Web-Check < 2.0.1 Screenshot API - OS Command Injection

Lissy93/web-check contains a command injection caused by unsanitized user input in the screenshot API, letting attackers execute arbitrary system commands, exploit requires sending crafted url parameters. id: CVE-2025-32778 info: name: Web-Check 2.0.1 Screenshot API - OS Command Injection author:...

CVE-2026-49492

The CVE-2026-49492 entry concerns Markdown Preview Enhanced (pre-0.8.28) which opens external files/links from the preview via a shell and does not validate untrusted inputs from the markdown document (e.g., diagram filename attribute, imported file paths, latex_engine code-chunk attribute). On W...

CVE-2026-8037

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints...

CVE-2025-41275

The CVE-2025-41275 entry concerns Waterfall WF-500 TX and RX Hosts (Console WebUI) with a CWE-78 OS command injection in version 7.9.1.0 R2502171040. The root cause is improper neutralization of special elements in the OS command flow, enabling remote unauthenticated attackers to execute arbitrar...

EUVD-2025-209994

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating...

EUVD-2025-209989

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating...

CVE-2025-41265

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating syste...

PT-2026-44808

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating...

CVE-2026-45322

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.runshell passes a command string...

UBUNTU-CVE-2026-48687

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The log function in src/juniperplugin/fastnetmonjuniper.php lines 117-118 constructs shell commands by concatenating the $msg parameter directly into exec calls:...

CVE-2026-9437 DTStack Taier REST API Runtime.exec os command injection

A vulnerability has been found in DTStack Taier 1.4.0. This affects the function Runtime.exec of the component REST API. The manipulation of the argument sqlText leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may ...

CVE-2026-8652

An OS Command Injection vulnerability exists in Aterm. If a malicious third person gains administrator access to the product’s web console, they may be able to execute arbitrary OS commands via adjacent network...

CVE-2026-9387

CVE-2026-9387 affects Totolink A8000RU Web Management, specifically the /cgi-bin/cstecgi.cgi function setUpgradeFW. The vulnerability arises from manipulation of the resetFlags argument, leading to OS command injection. Impact is described as remote, with high confidentiality, integrity, and avai...

CVE-2026-9386 Totolink A8000RU Web Management cstecgi.cgi setLanguageCfg os command injection

A vulnerability was identified in Totolink A8000RU 7.1cu.643b20200521. Impacted is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument lang leads to os command injection. The attack may be performed from remote...

TOTOLINK A8000RU 操作系统命令注入漏洞

TOTOLINK A8000RU is a wireless router produced by TOTOLINK, a Chinese company. The TOTOLINK A8000RU 7.1cu.643b20200521 version contains a vulnerability related to operating system command injection. This vulnerability stems from improper handling of the mode parameter in the setScheduleCfg functi...

CVE-2026-8603

In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system...

GHSA-9VCR-G537-3W5V Fleet vulnerable to OS command injection in software packages

Summary A vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root macOS/Linux or SYSTEM Windows on managed endpoints when an uninstall is triggered. Impact When a software package .pkg, .deb, .rpm, .exe, or .msi is uploaded...

EUVD-2026-29941

ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command may be executed. No authentication is required...

CVE-2026-42062

ELECOM wireless LAN access point devices are affected by an OS command injection in the processing of the username parameter. A crafted request can execute arbitrary OS commands with no authentication required. Affected versions are not explicitly listed in the provided documents; CVSS metrics in...

SUSE CVE-2026-7815

SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields bufferusagelimit, vacuumparallel, vacuumindexcleanup, reindextablespace were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with th...