Total
3837 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-11138 | 1 Quest | 1 Kace System Management Appliance | 2025-03-14 | 10.0 HIGH | 9.8 CRITICAL |
| The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system. | |||||
| CVE-2022-44877 | 1 Control-webpanel | 1 Webpanel | 2025-03-14 | N/A | 9.8 CRITICAL |
| login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. | |||||
| CVE-2019-15107 | 1 Webmin | 1 Webmin | 2025-03-14 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability. | |||||
| CVE-2019-12991 | 1 Citrix | 2 Netscaler Sd-wan, Sd-wan | 2025-03-14 | 9.0 HIGH | 8.8 HIGH |
| Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6). | |||||
| CVE-2019-11001 | 1 Reolink | 10 C1 Pro, C1 Pro Firmware, C2 Pro and 7 more | 2025-03-14 | 9.0 HIGH | 7.2 HIGH |
| On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field. | |||||
| CVE-2018-14839 | 1 Lg | 2 N1a1, N1a1 Firmware | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The impact is: execute arbitrary code (remote). The attack vector is: HTTP POST with parameters. | |||||
| CVE-2016-11021 | 1 Dlink | 2 Dcs-930l, Dcs-930l Firmware | 2025-03-14 | 9.0 HIGH | 7.2 HIGH |
| setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remote attacker to execute code via an OS command in the SystemCommand parameter. | |||||
| CVE-2019-16057 | 1 Dlink | 2 Dns-320, Dns-320 Firmware | 2025-03-14 | 10.0 HIGH | 9.8 CRITICAL |
| The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection. | |||||
| CVE-2020-9377 | 1 Dlink | 2 Dir-610, Dir-610 Firmware | 2025-03-14 | 6.5 MEDIUM | 8.8 HIGH |
| D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2020-16846 | 4 Debian, Fedoraproject, Opensuse and 1 more | 4 Debian Linux, Fedora, Leap and 1 more | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. | |||||
| CVE-2020-8816 | 1 Pi-hole | 1 Pi-hole | 2025-03-14 | 6.5 MEDIUM | 7.2 HIGH |
| Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. | |||||
| CVE-2020-12641 | 2 Opensuse, Roundcube | 3 Backports Sle, Leap, Webmail | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. | |||||
| CVE-2021-27102 | 1 Accellion | 1 Fta | 2025-03-14 | 7.2 HIGH | 7.8 HIGH |
| Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call. The fixed version is FTA_9_12_416 and later. | |||||
| CVE-2020-25506 | 1 Dlink | 2 Dns-320, Dns-320 Firmware | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution. | |||||
| CVE-2024-57012 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-03-14 | N/A | 8.8 HIGH |
| TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "week" parameter in setScheduleCfg. | |||||
| CVE-2017-6334 | 1 Netgear | 5 Dgn2200 Series Firmware, Dgn2200v1, Dgn2200v2 and 2 more | 2025-03-14 | 9.0 HIGH | 8.8 HIGH |
| dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-2017-6077. | |||||
| CVE-2017-6077 | 1 Netgear | 2 Dgn2200, Dgn2200 Firmware | 2025-03-14 | 10.0 HIGH | 9.8 CRITICAL |
| ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ping_IPAddr field of an HTTP POST request. | |||||
| CVE-2017-18368 | 2 Billion, Zyxel | 6 5200w-t, 5200w-t Firmware, P660hn-t1a V1 and 3 more | 2025-03-14 | 10.0 HIGH | 9.8 CRITICAL |
| The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter. | |||||
| CVE-2023-34281 | 1 Dlink | 2 Dir-2150, Dir-2150 Firmware | 2025-03-13 | N/A | 8.0 HIGH |
| D-Link DIR-2150 GetFirmwareStatus Target Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20561. | |||||
| CVE-2023-34280 | 1 Dlink | 2 Dir-2150, Dir-2150 Firmware | 2025-03-13 | N/A | 8.0 HIGH |
| D-Link DIR-2150 SetSysEmailSettings EmailTo Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20559. | |||||