Total
3060 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-12442 | 2025-05-13 | N/A | 9.8 CRITICAL | ||
|
EnerSys AMPA versions 24.04 through 24.16, inclusive, are vulnerable to command injection leading to privileged remote shell access.
|
|||||
| CVE-2024-11861 | 2025-05-12 | N/A | 9.8 CRITICAL | ||
|
EnerSys AMPA 22.09 and prior versions are vulnerable to command injection leading to privileged remote shell access.
|
|||||
| CVE-2022-43367 | 1 Ip-com | 2 Ew9, Ew9 Firmware | 2025-05-12 | N/A | 9.8 CRITICAL |
|
IP-COM EW9 V15.11.0.14(9732) was discovered to contain a command injection vulnerability in the formSetDebugCfg function.
|
|||||
| CVE-2025-4122 | 1 Netgear | 2 Jwnr2000v2, Jwnr2000v2 Firmware | 2025-05-12 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in Netgear JWNR2000v2 1.0.0.11. It has been rated as critical. Affected by this issue is the function sub_435E04. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-44023 | 2025-05-12 | N/A | 6.5 MEDIUM | ||
|
An issue in dlink DNS-320 v.1.00 and DNS-320LW v.1.01.0914.20212 allows an attacker to execute arbitrary via the account_mgr.cgi->cgi_chg_admin_pw components.
|
|||||
| CVE-2025-29509 | 2025-05-12 | N/A | 8.8 HIGH | ||
|
Jan v0.5.14 and before is vulnerable to remote code execution (RCE) when the user clicks on a rendered link in the conversation, due to opening external website in the app and the exposure of electronAPI, with a lack of filtering of URL when calling shell.openExternal().
|
|||||
| CVE-2025-4350 | 1 Dlink | 2 Dir-600l, Dir-600l Firmware | 2025-05-12 | 9.0 HIGH | 8.8 HIGH |
|
A vulnerability classified as critical was found in D-Link DIR-600L up to 2.07B01. This vulnerability affects the function wake_on_lan. The manipulation of the argument host leads to command injection. The attack can be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2025-4349 | 1 Dlink | 2 Dir-600l, Dir-600l Firmware | 2025-05-12 | 9.0 HIGH | 8.8 HIGH |
|
A vulnerability classified as critical has been found in D-Link DIR-600L up to 2.07B01. This affects the function formSysCmd. The manipulation of the argument host leads to command injection. It is possible to initiate the attack remotely. This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2025-4032 | 1 Inclusionai | 1 Aworld | 2025-05-10 | 4.6 MEDIUM | 5.0 MEDIUM |
|
A vulnerability was found in inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e. It has been rated as critical. This issue affects the function subprocess.run/subprocess.Popen of the file AWorld/aworld/virtual_environments/terminals/shell_tool.py. The manipulation leads to os command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Th ...
Show More |
|||||
| CVE-2025-4089 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-05-09 | N/A | 5.1 MEDIUM |
|
Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 138 and Thunderbird < 138.
|
|||||
| CVE-2024-52739 | 1 Dlink | 2 Di-8400, Di-8400 Firmware | 2025-05-09 | N/A | 8.0 HIGH |
|
D-LINK DI-8400 v16.07.26A1 was discovered to contain multiple remote command execution (RCE) vulnerabilities in the msp_info_htm function via the flag and cmd parameters.
|
|||||
| CVE-2025-45009 | 1 Phpgurukul | 1 Park Ticketing Management System | 2025-05-09 | N/A | 5.3 MEDIUM |
|
A HTML Injection vulnerability was discovered in the normal-search.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary code via the searchdata parameter.
|
|||||
| CVE-2025-45010 | 1 Phpgurukul | 1 Park Ticketing Management System | 2025-05-09 | N/A | 5.3 MEDIUM |
|
A HTML Injection vulnerability was discovered in the normal-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary code via the fromdate and todate POST request parameters.
|
|||||
| CVE-2025-45011 | 1 Phpgurukul | 1 Park Ticketing Management System | 2025-05-09 | N/A | 5.3 MEDIUM |
|
A HTML Injection vulnerability was discovered in the foreigner-search.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary code via the searchdata POST request parameter.
|
|||||
| CVE-2025-29154 | 2025-05-08 | N/A | 6.5 MEDIUM | ||
|
HTML injection vulnerability in lemeconsultoria HCM galera.app v.4.58.0 allows an attacker to execute arbitrary code via the .galera.app/ted/solicitacao_treinamento/, .galera.app/rh/metas/perspectiva_estrategica/edicao/, .galera.app/rh/cadastros/perspectivas/listagem/adc/, .galera.app/escolaridade/listagem/, .galera.app/estados_civis/cadastro/, .galera.app/nivel_hierarquico/listagem/, .galera.app/nivel_decisorio/cadastro/, .galera.app/escolaridade/cadastro/, .galera.app/nivel_decisorio/listagem/ ...
