Total
4462 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-48108 | 1 Dlink | 2 Dir 878, Dir 878 Firmware | 2025-03-28 | N/A | 9.8 CRITICAL |
| D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /SetNetworkSettings/SubnetMask. This vulnerability allows attackers to escalate privileges to root via a crafted payload. | |||||
| CVE-2022-48107 | 1 Dlink | 2 Dir 878, Dir 878 Firmware | 2025-03-28 | N/A | 9.8 CRITICAL |
| D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /setnetworksettings/IPAddress. This vulnerability allows attackers to escalate privileges to root via a crafted payload. | |||||
| CVE-2022-48072 | 1 Phicomm | 2 K2, K2 Firmware | 2025-03-28 | N/A | 7.8 HIGH |
| Phicomm K2G v22.6.3.20 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function. | |||||
| CVE-2022-48070 | 1 Phicomm | 2 K2, K2 Firmware | 2025-03-28 | N/A | 7.8 HIGH |
| Phicomm K2 v22.6.534.263 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function. | |||||
| CVE-2022-48069 | 1 Totolink | 2 A830r, A830r Firmware | 2025-03-28 | N/A | 7.5 HIGH |
| Totolink A830R V4.1.2cu.5182 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter. | |||||
| CVE-2024-4577 | 3 Fedoraproject, Microsoft, Php | 3 Fedora, Windows, Php | 2025-03-28 | N/A | 9.8 CRITICAL |
| In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. | |||||
| CVE-2022-21129 | 1 Paypal | 1 Nemo-appium | 2025-03-27 | N/A | 7.4 HIGH |
| Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. **Note:** In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium dependencies. | |||||
| CVE-2025-2733 | 2025-03-27 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability classified as critical has been found in mannaandpoem OpenManus up to 2025.3.13. This affects an unknown part of the file app/tool/python_execute.py of the component Prompt Handler. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-23076 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2025-03-27 | N/A | 9.8 CRITICAL |
| OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules. | |||||
| CVE-2022-48624 | 1 Greenwoodsoftware | 1 Less | 2025-03-27 | N/A | 7.8 HIGH |
| close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. | |||||
| CVE-2022-46552 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2025-03-27 | N/A | 8.8 HIGH |
| D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request. | |||||
| CVE-2022-25916 | 1 Mt7688-wiscan Project | 1 Mt7688-wiscan | 2025-03-27 | N/A | 7.4 HIGH |
| Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' function. | |||||
| CVE-2022-28810 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2025-03-27 | 7.1 HIGH | 6.8 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. | |||||
| CVE-2022-25906 | 1 Is-http2 Project | 1 Is-http2 | 2025-03-26 | N/A | 7.4 HIGH |
| All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function. | |||||
| CVE-2018-10562 | 1 Dasannetworks | 2 Gpon Router, Gpon Router Firmware | 2025-03-26 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output. | |||||
| CVE-2022-25855 | 1 Create-choo-app3 Project | 1 Create-choo-app3 | 2025-03-25 | N/A | 7.4 HIGH |
| All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization. | |||||
| CVE-2024-42978 | 1 Tenda | 2 Fh1206, Fh1206 Firmware | 2025-03-25 | N/A | 9.8 CRITICAL |
| An issue in the handler function in /goform/telnet of Tenda FH1206 v02.03.01.35 allows attackers to execute arbitrary commands via a crafted HTTP request. | |||||
| CVE-2024-33896 | 1 Hms-networks | 7 Ewon Cosy\+ 4g Apac, Ewon Cosy\+ 4g Eu, Ewon Cosy\+ 4g Jp and 4 more | 2025-03-25 | N/A | 7.2 HIGH |
| Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting. This is fixed in version 21.2s10 and 22.1s3. | |||||
| CVE-2025-1316 | 1 Edimax | 2 Ic-7100, Ic-7100 Firmware | 2025-03-25 | N/A | 9.8 CRITICAL |
| Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device | |||||
| CVE-2022-45768 | 1 Edimax | 2 Br-6428ns, Br-6428ns Firmware | 2025-03-25 | N/A | 8.8 HIGH |
| Command Injection vulnerability in Edimax Technology Co., Ltd. Wireless Router N300 Firmware BR428nS v3 allows attacker to execute arbitrary code via the formWlanMP function. | |||||