2698 matches found

RedhatCVE
added 2025/05/23 2:26 a.m. | 6 views

CVE-2023-27198

PAX A930 device with PayDroid7.1.1VirgoV04.5.0220220722 can allow the execution of arbitrary commands by using the exec service and including a specific word in the command to be executed. The attacker must have physical USB access to the device in order to exploit this vulnerability...

CVSS 6.8 | AI score 7.2 | EPSS 0.00531
Exploits: 0 | References: 1

BDU FSTEC
added 2025/05/23 12:0 a.m. | 2 views

A vulnerability in the /goform/UserCongratulationsExec file of the Tenda AC10 router firmware allows an attacker to execute arbitrary code.

The vulnerability in /goform/UserCongratulationsExec in the Tenda AC10 router firmware lies in copying buffers without checking the size of the input data. Exploiting this vulnerability allows an attacker to execute arbitrary code remotely...

CVSS 9 | AI score 8 | EPSS 0.00683
Exploits: 0 | References: 6 | Affected Software: 1

RedhatCVE
added 2025/05/22 8:12 p.m. | 5 views

CVE-2021-39367

Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection...

CVSS 5.3 | AI score 7 | EPSS 0.00815
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/22 8:12 p.m. | 7 views

CVE-2021-39368

Canon Oce Print Exec Workgroup 1.3.2 allows XSS via the lang parameter...

CVSS 6.1 | AI score 5.9 | EPSS 0.00662
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/22 7:32 p.m. | 8 views

CVE-2021-27877

An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this schem...

CVSS 9.8 | AI score 7.3 | EPSS 0.6491
Exploits: 4 | References: 1

RedhatCVE
added 2025/05/22 3:20 p.m. | 9 views

CVE-2020-23151

rConfig 3.9.5 allows command injection by sending a crafted GET request to lib/ajaxHandlers/ajaxArchiveFiles.php since the path parameter is passed directly to the exec function without being escaped...

CVSS 9.8 | AI score 7.4 | EPSS 0.05718
Exploits: 1

RedhatCVE
added 2025/05/22 11:14 a.m. | 9 views

CVE-2013-4678

The NDMP protocol implementation in Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 allows remote authenticated users to obtain sensitive host-version information via unspecified vectors...

CVSS 2.7 | AI score 6.2 | EPSS 0.00544
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 9:59 a.m. | 8 views

CVE-2011-3626

Double free vulnerability in the prepare_exec function in src/exec.c in Logsurfer 1.5b and earlier, and Logsurfer+ 1.7 and earlier, allows remote attackers to execute arbitrary commands via crafted strings in a log file...

CVSS 7.5 | AI score 7.9 | EPSS 0.02164
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 6:46 a.m. | 3 views

CVE-2019-20343

The MojoHaus Exec Maven plugin 1.1.1 for Maven allows code execution via a crafted XML document because a configuration element within a plugin element can specify an arbitrary program in an executable element and can also specify arbitrary command-line arguments in an arguments element...

CVSS 9.8 | AI score 7.6 | EPSS 0.02409
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 6:32 a.m. | 7 views

CVE-2019-10777

In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName"...

CVSS 9.8 | AI score 7.1 | EPSS 0.01644
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 6:16 a.m. | 7 views

CVE-2019-10778

devcert-sanscache before 0.4.7 allows remote attackers to execute arbitrary code or cause a Command Injection via the exec function. The variable commonName controlled by user input is used as part of the exec function without any sanitization...

CVSS 9.8 | AI score 8.3 | EPSS 0.03453
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 4:20 a.m. | 3 views

CVE-2019-10783

All versions including 0.0.4 of lsof npm module are vulnerable to Command Injection. Every exported method used by the package uses the exec function to parse user input...

CVSS 9.8 | AI score 6.9 | EPSS 0.02642
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/21 8:48 p.m. | 5 views

CVE-2005-4779

verifiedexec_ioctl in verified_exec.c in NetBSD 2.0.2 calls NDINIT with UIO_USERSPACE rather than UID_SYSSPACE, which removes the functionality of the verified exec kernel subsystem and might allow local users to execute Trojan horse programs...

CVSS 3.6 | AI score 6.9 | EPSS 0.00334
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/21 6:14 p.m. | 6 views

CVE-1999-0955

Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain root access via the SITE EXEC command...

CVSS 7.6 | AI score 7.4 | EPSS 0.02521
Exploits: 0 | References: 1

OSV
added 2025/05/18 9:15 p.m. | 1 views

CVE-2025-4896

A vulnerability was found in Tenda AC10 16.03.10.13 and classified as critical. Affected by this issue is some unknown functionality of the file /goform/UserCongratulationsExec. The manipulation of the argument getuid leads to buffer overflow. The attack may be launched remotely. The exploit has...

CVSS 7.5 | AI score 6.3 | EPSS 0.00683
Exploits: 0 | References: 5

NVD
added 2025/05/13 4:15 p.m. | 13 views

CVE-2025-28056

rebuild v3.9.0 through v3.9.3 has a SQL injection vulnerability in /admin/admin-cli/exec component...

CVSS 9.8 | EPSS 0.00377
Exploits: 1 | References: 2

Snyk
added 2025/05/05 3:43 a.m. | 2 views

Arbitrary Code Injection

Overview: factool is a Factuality Detection for Generative AI. Affected versions of this package are vulnerable to Arbitrary Code Injection through the runsingle and run functions in the class pythonexecutor due to using the exec function to execute user-provided input without any form of validatio...

CVSS 5.3 | AI score 7.9 | EPSS 0.00182
Exploits: 0 | References: 2

BDU FSTEC
added 2025/04/19 12:0 a.m. | 5 views

A vulnerability in the exec() function in the icepay.php script of the MagnusBilling VoIP system allows an attacker to execute arbitrary commands.

The vulnerability in the exec function in the icepay.php script of the MagnusBilling VoIP system stems from a failure to neutralize special elements used in operating system commands when processing the democ parameter. Exploiting this vulnerability allows a remote...

CVSS 10 | AI score 8.2 | EPSS 0.91463
Exploits: 15 | References: 4 | Affected Software: 1

OSV
added 2025/04/16 3:15 p.m. | 6 views

CVE-2025-22029

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

AI score 6
Exploits: 0 | References: 1

NVD
added 2025/04/16 3:15 p.m. | 5 views

CVE-2025-22029

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

Exploits: 0