Show More |
|||||
| CVE-2024-24216 | 1 Easycorp | 1 Zentao | 2025-05-08 | N/A | 9.8 CRITICAL |
|
Zentao v18.0 to v18.10 was discovered to contain a remote code execution (RCE) vulnerability via the checkConnection method of /app/zentao/module/repo/model.php.
|
|||||
| CVE-2025-3987 | 1 Totolink | 2 N150rt, N150rt Firmware | 2025-05-07 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as critical. This issue affects some unknown processing of the file /boafrm/formWsc. The manipulation of the argument localPin leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-57235 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
|
NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the iface parameter in the vif_enable function.
|
|||||
| CVE-2024-57234 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
|
NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_cancel_wps function.
|
|||||
| CVE-2024-57233 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
|
NETGEAR RAX5 (AX1600 WiFi Router) v1.0.2.26 was discovered to contain a command injection vulnerability via the iface parameter in the vif_disable function.
|
|||||
| CVE-2024-57232 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
|
NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_wps_gen_pincode function.
|
|||||
| CVE-2024-57231 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
|
NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pbc_wps function.
|
|||||
| CVE-2024-57230 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
|
NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pin_wps function.
|
|||||
| CVE-2024-57229 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
|
NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the devname parameter in the reset_wifi function.
|
|||||
| CVE-2025-45042 | 1 Tenda | 2 Ac9, Ac9 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
|
Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function.
|
|||||
| CVE-2024-51186 | 1 Dlink | 2 Dir-820l, Dir-820l Firmware | 2025-05-07 | N/A | 8.0 HIGH |
|
D-Link DIR-820L 1.05b03 was discovered to contain a remote code execution (RCE) vulnerability via the ping_addr parameter in the ping_v4 and ping_v6 functions.
|
|||||
| CVE-2025-46816 | 2025-05-07 | N/A | 9.4 CRITICAL | ||
|
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.
|
|||||
| CVE-2025-26262 | 2025-05-07 | N/A | 6.5 MEDIUM | ||
|
An issue in the component /internals/functions of R-fx Networks Linux Malware Detect v1.6.5 allows attackers to escalate privileges and execute arbitrary code via supplying a file that contains a crafted filename.
|
|||||
| CVE-2025-46735 | 2025-05-07 | N/A | N/A | ||
|
Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found in Terraform WinDNS Provider before version `1.0.5`. The `windns_record` resource did not sanitize the input variables. This could lead to authenticated command injection in the underlyding powershell command prompt. Version 1.0.5 contains a fix for the issue.
|
|||||
| CVE-2024-29435 | 1 Alldata | 1 Alldata | 2025-05-07 | N/A | 4.1 MEDIUM |
|
An issue discovered in Alldata v0.4.6 allows attacker to run arbitrary commands via the processId parameter.
|
|||||
| CVE-2025-28017 | 1 Totolink | 2 A800r, A800r Firmware | 2025-05-06 | N/A | 6.5 MEDIUM |
|
TOTOLINK A800R V4.1.2cu.5032_B20200408 is vulnerable to Command Injection in downloadFile.cgi via the QUERY_STRING parameter.
|
|||||
| CVE-2024-22061 | 1 Ivanti | 1 Avalanche | 2025-05-06 | N/A | 9.8 CRITICAL |
|
A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands
|
|||||
| CVE-2023-49959 | 1 Indu-sol | 1 Profinet-inspektor Nt | 2025-05-05 | N/A | 9.8 CRITICAL |
|
In Indo-Sol PROFINET-INspektor NT through 2.4.0, a command injection vulnerability in the gedtupdater service of the firmware allows remote attackers to execute arbitrary system commands with root privileges via a crafted filename parameter in POST requests to the /api/updater/ctrl/start_update endpoint.
|
|||||
| CVE-2018-9866 | 1 Sonicwall | 1 Global Management System | 2025-05-05 | 7.5 HIGH | 9.8 CRITICAL |
|
A vulnerability in lack of validation of user-supplied parameters pass to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliance's, allow remote user to execute arbitrary code. This vulnerability affected GMS version 8.1 and earlier.
|
|||||
| CVE-2020-10826 | 1 Draytek | 6 Vigor2960, Vigor2960 Firmware, Vigor300b and 3 more | 2025-05-05 | 10.0 HIGH | 9.8 CRITICAL |
|
/cgi-bin/activate.cgi on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve command injection via a remote HTTP request in DEBUG mode.
|
|||||
| CVE-2023-26801 | 1 Lb-link | 8 Bl-ac1900, Bl-ac1900 Firmware, Bl-lte300 and 5 more | 2025-05-05 | N/A | 9.8 CRITICAL |
|
LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.
|
|||||
| CVE-2022-43109 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2025-05-05 | N/A | 9.8 CRITICAL |
|
D-Link DIR-823G v1.0.2 was found to contain a command injection vulnerability in the function SetNetworkTomographySettings. This vulnerability allows attackers to execute arbitrary commands via a crafted packet.
|
|||||
| CVE-2025-4076 | 2025-05-02 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability classified as critical has been found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function easy_uci_set_option_string_0 of the file /cgi-bin/lighttpd.cgi of the component Password Handler. The manipulation of the argument routepwd leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2023-0830 | 1 Easynas | 1 Easynas | 2025-05-01 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical has been found in EasyNAS 1.1.0. Affected is the function system of the file /backup.pl. The manipulation leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.
|
|||||
| CVE-2025-28145 | 1 Edimax | 2 Br-6478ac V3, Br-6478ac V3 Firmware | 2025-05-01 | N/A | 6.5 MEDIUM |
|
Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via partition in /boafrm/formDiskFormat.
|
|||||