Total: 5214 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-23816 | | | 2026-03-11 | N/A | 7.2 HIGH |
| A vulnerability in the command line interface of AOS-CX Switches could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |||||
| CVE-2025-15568 | | | 2026-03-11 | N/A | N/A |
| A command injection vulnerability was identified in the web module of Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to perform remote code execution (RCE) when the router is configured with sysmode=ap. Successful exploitation results in root-level privileges and impacts confidentiality, integrity and availability of the device. This issue affects Archer AXE75 v1.6/v1.0: through 1.3.2 Build 20250107. | |||||
| CVE-2025-65791 | 1 Zoneminder | 1 Zoneminder | 2026-03-11 | N/A | 9.8 CRITICAL |
| ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php. | |||||
| CVE-2026-29058 | 1 Wwbn | 1 Avideo-encoder | 2026-03-10 | N/A | 9.8 CRITICAL |
| AVideo is a video-sharing platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0. | |||||
| CVE-2023-47104 | 2 Linux, Vareille | 2 Linux Kernel, Tinyfiledialogs | 2026-03-10 | N/A | 9.8 CRITICAL |
| tinyfiledialogs (aka tiny file dialogs) before 3.15.0 allows shell metacharacters (such as a backquote or a dollar sign) in titles, messages, and other input data. NOTE: this issue exists because of an incomplete fix for CVE-2020-36767, which only considered single and double quote characters. | |||||
| CVE-2026-3696 | 1 Totolink | 2 N300rh, N300rh Firmware | 2026-03-10 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in Totolink N300RH 6..1c.1353_B20190305. The affected element is the function setWiFiWpsConfig of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. | |||||
| CVE-2026-22277 | 1 Dell | 1 Unity Operating Environment | 2026-03-10 | N/A | 7.8 HIGH |
| Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | |||||
| CVE-2026-21418 | 1 Dell | 1 Unity Operating Environment | 2026-03-10 | N/A | 7.8 HIGH |
| Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | |||||
| CVE-2026-28391 | 1 Openclaw | 1 Openclaw | 2026-03-10 | N/A | 9.8 CRITICAL |
| OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non-default configuration), allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...% to execute unapproved commands beyond the allowlisted operations. | |||||
| CVE-2026-28517 | 1 Opendcim | 1 Opendcim | 2026-03-10 | N/A | 9.8 CRITICAL |
| openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process. | |||||
| CVE-2026-24517 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route. | |||||
| CVE-2026-24663 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 9.0 CRITICAL |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to the libraries installation route and injecting malicious input into the request body. | |||||
| CVE-2026-24689 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update apply action. | |||||
| CVE-2026-24695 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into OpenSSL argument fields within requests sent to the utility route. | |||||
| CVE-2026-25109 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route. | |||||
| CVE-2026-25111 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the restore route. | |||||
| CVE-2026-25195 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted firmware update file via the firmware update route. | |||||
| CVE-2026-28774 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-09 | N/A | 8.8 HIGH |
| An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `\|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges. | |||||
| CVE-2026-28773 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-09 | N/A | 8.8 HIGH |
| The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe `\|` operator) to append and execute arbitrary shell commands with root privileges. | |||||
| CVE-2024-55021 | 1 Weintek | 3 Cmt-3072xh2, Cmt-3072xh2 Firmware, Easyweb | 2026-03-09 | N/A | 7.5 HIGH |
| Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to contain a hardcoded password in the FTP protocol. | |||||
