CVE-2026-30303

The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser the Unix-based shell-quote library to analyze commands on the...

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

CVE-2026-31386

OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege...

thingino-firmware 操作系统命令注入漏洞

thingino-firmware is an open-source firmware developed by Paul Philippov for specific SoC IP cameras. Versions of thingino-firmware up to firmware-2026-03-16 contained a vulnerability related to operating system command injection. This vulnerability stemmed from unvalidated os commands in the WiF...

CVE-2026-26832

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...

CVE-2026-32968 Unauthenticated RCE in com_mb24sysapi

Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the commb24sysapi module, resulting in full system compromise. This vulnerability is a variant attack for CVE-2020-10383...

Exploit for OS Command Injection in Apache Tomcat

ISM.bat RCE Exploit PoC script for unauthenticated Remote Cod...

AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command

Summary The uploadVideoToLinkedIn method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg. If an attacker can influence the LinkedIn API response via MITM, compromis...

PT-2026-26364

Microsoft Bing Images Remote Code Execution Vulnerability CVE: CVE-2026-32191 PT-Identifier: PT-2026-26364 Vendor: Microsoft Product: Microsoft Bing Images CVSS: 9.8 Credits: n/a Description: Improper neutralization of special elements used in an os command 'os command injection' in Microsoft Bin...

CVE-2026-32298

The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands...

CVE-2026-32298

Technical details (affected product/component/versions/root cause/impact) are not present in the connected documents. The provided Initial Description notes a vulnerability in Angeet ES3 KVM related to cfg.lua sanitation, but no concrete technical specifics are supplied here. Monitor for updates.

CVE-2026-25817

HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have improper neutralization of special elements used in an OS command allowing remote code execution by attackers with low privilege access on the gateway,...

PT-2026-24088

An issue pertaining to CWE-78: Improper Neutralization of Special Elements used in an OS Command was discovered in linagora Twake v2023.Q1.1223...

CVE-2025-70039

An issue pertaining to CWE-78: Improper Neutralization of Special Elements used in an OS Command was discovered in linagora Twake v2023.Q1.1223...

CVE-2026-3696

A vulnerability was found in Totolink N300RH 6..1c.1353B20190305. The affected element is the function setWiFiWpsConfig of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has...

CVE-2026-29058 AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration e.g., configuration...

CVE-2025-59783 OS Command Injection over API

API endpoint for user synchronization in 2N Access Commander version 3.4.1 did not have a sufficient input validation allowing for OS command injection. This vulnerability can only be exploited after authenticating with administrator privileges...

CVE-2025-50195

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. This issue has been patched in version 1.11.30...

CVE-2025-52365

A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system. The vulnerability arises from improper input handling where command-line arguments are directly...

PT-2026-22661

Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availabili...