Total
5719 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0787 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-18 | N/A | 9.8 CRITICAL |
| ALGO 8180 IP Audio Alerter SAC Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SAC module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28296. | |||||
| CVE-2026-0795 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-18 | N/A | 8.8 HIGH |
| ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28321. | |||||
| CVE-2025-64111 | 1 Gogs | 1 Gogs | 2026-02-18 | N/A | 9.8 CRITICAL |
| Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | |||||
| CVE-2020-37125 | 1 Edimax | 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware | 2026-02-18 | N/A | 9.8 CRITICAL |
| Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download and execute malicious scripts on the device. | |||||
| CVE-2026-22265 | 1 Roxy-wi | 1 Roxy-wi | 2026-02-18 | N/A | 7.5 HIGH |
| Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2. | |||||
| CVE-2026-0786 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-18 | N/A | 8.8 HIGH |
| ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the SCI module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28295. | |||||
| CVE-2026-24844 | 1 Chainguard | 1 Melange | 2026-02-18 | N/A | 7.9 HIGH |
| melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3. | |||||
| CVE-2026-25143 | 1 Chainguard | 1 Melange | 2026-02-18 | N/A | 7.8 HIGH |
| melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(…), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process. This issue has been patched in version 0.40.3. | |||||
| CVE-2020-37032 | 1 Wftpserver | 1 Wing Ftp Server | 2026-02-18 | N/A | 8.8 HIGH |
| Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function. | |||||
| CVE-2026-1731 | 1 Beyondtrust | 2 Privileged Remote Access, Remote Support | 2026-02-17 | N/A | 9.8 CRITICAL |
| BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. | |||||
| CVE-2025-13444 | 1 Progress | 5 Connection Manager For Objectscale, Ecs Connection Manager, Loadmaster and 2 more | 2026-02-13 | N/A | 8.4 HIGH |
| OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters | |||||
| CVE-2026-0781 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-13 | N/A | 8.8 HIGH |
| ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28290. | |||||
| CVE-2026-0780 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-13 | N/A | 8.8 HIGH |
| ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28289. | |||||
| CVE-2026-0782 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-13 | N/A | 8.8 HIGH |
| ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28291. | |||||
| CVE-2026-0652 | 1 Tp-link | 2 Tapo C260, Tapo C260 Firmware | 2026-02-13 | N/A | 8.8 HIGH |
| On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise. | |||||
| CVE-2026-0783 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-13 | N/A | 8.8 HIGH |
| ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28292. | |||||
| CVE-2026-0784 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-13 | N/A | 8.8 HIGH |
| ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28293. | |||||
| CVE-2026-0796 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-13 | N/A | 8.8 HIGH |
| ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28322. | |||||
| CVE-2026-25763 | 1 Openproject | 1 Openproject | 2026-02-13 | N/A | 9.9 CRITICAL |
| OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest changes” view via git log. By supplying a specially crafted rev value (for example, rev=--output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3. | |||||
| CVE-2025-51958 | 1 Aelsantex | 1 Runcommand | 2026-02-13 | N/A | 9.8 CRITICAL |
| aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php. | |||||