Total
1788 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-51941 | 1 Apache | 1 Ambari | 2025-06-09 | N/A | N/A |
| A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and execute arbitrary code. The vulnerability occurs when processing alert definitions, where malicious input can be injected into the alert script execution path. An attacker with authenticated access can exploit this vulnerability to execute arbitrary commands on the server. The issue has been fixed in the latest versions of Ambari. | |||||
| CVE-2024-22900 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2025-06-06 | N/A | 8.8 HIGH |
| Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the setNetworkCardInfo function. | |||||
| CVE-2025-22481 | 2025-06-06 | N/A | N/A | ||
| A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.4.3079 build 20250321 and later QuTS hero h5.2.4.3079 build 20250321 and later | |||||
| CVE-2024-22729 | 1 Netis-systems | 2 Mw5360, Mw5360 Firmware | 2025-06-04 | N/A | 9.8 CRITICAL |
| NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page. | |||||
| CVE-2024-22903 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2025-06-04 | N/A | 8.8 HIGH |
| Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function. | |||||
| CVE-2024-22529 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-06-04 | N/A | 9.8 CRITICAL |
| TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa. | |||||
| CVE-2025-48936 | 1 Zitadel | 1 Zitadel | 2025-06-04 | N/A | 8.8 HIGH |
| Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2. | |||||
| CVE-2023-6634 | 1 Thimpress | 1 Learnpress | 2025-06-03 | N/A | 9.8 CRITICAL |
| The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution. | |||||
| CVE-2023-48842 | 1 Dlink | 2 Go-rt-ac750, Go-rt-ac750 Firmware | 2025-06-03 | N/A | 9.8 CRITICAL |
| D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi. | |||||
| CVE-2023-52039 | 1 Totolink | 2 X6000r, X6000r Firmware | 2025-05-30 | N/A | 9.8 CRITICAL |
| An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415AA4 function. | |||||
| CVE-2024-22663 | 1 Totolink | 2 A3700r, A3700r Firmware | 2025-05-30 | N/A | 9.8 CRITICAL |
| TOTOLINK_A3700R_V9.1.2u.6165_20211012has a command Injection vulnerability via setOpModeCfg | |||||
| CVE-2023-50274 | 1 Hp | 1 Oneview | 2025-05-30 | N/A | 7.8 HIGH |
| HPE OneView may allow command injection with local privilege escalation. | |||||
| CVE-2023-52038 | 1 Totolink | 2 X6000r, X6000r Firmware | 2025-05-30 | N/A | 9.8 CRITICAL |
| An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415C80 function. | |||||
| CVE-2024-22545 | 1 Trendnet | 2 Tew-824dru, Tew-824dru Firmware | 2025-05-29 | N/A | 7.8 HIGH |
| An issue was discovered in TRENDnet TEW-824DRU version 1.04b01, allows unauthenticated attackers to execute arbitrary code via the system.ntp.server parameter in the sub_420AE0() function. The attack can be launched remotely. | |||||
| CVE-2023-51833 | 1 Trendnet | 2 Tew-411brpplus, Tew-411brpplus Firmware | 2025-05-29 | N/A | 8.1 HIGH |
| A command injection issue in TRENDnet TEW-411BRPplus v.2.07_eu that allows a local attacker to execute arbitrary code via the data1 parameter in the debug.cgi page. | |||||
| CVE-2024-12986 | 1 Draytek | 4 Vigor2960, Vigor2960 Firmware, Vigor300b and 1 more | 2025-05-28 | N/A | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, has been found in DrayTek Vigor2960 and Vigor300B 1.5.1.3/1.5.1.4. This issue affects some unknown processing of the file /cgi-bin/mainfunction.cgi/apmcfgupptim of the component Web Management Interface. The manipulation of the argument session leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-1845 | 1 Esafenet | 1 Dsm | 2025-05-28 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in ESAFENET DSM 3.1.2 and classified as critical. Affected by this vulnerability is the function examExportPDF of the file /admin/plan/examExportPDF. The manipulation of the argument s leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-49437 | 1 Tenda | 2 Ax12, Ax12 Firmware | 2025-05-28 | N/A | 9.8 CRITICAL |
| Tenda AX12 V22.03.01.46 has been discovered to contain a command injection vulnerability in the 'list' parameter at /goform/SetNetControlList. | |||||
| CVE-2023-40301 | 1 Netscout | 1 Ngeniuspulse | 2025-05-28 | N/A | 9.8 CRITICAL |
| NETSCOUT nGeniusPULSE 3.8 has a Command Injection Vulnerability. | |||||
| CVE-2025-3249 | 1 Totolink | 2 A6000r, A6000r Firmware | 2025-05-28 | N/A | 9.8 CRITICAL |
| A vulnerability classified as critical was found in TOTOLINK A6000R 1.0.1-B20201211.2000. Affected by this vulnerability is the function apcli_cancel_wps of the file /usr/lib/lua/luci/controller/mtkwifi.lua. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||