Total
5311 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-24788 | 2026-02-03 | N/A | 8.8 HIGH | ||
|
RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.
|
|||||
| CVE-2025-9974 | 2026-02-03 | N/A | 8.0 HIGH | ||
|
The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution. Due to insufficient validation of user-supplied data, a low-privileged authenticated attacker may be able to execute arbitrary commands on the underlying ONT/Beacon operating system, potentially impacting the confidentiality, integrity, and availability of the device.
|
|||||
| CVE-2026-22550 | 2026-02-03 | N/A | 7.2 HIGH | ||
|
OS command injection vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. A crafted request from a logged-in user may lead to an arbitrary OS command execution.
|
|||||
| CVE-2021-47748 | 1 Hasura | 1 Graphql Engine | 2026-02-02 | N/A | 9.8 CRITICAL |
|
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality.
|
|||||
| CVE-2021-47851 | 1 Yodinfo | 1 Mini Mouse | 2026-02-02 | N/A | 9.8 CRITICAL |
|
Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads by sending crafted JSON requests with malicious script commands.
|
|||||
| CVE-2025-33206 | 2 Linux, Nvidia | 2 Linux Kernel, Nsight Graphics | 2026-02-02 | N/A | 7.8 HIGH |
|
NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service.
|
|||||
| CVE-2025-33230 | 2 Linux, Nvidia | 2 Linux Kernel, Cuda Toolkit | 2026-02-02 | N/A | 7.3 HIGH |
|
NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. A successful exploit of this vulnerability might lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure.
|
|||||
| CVE-2025-33228 | 1 Nvidia | 1 Cuda Toolkit | 2026-02-02 | N/A | 7.3 HIGH |
|
NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.
|
|||||
| CVE-2024-2421 | 1 Honeywell | 1 Lenels2 Netbox | 2026-02-02 | N/A | 9.8 CRITICAL |
|
LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated RCE in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions.
|
|||||
| CVE-2026-1505 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2026-01-30 | 8.3 HIGH | 7.2 HIGH |
|
A vulnerability was found in D-Link DIR-615 4.10. This issue affects some unknown processing of the file /set_temp_nodes.php of the component URL Filter. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2026-1506 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2026-01-30 | 8.3 HIGH | 7.2 HIGH |
|
A vulnerability was determined in D-Link DIR-615 4.10. Impacted is an unknown function of the file /adv_mac_filter.php of the component MAC Filter Configuration. This manipulation of the argument mac causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2026-0765 | 1 Openwebui | 1 Open Webui | 2026-01-30 | N/A | 8.8 HIGH |
|
Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability.
The specific flaw exists within the install_frontmatter_requirements function.The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this ...
Show More |
|||||
| CVE-2024-50388 | 1 Qnap | 1 Hybrid Backup Sync | 2026-01-30 | N/A | 9.8 CRITICAL |
|
An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute commands.
We have already fixed the vulnerability in the following version:
HBS 3 Hybrid Backup Sync 25.1.1.673 and later
|
|||||
| CVE-2026-1324 | 1 Sangfor | 1 Operation And Maintenance Security Management System | 2026-01-30 | 9.0 HIGH | 8.8 HIGH |
|
A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. Affected by this issue is the function SessionController of the file /isomp-protocol/protocol/session of the component SSH Protocol Handler. The manipulation of the argument keypassword leads to os command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any wa ...
Show More |
|||||
| CVE-2022-50919 | 1 Tdarr | 1 Tdarr | 2026-01-29 | N/A | 9.8 CRITICAL |
|
Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal that allows attackers to inject and chain arbitrary commands. Attackers can exploit the lack of input filtering by chaining commands like `--help; curl .py | python` to execute remote code without authentication.
|
|||||
| CVE-2020-37012 | 2026-01-29 | N/A | 9.8 CRITICAL | ||
|
Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API action.
|
|||||
| CVE-2015-10145 | 1 Gargoyle-router | 1 Gargoyle | 2026-01-29 | N/A | 8.8 HIGH |
|
Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands.
|
|||||
| CVE-2025-33234 | 2026-01-29 | N/A | 7.8 HIGH | ||
|
NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
|
|||||
| CVE-2020-37002 | 2026-01-29 | N/A | 9.8 CRITICAL | ||
|
Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a specified IP and port.
|
|||||
| CVE-2025-56092 | 1 Ruijie | 4 Rg-ew300t, Rg-ew300t Firmware, X30 Pro and 1 more | 2026-01-29 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie X30 PRO V1 X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
|
|||||
| CVE-2025-1676 | 1 Hzmanyun | 1 Education And Training System | 2026-01-29 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. Affected by this vulnerability is the function pdf2swf of the file /pdf2swf. The manipulation of the argument file leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-8890 | 2026-01-28 | N/A | N/A | ||
|
Firmware in SDMC NE6037 routers prior to version 7.1.12.2.44 has a network diagnostics tool vulnerable to a shell command injection attacks.
