CVE-2026-30311

Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations...

CVE-2026-5125 raine consult-llm-mcp server.ts child_process.execSync os command injection

A vulnerability was detected in raine consult-llm-mcp up to 2.5.3. Affected by this vulnerability is the function childprocess.execSync of the file src/server.ts. The manipulation of the argument gitdiff.baseref/gitdiff.files results in os command injection. The attack is only possible with local...

EUVD-2026-16600

The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser the Unix-based shell-quote library to analyze commands on the...

Multiple vulnerabilities in BUFFALO Wi-Fi routers

Overview Wi-Fi router products provided by BUFFALO INC. contain multiple vulnerabilities listed below. Dependency on vulnerable third-party component CWE-1395 - This issue is caused by a vulnerability in minihttpd CVE-2015-1548. OS command injection CWE-78 - CVE-2026-27650 Code injection CWE-94 -...

CVE-2026-30303

The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser the Unix-based shell-quote library to analyze commands on the...

CVE-2026-30302

The CVE-2026-30302 entry describes an OS Command Injection in CodeRider-Kilo’s command auto-approval module. The root cause is the use of a Unix-based shell-quote parser to analyze Windows commands and improper handling of Windows CMD escape sequences (^). Attackers can craft payloads such as git...

PT-2026-28646

Name of the Vulnerable Software and Affected Versions NEC Platforms, Ltd. Aterm Series affected versions not specified Description An OS Command Injection issue exists in NEC Platforms, Ltd. Aterm Series. This allows a malicious actor to execute arbitrary OS commands through the network...

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

CVE-2026-31386

OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege...

thingino-firmware 操作系统命令注入漏洞

thingino-firmware is an open-source firmware developed by Paul Philippov for specific SoC IP cameras. Versions of thingino-firmware up to firmware-2026-03-16 contained a vulnerability related to operating system command injection. This vulnerability stemmed from unvalidated os commands in the WiF...

CVE-2026-26832

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...

CVE-2026-32968 Unauthenticated RCE in com_mb24sysapi

Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the commb24sysapi module, resulting in full system compromise. This vulnerability is a variant attack for CVE-2020-10383...

Exploit for OS Command Injection in Apache Tomcat

ISM.bat RCE Exploit PoC script for unauthenticated Remote Cod...

AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command

Summary The uploadVideoToLinkedIn method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg. If an attacker can influence the LinkedIn API response via MITM, compromis...

PT-2026-26364

Microsoft Bing Images Remote Code Execution Vulnerability CVE: CVE-2026-32191 PT-Identifier: PT-2026-26364 Vendor: Microsoft Product: Microsoft Bing Images CVSS: 9.8 Credits: n/a Description: Improper neutralization of special elements used in an os command 'os command injection' in Microsoft Bin...

CVE-2026-32298

The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands...

CVE-2026-32298

Technical details (affected product/component/versions/root cause/impact) are not present in the connected documents. The provided Initial Description notes a vulnerability in Angeet ES3 KVM related to cfg.lua sanitation, but no concrete technical specifics are supplied here. Monitor for updates.

CVE-2026-25817

HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have improper neutralization of special elements used in an OS command allowing remote code execution by attackers with low privilege access on the gateway,...

CVE-2025-70039

An issue pertaining to CWE-78: Improper Neutralization of Special Elements used in an OS Command was discovered in linagora Twake v2023.Q1.1223...

PT-2026-24088

An issue pertaining to CWE-78: Improper Neutralization of Special Elements used in an OS Command was discovered in linagora Twake v2023.Q1.1223...