Total: 5719 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-30303 | 1 Matterai | 1 Axon Code | 2026-04-02 | N/A | 9.8 CRITICAL |
| The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^" & malicious_command ^". The Axon Code parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interpreter ignores the escaped quotes, parsing and executing the subsequent malicious command directly. This allows attackers to achieve arbitrary Remote Code Execution (RCE) after bypassing what appears to be a legitimate Git whitelist check. | |||||
| CVE-2026-32917 | 1 Openclaw | 1 Openclaw | 2026-04-02 | N/A | 9.8 CRITICAL |
| OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, enabling command execution when remote attachment staging is enabled. | |||||
| CVE-2026-3841 | 1 Tp-link | 2 Tl-mr6400, Tl-mr6400 Firmware | 2026-04-02 | N/A | 8.8 HIGH |
| A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able to execute arbitrary system commands. Successful exploitation may lead to full device compromise, including potential loss of confidentiality, integrity, and availability. | |||||
| CVE-2026-21861 | 1 Basercms | 1 Basercms | 2026-04-01 | N/A | 9.1 CRITICAL |
| baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3. | |||||
| CVE-2026-30877 | 1 Basercms | 1 Basercms | 2026-04-01 | N/A | 9.1 CRITICAL |
| baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. This issue has been patched in version 5.2.3. | |||||
| CVE-2026-30880 | 1 Basercms | 1 Basercms | 2026-04-01 | N/A | 9.8 CRITICAL |
| baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3. | |||||
| CVE-2026-30312 | | | 2026-04-01 | N/A | 9.8 CRITICAL |
| DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, &&, ||, |, and command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g., git log malicious_command), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, resulting in Remote Code Execution without any user interaction. | |||||
| CVE-2026-33030 | 1 Nginxui | 1 Nginx Ui | 2026-04-01 | N/A | 8.8 HIGH |
| Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches. | |||||
| CVE-2025-14213 | | | 2026-04-01 | N/A | N/A |
| Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface (UI) to execute arbitrary operating system commands as the root user on the Socket’s internal system. | |||||
| CVE-2025-15518 | 1 Tp-link | 8 Archer Nx200, Archer Nx200 Firmware, Archer Nx210 and 5 more | 2026-03-31 | N/A | 7.2 HIGH |
| Improper input handling in a wireless-control administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device. | |||||
| CVE-2025-15519 | 1 Tp-link | 8 Archer Nx200, Archer Nx200 Firmware, Archer Nx210 and 5 more | 2026-03-31 | N/A | 7.2 HIGH |
| Improper input handling in a modem-management administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device. | |||||
| CVE-2026-27650 | 1 Buffalo | 92 Fs-m1266, Fs-m1266 Firmware, Fs-s1266 and 89 more | 2026-03-31 | N/A | 9.8 CRITICAL |
| OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary OS command may be executed on the products. | |||||
| CVE-2026-33623 | 1 Pinchtab | 1 Pinchtab | 2026-03-31 | N/A | 6.7 MEDIUM |
| PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user. This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries. Version 0.8.5 contains a patch for the issue. | |||||
| CVE-2025-47901 | 1 Microchip | 2 Timeprovider 4100, Timeprovider 4100 Firmware | 2026-03-31 | N/A | 8.8 HIGH |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Microchip Time Provider 4100 allows OS Command Injection. This issue affects Time Provider 4100: before 2.5. | |||||
| CVE-2025-47900 | 1 Microchip | 2 Timeprovider 4100, Timeprovider 4100 Firmware | 2026-03-31 | N/A | 8.8 HIGH |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Microchip Time Provider 4100 allows OS Command Injection. This issue affects Time Provider 4100: before 2.5. | |||||
| CVE-2026-4946 | | | 2026-03-30 | N/A | 8.8 HIGH |
| Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst’s machine. | |||||
| CVE-2026-26831 | 1 Dbashford | 1 Textract | 2026-03-30 | N/A | 9.8 CRITICAL |
| textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization. | |||||
| CVE-2026-26833 | 1 Mmahrous | 1 Thumbler | 2026-03-30 | N/A | 9.8 CRITICAL |
| thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping. | |||||
| CVE-2023-7338 | | | 2026-03-30 | N/A | 7.5 HIGH |
| Ruckus Unleashed contains a remote code execution vulnerability in the web-based management interface that allows authenticated remote attackers to execute arbitrary code on the system when gateway mode is enabled. Attackers can exploit this vulnerability by sending specially crafted requests through the management interface to achieve arbitrary code execution on affected systems. | |||||
| CVE-2026-0980 | 2 Logicminds, Redhat | 2 Rubyipmi, Satellite | 2026-03-27 | N/A | 8.3 HIGH |
| A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit this vulnerability by crafting a malicious username for the BMC interface. This could lead to remote code execution (RCE) on the system. | |||||
