19581 matches found
CVE-2026-4611
A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360B20241207/9.4.0cu.1498B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely...
EUVD-2026-14457
A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit...
CVE-2026-4591
A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit...
Exploit for OS Command Injection in Arcane
CVE-2026-23520 MCP API Remote Command Execution RCE Proo...
CVE-2026-4591 kalcaddle kodbox fileThumb Endpoint app.php checkBin os command injection
A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit...
CVE-2026-4585
A vulnerability has been found in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp of the component Configuration Handler. The manipulation of the argument File leads to os command...
CVE-2026-4585 Tiandy Easy7 Integrated Management Platform Configuration ImportSystemConfiguration.jsp os command injection
A vulnerability has been found in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp of the component Configuration Handler. The manipulation of the argument File leads to os command...
CVE-2026-4585
Tiandy Easy7 Integrated Management Platform up to 7.17.0 is affected by CVE-2026-4585. The vulnerability resides in the Configuration Handler, specifically the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp, where manipulation of the File argument leads to an OS command injection. The ...
PT-2026-27143
A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit...
PT-2026-27220
A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360 B20241207/9.4.0cu.1498 B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely...
PT-2026-27217
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP Model Context Protocol server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4...
VulnCheck KEV: CVE-2020-9374
On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vulnerability in the diagnostics area can be exploited when an attacker sends specific shell metacharacters to the panel's traceroute feature...
RHEL 9 : python3.9 (RHSA-2026:5218)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:5218 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...
EUVD-2026-14333
A flaw has been found in Linksys MR9600 2.0.6.206937. Affected is the function smartConnectConfigure of the file SmartConnect.lua. Executing a manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to os command injection. The attack may be launched remotely. T...
CVE-2026-4558
CVE-2026-4558 affects Linksys MR9600 (firmware 2.0.6.206937). The vulnerability lies in the SmartConnect.lua function smartConnectConfigure, where manipulation of the arguments configApSsid, configApPassphrase, srpLogin, or srpPassword can lead to an OS command injection. The attack can be launch...
CVE-2026-4558 Linksys MR9600 SmartConnect.lua smartConnectConfigure os command injection
A flaw has been found in Linksys MR9600 2.0.6.206937. Affected is the function smartConnectConfigure of the file SmartConnect.lua. Executing a manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to os command injection. The attack may be launched remotely. T...
CVE-2026-4558
A flaw has been found in Linksys MR9600 2.0.6.206937. Affected is the function smartConnectConfigure of the file SmartConnect.lua. Executing a manipulation of the argument configApSsid/configApPassphrase/srpLogin/srpPassword can lead to os command injection. The attack may be launched remotely. T...
CVE-2026-33319
WWBN AVideo is an open source video platform. Prior to version 26.0, the uploadVideoToLinkedIn method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg. If an attacke...
CVE-2026-4554 Tenda F453 WriteFacMac FormWriteFacMac privilege escalation
A security flaw has been discovered in Tenda F453 1.0.0.3. The affected element is the function FormWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac results in command injection. It is possible to launch the attack remotely. The exploit has been released to the...
CVE-2026-33319
WWBN AVideo is an open source video platform. Prior to version 26.0, the uploadVideoToLinkedIn method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg. If an attacke...