Total
5719 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-25041 | 1 Budibase | 1 Budibase | 2026-03-13 | N/A | 7.2 HIGH |
| Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts. | |||||
| CVE-2026-26982 | 1 Ghostty | 1 Ghostty | 2026-03-13 | N/A | 6.3 MEDIUM |
| Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0. | |||||
| CVE-2025-70039 | 1 Linagora | 1 Twake | 2026-03-13 | N/A | 9.8 CRITICAL |
| An issue pertaining to CWE-78: Improper Neutralization of Special Elements used in an OS Command was discovered in linagora Twake v2023.Q1.1223. | |||||
| CVE-2026-20040 | 2026-03-12 | N/A | 8.8 HIGH | ||
| A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands on the underlying operating system. | |||||
| CVE-2024-14026 | 1 Qnap | 2 Qts, Quts Hero | 2026-03-12 | N/A | 7.8 HIGH |
| A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.3.3006 build 20250108 and later | |||||
| CVE-2025-66178 | 1 Fortinet | 1 Fortiweb | 2026-03-12 | N/A | 7.2 HIGH |
| A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.11, FortiWeb 7.2.0 through 7.2.12, FortiWeb 7.0.0 through 7.0.12 may allow an authenticated attacked to execute arbitrary commands via a specialy crafted HTTP request. | |||||
| CVE-2026-25063 | 1 Gradle | 1 Gradle-completion | 2026-03-12 | N/A | 7.8 HIGH |
| gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. The `gradle-completion` script for Bash fails to adequately sanitize Gradle task names and task descriptions, allowing command injection via a malicious Gradle build file when the user completes a command in Bash (without them explicitly running any task in the build). For example, given a task description that includes a string between backticks, then that string would be evaluated as a command when presenting the task description in the completion list. While task execution is the core feature of Gradle, this inherent execution may lead to unexpected outcomes. The vulnerability does not affect zsh completion. The first patched version is 9.3.1. As a workaround, it is possible and effective to temporarily disable bash completion for Gradle by removing `gradle-completion` from `.bashrc` or `.bash_profile`. | |||||
| CVE-2019-25441 | 1 Kostasmitroglou | 1 Thesystem | 2026-03-12 | N/A | 9.8 CRITICAL |
| thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication. | |||||
| CVE-2026-25070 | 1 Seekswan | 2 Zikestor Sks8310-8x, Zikestor Sks8310-8x Firmware | 2026-03-12 | N/A | 9.8 CRITICAL |
| XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to achieve remote code execution with root privileges on the network switch. | |||||
| CVE-2026-1427 | 1 Wellchoose | 1 Single Sign-on Portal System | 2026-03-11 | N/A | 8.8 HIGH |
| Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | |||||
| CVE-2026-1428 | 1 Wellchoose | 1 Single Sign-on Portal System | 2026-03-11 | N/A | 8.8 HIGH |
| Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | |||||
| CVE-2026-23816 | 2026-03-11 | N/A | 7.2 HIGH | ||
| A vulnerability in the command line interface of AOS-CX Switches could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | |||||
| CVE-2025-65791 | 1 Zoneminder | 1 Zoneminder | 2026-03-11 | N/A | 9.8 CRITICAL |
| ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php. | |||||
| CVE-2026-29058 | 1 Wwbn | 1 Avideo-encoder | 2026-03-10 | N/A | 9.8 CRITICAL |
| AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0. | |||||
| CVE-2023-47104 | 2 Linux, Vareille | 2 Linux Kernel, Tinyfiledialogs | 2026-03-10 | N/A | 9.8 CRITICAL |
| tinyfiledialogs (aka tiny file dialogs) before 3.15.0 allows shell metacharacters (such as a backquote or a dollar sign) in titles, messages, and other input data. NOTE: this issue exists because of an incomplete fix for CVE-2020-36767, which only considered single and double quote characters. | |||||
| CVE-2026-22277 | 1 Dell | 1 Unity Operating Environment | 2026-03-10 | N/A | 7.8 HIGH |
| Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | |||||
| CVE-2026-21418 | 1 Dell | 1 Unity Operating Environment | 2026-03-10 | N/A | 7.8 HIGH |
| Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | |||||
| CVE-2026-28391 | 1 Openclaw | 1 Openclaw | 2026-03-10 | N/A | 9.8 CRITICAL |
| OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non-default configuration), allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...% to execute unapproved commands beyond the allowlisted operations. | |||||
| CVE-2026-24517 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route. | |||||
| CVE-2026-24663 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 9.0 CRITICAL |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to the libraries installation route and injecting malicious input into the request body. | |||||