CVE-2026-10872

A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function startvpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used...

CVE-2026-20245 Cisco Catalyst SD-WAN Controller Authenticated Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an authenticated, local attacker to execute arbitrary commands as root by supplyi...

CVE-2026-10796 nvm executes commands from a malicious Node.js mirror's version strings

nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...

EUVD-2026-34303

nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...

CVE-2026-10796

nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...

CVE-2026-10796

Vulnerability summary (CVE-2026-10796) : nvm (Node Version Manager)

CVE-2026-35906

An undocumented debug CGI endpoint in T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03 allows unauthenticated attackers to execute arbitrary system commands as root via supplying a crafted HTTP query string...

RLSA-2026:21676 Important: cockpit security update

Cockpit enables users to administer GNU/Linux servers using a web browser. It offers network configuration, log inspection, diagnostic reports, SELinux troubleshooting, interactive command-line sessions, and more. Security Fixes: cockpit: Cockpit: Arbitrary command execution via crafted links in...

cockpit security update

An update is available for cockpit. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Cockpit enables users to administer GNU/Linux servers using a web browser. I...

CVE-2026-45431 Command Injection Vulnerability in GX Earth ONT Models

This vulnerability exists in GX Earth ONT models due to improper handling of user-supplied input in multiple diagnostic functions in its web management interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary and executing OS commands on the targeted...

CVE-2026-3820

There is a vulnerability in the Supermicro BMC SMTP service at Supermicro AS-2115HS-TNR. An attacker may obtain administrator privileges and inject specially crafted characters into the SMTP service configuration. This may cause the underlying system to execute unintended commands during process...

CVE-2026-49188

The aicmd utility executes with full root permissions. It pipes socket inputs directly to popen, paving the way for unauthenticated users to execute arbitrary root commands...

CVE-2026-49188 Elevated Root Command Execution via ai_cmd Sockets

The aicmd utility executes with full root permissions. It pipes socket inputs directly to popen, paving the way for unauthenticated users to execute arbitrary root commands...

HTTP File Server <2.3c - Remote Command Execution

HTTP File Server before 2.3c is susceptible to remote command execution. The findMacroMarker function in parserLib.pas allows an attacker to execute arbitrary programs via a %00 sequence in a search action. Therefore, an attacker can obtain sensitive information, modify data, and/or gain full...

RockyLinux 10 : cockpit (RLSA-2026:21676)

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:21676 advisory. cockpit: Cockpit: Arbitrary command execution via crafted links in system logs UI CVE-2026-4802 Tenable has extracted the preceding description block directly...

PT-2026-46158

There is a vulnerability in the Supermicro BMC SMTP service at Supermicro AS-2115HS-TNR. An attacker may obtain administrator privileges and inject specially crafted characters into the SMTP service configuration. This may cause the underlying system to execute unintended commands during process...

CVE-2026-35906

CVE-2026-35906 affects T3 Technology CPE models T625Pro v1.0.07 and T6825G v1.0.03. The vulnerability stems from an undocumented debug CGI endpoint that is accessible without authentication, allowing an attacker to supply a crafted HTTP query string to execute arbitrary commands with root privile...

PT-2026-46242

An undocumented debug CGI endpoint in T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03 allows unauthenticated attackers to execute arbitrary system commands as root via supplying a crafted HTTP query string...

EUVD-2024-55605

launch-editor vulnerable to command injection via the crafted request on Windows...

MAL-2026-5182 Malicious code in brave-search-mcp-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d7d65e78a73a4cc2064d0ab9210a76c7c55f69553b70879dd649d7ad84e48dc0 The OpenSSF Package Analysis project identified 'brave-search-mcp-server' @ 1.0.0 npm as malicious. It is considered malicious because: - The...