Firmware, Vigor300b and 3 more | 2025-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1. | |||||
| CVE-2025-24971 | 2025-02-04 | N/A | N/A | ||
| DumpDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the DumbDrop application, `/upload/init` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the **Apprise Notification** enabled. This issue has been addressed in commit `4ff8469d` and all users are advised to patch. There are no known workarounds for this vulnerability. | |||||
| CVE-2021-27561 | 1 Yealink | 1 Device Management | 2025-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication. | |||||
| CVE-2024-48008 | 1 Dell | 1 Recoverpoint For Virtual Machines | 2025-02-04 | N/A | 5.3 MEDIUM |
| Dell RecoverPoint for Virtual Machines 6.0.x contains a OS Command Injection vulnerability. An Low privileged remote attacker could potentially exploit this vulnerability leading to information disclosure ,allowing of unintended actions like reading files that may contain sensitive information | |||||
| CVE-2024-22461 | 1 Dell | 1 Recoverpoint For Virtual Machines | 2025-02-04 | N/A | 8.8 HIGH |
| Dell RecoverPoint for Virtual Machines 6.0.x contains an OS Command injection vulnerability. A low privileged remote attacker could potentially exploit this vulnerability by running any command as root, leading to gaining of root-level access and compromise of complete system. | |||||
| CVE-2024-23690 | 2025-02-04 | N/A | 7.2 HIGH | ||
| The end-of-life Netgear FVS336Gv2 and FVS336Gv3 are affected by a command injection vulnerability in the Telnet interface. An authenticated and remote attacker can execute arbitrary OS commands as root over Telnet by sending crafted "util backup_configuration" commands. | |||||
| CVE-2024-48890 | 1 Fortinet | 1 Fortisoar Imap Connector | 2025-02-03 | N/A | 6.6 MEDIUM |
| An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR IMAP connector version 3.5.7 and below may allow an authenticated attacker to execute unauthorized code or commands via a specifically crafted playbook | |||||
| CVE-2024-50566 | 1 Fortinet | 2 Fortimanager, Fortimanager Cloud | 2025-02-03 | N/A | 7.2 HIGH |
| A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiManager versions 7.6.0 through 7.6.1, versions 7.4.5 through 7.4.0, and versions 7.2.1 through 7.2.8, FortiManager Cloud versions 7.6.0 through 7.6.1, versions 7.4.0 through 7.4.4, and versions 7.2.2 through 7.2.7 may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests. | |||||
| CVE-2024-0740 | 1 Eclipse | 1 Target Management | 2025-02-03 | N/A | 9.8 CRITICAL |
| Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 has a remote code execution vulnerability that does not require authentication. The fixed version is included in Eclipse IDE 2024-03 | |||||
| CVE-2024-56497 | 1 Fortinet | 2 Fortimail, Fortirecorder | 2025-02-03 | N/A | 6.7 MEDIUM |
| An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiMail versions 7.2.0 through 7.2.4 and 7.0.0 through 7.0.6 and 6.4.0 through 6.4.7, FortiRecorder versions 7.0.0 and 6.4.0 through 6.4.4 allows attacker to execute unauthorized code or commands via the CLI. | |||||
| CVE-2024-25626 | 1 Linuxfoundation | 1 Yocto | 2025-02-03 | N/A | 8.8 HIGH |
| Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Projects Bitbake before 2.6.2 (before and included Yocto Project 4.3.1), with the Toaster server (included in bitbake) running, missing input validation allows an attacker to perform a remote code execution in the server's shell via a crafted HTTP request. Authentication is not necessary. Toaster server execution has to be specifically run and is not the default for Bitbake command line builds, it is only used for the Toaster web based user interface to Bitbake. The fix has been backported to the bitbake included with Yocto Project 5.0, 3.1.31, 4.0.16, and 4.3.2. | |||||
| CVE-2023-25313 | 1 Wwbn | 1 Avideo | 2025-02-03 | N/A | 9.8 CRITICAL |
| OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the video link field to the Embed a video link feature. | |||||
| CVE-2023-33617 | 1 Eparks | 2 Fiberlink 210, Fiberlink 210 Firmware | 2025-01-31 | N/A | 7.2 HIGH |
| An OS Command Injection vulnerability in Parks Fiberlink 210 firmware version V2.1.14_X000 was found via the /boaform/admin/formPing target_addr parameter. | |||||
| CVE-2023-37937 | 1 Fortinet | 1 Fortiswitch | 2025-01-31 | N/A | 7.8 HIGH |
| An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 through 6.0.7 allows attacker to execute unauthorized code or commands via the FortiSwitch CLI. | |||||
| CVE-2024-27778 | 1 Fortinet | 1 Fortisandbox | 2025-01-31 | N/A | 8.8 HIGH |
| An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in Fortinet FortiSandbox version 4.4.0 through 4.4.4, 4.2.0 through 4.2.6 and below 4.0.4 allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. | |||||