Total
5719 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52379 | 2026-04-15 | N/A | 5.4 MEDIUM | ||
| Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below contains an authenticated command injection vulnerability in the firmware update feature. The /web/um_fileName_set.cgi and /web/um_web_upgrade.cgi endpoints fail to properly sanitize the upgradeFileName parameter, allowing authenticated attackers to execute arbitrary OS commands on the device, resulting in remote code execution. | |||||
| CVE-2024-3799 | 2026-04-15 | N/A | N/A | ||
| Insecure handling of POST header parameter body included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause a shell command execution. This issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable. Phoniebox in version 3.0 and higher are not affected. | |||||
| CVE-2025-23237 | 2026-04-15 | N/A | 6.6 MEDIUM | ||
| Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed. | |||||
| CVE-2024-6333 | 2026-04-15 | N/A | 7.2 HIGH | ||
| Authenticated Remote Code Execution in Altalink, Versalink & WorkCentre Products. | |||||
| CVE-2025-43875 | 2026-04-15 | N/A | N/A | ||
| Under certain circumstances a successful exploitation could result in access to the device. | |||||
| CVE-2012-10029 | 2026-04-15 | N/A | N/A | ||
| Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. An authenticated user can inject system commands via unsanitized parameters such as `host`, resulting in remote code execution. | |||||
| CVE-2025-34147 | 2026-04-15 | N/A | N/A | ||
| An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise. | |||||
| CVE-2025-58116 | 2026-04-15 | N/A | 7.2 HIGH | ||
| Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker. | |||||
| CVE-2025-34095 | 2026-04-15 | N/A | N/A | ||
| An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments. | |||||
| CVE-2025-53695 | 2026-04-15 | N/A | N/A | ||
| OS Command Injection in iSTAR Ultra products web application allows an authenticated attacker to gain even more privileged access ('root' user) to the device firmware. | |||||
| CVE-2024-52010 | 2026-04-15 | N/A | N/A | ||
| Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In HandleCreateProxySession the request to create an SSH session is handled. An attacker can exploit the username variable to escape from the bash command and inject arbitrary commands into sshCommand. This is possible, because, unlike hostname and port, the username is not validated or sanitized. | |||||
| CVE-2025-9976 | 2026-04-15 | N/A | 9.0 CRITICAL | ||
| An OS Command Injection vulnerability affecting Station Launcher App in 3DEXPERIENCE platform from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x could allow an attacker to execute arbitrary code on the user's machine. | |||||
| CVE-2025-11900 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. | |||||
| CVE-2024-40893 | 2026-04-15 | N/A | 6.8 MEDIUM | ||
| Multiple authenticated operating system (OS) command injection vulnerabilities exist in Firewalla Box Software versions before 1.979. A physically close attacker that is authenticated to the Bluetooth Low-Energy (BTLE) interface can use the network configuration service to inject commands in various configuration parameters including networkConfig.Interface.Phy.Eth0.Extra.PingTestIP, networkConfig.Interface.Phy.Eth0.Extra.DNSTestDomain, and networkConfig.Interface.Phy.Eth0.Gateway6. Additionally, because the configuration can be synced to the Firewalla cloud, the attacker may be able to persist access even after hardware resets and firmware re-flashes. | |||||
| CVE-2025-34056 | 2026-04-15 | N/A | N/A | ||
| An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges. | |||||
| CVE-2025-46334 | 2026-04-15 | N/A | 8.6 HIGH | ||
| Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. | |||||
| CVE-2024-42502 | 2026-04-15 | N/A | 7.2 HIGH | ||
| Authenticated command injection vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability result in the ability to inject shell commands on the underlying operating system. | |||||
| CVE-2024-8934 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| A local user with administrative access rights can enter specialy crafted values for settings at the user interface (UI) of the TwinCAT Package Manager which then causes arbitrary OS commands to be executed. | |||||
| CVE-2024-9139 | 2026-04-15 | N/A | 7.2 HIGH | ||
| The affected product permits OS command injection through improperly restricted commands, potentially allowing attackers to execute arbitrary code. | |||||
| CVE-2024-33434 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| An issue in tiagorlampert CHAOS v5.0.1 before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the `filename` argument into the `buildStr` string without any sanitization or filtering. | |||||