Total
309 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-49520 | 2025-07-03 | N/A | 8.8 HIGH | ||
| A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access. | |||||
| CVE-2024-38655 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-06-27 | N/A | 7.2 HIGH |
| Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||||
| CVE-2024-38656 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-06-27 | N/A | 9.1 CRITICAL |
| Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||||
| CVE-2022-28391 | 1 Busybox | 1 Busybox | 2025-06-09 | 6.8 MEDIUM | 8.8 HIGH |
| BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | |||||
| CVE-2025-49008 | 2025-06-05 | N/A | N/A | ||
| Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows argument injection, leading to arbitrary command execution. Atheos administrators and users of vulnerable versions are at risk of data breaches or server compromise. Version 6.0.4 introduces a `Common::safe_execute` function that sanitizes all arguments using `escapeshellarg()` prior to execution and migrated all components potentially vulnerable to similar exploits to use this new templated execution system. | |||||
| CVE-2025-3945 | 2 Blackberry, Tridium | 3 Qnx, Niagara, Niagara Enterprise Security | 2025-06-05 | N/A | 7.2 HIGH |
| Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows Command Delimiters. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. | |||||
| CVE-2024-23731 | 1 Embedchain | 1 Embedchain | 2025-06-04 | N/A | 9.8 CRITICAL |
| The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument. | |||||
| CVE-2022-37027 | 1 Ahsay | 1 Cloud Backup Suite | 2025-05-28 | N/A | 7.2 HIGH |
| Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user. | |||||
| CVE-2022-42968 | 1 Gitea | 1 Gitea | 2025-05-14 | N/A | 9.8 CRITICAL |
| Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled. | |||||
| CVE-2021-26937 | 3 Debian, Fedoraproject, Gnu | 3 Debian Linux, Fedora, Screen | 2025-05-09 | 7.5 HIGH | 9.8 CRITICAL |
| encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence. | |||||
| CVE-2021-46850 | 1 Vestacp | 2 Control Panel, Vesta Control Panel | 2025-05-07 | N/A | 7.2 HIGH |
| myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint. | |||||
| CVE-2022-23221 | 3 Debian, H2database, Oracle | 3 Debian Linux, H2, Communications Cloud Native Core Console | 2025-05-05 | 10.0 HIGH | 9.8 CRITICAL |
| H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. | |||||
| CVE-2022-45062 | 3 Debian, Fedoraproject, Xfce | 3 Debian Linux, Fedora, Xfce4-settings | 2025-05-01 | N/A | 9.8 CRITICAL |
| In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper. | |||||
| CVE-2022-23740 | 1 Github | 1 Enterprise Server | 2025-04-28 | N/A | 8.8 HIGH |
| CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2016-1000222 | 1 Elastic | 1 Logstash | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data. | |||||
| CVE-2017-14591 | 1 Atlassian | 2 Crucible, Fisheye | 2025-04-20 | 9.3 HIGH | 9.0 CRITICAL |
| Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software. | |||||
| CVE-2025-21613 | 1 Go-git Project | 1 Go-git | 2025-04-17 | N/A | 9.8 CRITICAL |
| go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0. | |||||
| CVE-2025-32931 | 2025-04-15 | N/A | 9.1 CRITICAL | ||
| DevDojo Voyager 1.4.0 through 1.8.0, when Laravel 8 or later is used, allows authenticated administrators to execute arbitrary OS commands via a specific php artisan command. | |||||
| CVE-2022-47926 | 1 Ayacms Project | 1 Ayacms | 2025-04-15 | N/A | 9.8 CRITICAL |
| AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.php | |||||
| CVE-2022-46883 | 1 Mozilla | 1 Firefox | 2025-04-15 | N/A | 8.8 HIGH |
| Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.<br />*Note*: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 107. This vulnerability affects Firefox < 107. | |||||