Total
3837 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41751 | 3 Debian, Fedoraproject, Jhead Project | 3 Debian Linux, Fedora, Jhead | 2025-05-13 | N/A | 7.8 HIGH |
| Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option. | |||||
| CVE-2023-44421 | 1 Dlink | 2 Dir-x3260, Dir-x3260 Firmware | 2025-05-13 | N/A | 8.0 HIGH |
| D-Link DIR-X3260 SetTriggerPPPoEValidate Username Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the prog.cgi program, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21101. | |||||
| CVE-2023-44422 | 1 Dlink | 2 Dir-x3260, Dir-x3260 Firmware | 2025-05-13 | N/A | 8.0 HIGH |
| D-Link DIR-X3260 SetSysEmailSettings EmailFrom Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the prog.cgi program, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21102. | |||||
| CVE-2023-44425 | 1 Dlink | 2 Dir-x3260, Dir-x3260 Firmware | 2025-05-13 | N/A | 8.0 HIGH |
| D-Link DIR-X3260 SetSysEmailSettings AccountName Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within prog.cgi, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21159. | |||||
| CVE-2023-44424 | 1 Dlink | 2 Dir-x3260, Dir-x3260 Firmware | 2025-05-13 | N/A | 8.0 HIGH |
| D-Link DIR-X3260 SetSysEmailSettings EmailTo Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within prog.cgi, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21158. | |||||
| CVE-2023-44426 | 1 Dlink | 2 Dir-x3260, Dir-x3260 Firmware | 2025-05-13 | N/A | 8.0 HIGH |
| D-Link DIR-X3260 SetSysEmailSettings AccountPassword Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within prog.cgi, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21160. | |||||
| CVE-2023-44427 | 1 Dlink | 2 Dir-x3260, Dir-x3260 Firmware | 2025-05-13 | N/A | 8.0 HIGH |
| D-Link DIR-X3260 SetSysEmailSettings SMTPServerAddress Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within prog.cgi, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21222. | |||||
| CVE-2023-44423 | 1 Dlink | 2 Dir-x3260, Dir-x3260 Firmware | 2025-05-13 | N/A | 8.0 HIGH |
| D-Link DIR-X3260 SetTriggerPPPoEValidate Password Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the prog.cgi program, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21157. | |||||
| CVE-2025-4032 | 1 Inclusionai | 1 Aworld | 2025-05-10 | N/A | 8.1 HIGH |
| A vulnerability was found in inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e. It has been rated as critical. This issue affects the function subprocess.run/subprocess.Popen of the file AWorld/aworld/virtual_environments/terminals/shell_tool.py. The manipulation leads to os command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | |||||
| CVE-2022-43184 | 1 Dlink | 2 Dir-878, Dir-878 Firmware | 2025-05-08 | N/A | 9.8 CRITICAL |
| D-Link DIR878 1.30B08 Hotfix_04 was discovered to contain a command injection vulnerability via the component /bin/proc.cgi. | |||||
| CVE-2020-17384 | 1 Cellopoint | 1 Cellos | 2025-05-08 | 9.0 HIGH | 7.2 HIGH |
| Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system. | |||||
| CVE-2022-35132 | 1 Webmin | 1 Usermin | 2025-05-07 | N/A | 8.8 HIGH |
| Usermin through 1.850 allows a remote authenticated user to execute OS commands via command injection in a filename for the GPG module. | |||||
| CVE-2022-31898 | 1 Gl-inet | 4 Gl-ax1800, Gl-ax1800 Firmware, Gl-mt300n-v2 and 1 more | 2025-05-07 | N/A | 6.8 MEDIUM |
| gl-inet GL-MT300N-V2 Mango v3.212 and GL-AX1800 Flint v3.214 were discovered to contain multiple command injection vulnerabilities via the ping_addr and trace_addr function parameters. | |||||
| CVE-2024-30247 | 1 Nextcloud | 1 Nextcloudpi | 2025-05-07 | N/A | 9.8 CRITICAL |
| NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a security misconfiguration this can be used by anyone with access to NextCloudPi web-panel, no authentication is required. It is recommended that the NextCloudPi is upgraded to 1.53.1. | |||||
| CVE-2022-42055 | 1 Gl-inet | 1 Goodcloud | 2025-05-07 | N/A | 6.5 MEDIUM |
| Multiple command injection vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 via the ping and traceroute tools allow attackers to read arbitrary files on the system. | |||||
| CVE-2022-44019 | 1 Totaljs | 1 Total.js | 2025-05-07 | N/A | 8.8 HIGH |
| In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter. | |||||
| CVE-2022-42999 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-07 | N/A | 7.5 HIGH |
| D-Link DIR-816 A2 1.10 B05 was discovered to contain multiple command injection vulnerabilities via the admuser and admpass parameters at /goform/setSysAdm. | |||||
| CVE-2022-29851 | 1 Open-xchange | 1 Ox App Suite | 2025-05-07 | N/A | 9.8 CRITICAL |
| documentconverter in OX App Suite through 7.10.6, in a non-default configuration with ghostscript, allows OS Command Injection because file conversion may occur for an EPS document that is disguised as a PDF document. | |||||
| CVE-2024-0166 | 1 Dell | 1 Unity Operating Environment | 2025-05-06 | N/A | 7.8 HIGH |
| Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_tcpdump utility. An authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands with elevated privileges. | |||||
| CVE-2018-18600 | 1 Guardzilla | 4 180 Indoor, 180 Indoor Firmware, 180 Outdoor and 1 more | 2025-05-06 | 9.3 HIGH | 8.1 HIGH |
| The remote upgrade feature in Guardzilla GZ180 devices allow command injection via a crafted new firmware version parameter. | |||||