Vulnerabilities (CVE)

Filtered by CWE-88
Total 343 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-7573 2026-04-15 N/A 5.3 MEDIUM
The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the 'search' function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts.
CVE-2024-47516 2026-04-15 N/A 9.8 CRITICAL
A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance.
CVE-2026-0774 2026-04-15 N/A 8.8 HIGH
WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WatchYourLAN. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the arpstrs parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26708.
CVE-2025-49008 2026-04-15 N/A N/A
Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows argument injection, leading to arbitrary command execution. Atheos administrators and users of vulnerable versions are at risk of data breaches or server compromise. Version 6.0.4 introduces a `Common::safe_execute` function that sanitizes all arguments using `escapeshellarg()` prior to execution and migrates all components potentially vulnerable to similar exploits to use this new templated execution system.
CVE-2025-67858 2026-04-15 N/A N/A
An Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`. This issue affects Foomuuri: from ? before 0.31.
CVE-2025-49520 2026-04-15 N/A 8.8 HIGH
A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.
CVE-2024-22182 2026-04-15 N/A 8.6 HIGH
A remote, unauthenticated attacker may be able to send crafted messages to the web server of the Commend WS203VICM causing the system to restart, interrupting service.
CVE-2024-47611 2026-04-15 N/A N/A
XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that change the meaning of the command line, which can be exploited with malicious filenames to do argument injection or directory traversal attacks. This vulnerability is fixed in 5.6.3. Command line tools built for Cygwin or MSYS2 are unaffected. liblzma is unaffected.
CVE-2025-52459 2026-04-15 N/A 6.5 MEDIUM
A vulnerability exists in Advantech iView that allows for argument injection in NetworkServlet.backupDatabase(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.
CVE-2025-46835 2026-04-15 N/A 8.5 HIGH
Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
CVE-2025-68144 1 Lfprojects 1 Model Context Protocol Servers 2026-04-14 N/A 7.1 HIGH
In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., `--output=/path/to/file` for `git_diff`) would be interpreted as command-line options rather than git refs, enabling arbitrary file overwrites. The fix adds validation that rejects arguments starting with - and verifies the argument resolves to a valid git ref via rev_parse before execution. Users are advised to update to 2025.12.17 to resolve this issue when it is released.
CVE-2023-6634 1 Thimpress 1 Learnpress 2026-04-08 N/A 8.1 HIGH
The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.
CVE-2026-35538 1 Roundcube 1 Webmail 2026-04-07 N/A 3.1 LOW
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
CVE-2026-4438 1 Gnu 1 Glibc 2026-04-07 N/A 5.4 MEDIUM
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
CVE-2026-29954 1 Cloudark 1 Kubeplus 2026-04-06 N/A 7.6 HIGH
In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection.
CVE-2026-0634 2026-04-03 N/A 7.8 HIGH
Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.
CVE-2026-1715 1 Lenovo 1 Vantage 2026-03-25 N/A 7.1 HIGH
An input validation vulnerability was reported in the DeviceSettingsSystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to modify arbitrary registry keys with elevated privileges.
CVE-2026-1716 1 Lenovo 1 Vantage 2026-03-25 N/A 7.1 HIGH
An input validation vulnerability was reported in the DeviceSettingsSystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to delete arbitrary registry keys with elevated privileges.
CVE-2026-1717 1 Lenovo 1 Vantage 2026-03-25 N/A 5.5 MEDIUM
An input validation vulnerability was reported in the LenovoProductivitySystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to terminate arbitrary processes with elevated privileges.
CVE-2026-23924 2026-03-25 N/A N/A
Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary files from running Docker containers by injecting them via the Docker archive API.