In order to exploit this vulnerability, an attacker has to log in to the router's administrative portal, which by default is reachable only via LAN ports.
|
|||||
| CVE-2026-1448 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2026-01-28 | 8.3 HIGH | 7.2 HIGH |
|
A vulnerability was detected in D-Link DIR-615 up to 4.10. This impacts an unknown function of the file /wiz_policy_3_machine.php of the component Web Management Interface. Performing a manipulation of the argument ipaddr results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2026-22035 | 1 Getgreenshot | 1 Greenshot | 2026-01-27 | N/A | 7.7 HIGH |
|
Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311.
|
|||||
| CVE-2025-56101 | 1 Ruijie | 4 M18-ew, M18-ew Firmware, Rg-ew1200r and 1 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
|
|||||
| CVE-2025-56089 | 1 Ruijie | 4 M18-ew, M18-ew Firmware, Rg-ew300g Pro and 1 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
|
|||||
| CVE-2025-56098 | 1 Ruijie | 4 Rg-ew300 Pro, Rg-ew300 Pro Firmware, X30 Pro and 1 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
|
|||||
| CVE-2025-56093 | 1 Ruijie | 6 Rg-eap602, Rg-eap602 Firmware, Rg-ew300 Pro and 3 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the setWisp in file /usr/lib/lua/luci/modules/wireless.lua.
|
|||||
| CVE-2025-56094 | 1 Ruijie | 4 Rg-ew300 Pro, Rg-ew300 Pro Firmware, X30 Pro and 1 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/host_access_delay.lua.
|
|||||
| CVE-2025-56095 | 1 Ruijie | 4 Rg-eap602, Rg-eap602 Firmware, Rg-ew1200g Pro and 1 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
|
|||||
| CVE-2025-56090 | 1 Ruijie | 4 Rg-ew1200g Pro, Rg-ew1200g Pro Firmware, Rg-ew1200r and 1 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
|
|||||
| CVE-2025-56123 | 1 Ruijie | 4 Rg-ew1200g Pro, Rg-ew1200g Pro Firmware, Rg-ew1300g and 1 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
|
|||||
| CVE-2025-56091 | 1 Ruijie | 4 Rg-ew1800gx, Rg-ew1800gx Firmware, Rg-ew300r and 1 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
|
|||||
| CVE-2025-56097 | 1 Ruijie | 4 Rg-ew1800gx Pro, Rg-ew1800gx Pro Firmware, Rg-ew300n and 1 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
|
|||||
| CVE-2025-56102 | 1 Ruijie | 4 Rg-ew1800gx, Rg-ew1800gx Firmware, Rg-ew300r and 1 more | 2026-01-27 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
|
|||||
| CVE-2025-56108 | 1 Ruijie | 10 Rg-eap602, Rg-eap602 Firmware, Rg-est310 and 7 more | 2026-01-26 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua.
|
|||||
| CVE-2025-56088 | 1 Ruijie | 2 Rg-bcr860, Rg-bcr860 Firmware | 2026-01-26 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_service in file /usr/lib/lua/luci/controller/admin/service.lua.
|
|||||
| CVE-2025-56109 | 1 Ruijie | 2 Rg-bcr860, Rg-bcr860 Firmware | 2026-01-26 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_wireless in file /usr/lib/lua/luci/control/admin/wireless.lua.
|
|||||
| CVE-2024-31976 | 1 Engeniustech | 2 Ews356-fir, Ews356-fir Firmware | 2026-01-26 | N/A | 8.0 HIGH |
|
EnGenius EWS356-FIR 1.1.30 and earlier devices allow a remote attacker to execute arbitrary OS commands via the Controller connectivity parameter.
|
|||||
| CVE-2025-56106 | 1 Ruijie | 4 Rg-est350, Rg-est350 Firmware, Rg-ew1800gx and 1 more | 2026-01-26 | N/A | 8.8 HIGH |
|
OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
|
|||||