Websvn <2.6.1 - Remote Code Execution

WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter. id: CVE-2021-32305 info: name: Websvn 2.6.1 - Remote Code Execution author: gy741 severity: critical description: WebSVN before 2.6.1 allows remote attackers to execute...

Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection

Visual Tools DVR VX16 4.2.28.0 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. id: CVE-2021-42071 info: name: Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection author: gy741 severity: critical description: Visual...

Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection

Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php. This in turn can lead to...

MovableType - Remote Command Injection

MovableType 5002 and earlier Movable Type Advanced 7 Series, Movable Type Advanced 6.8. 2 and earlier Movable Type Advanced 6 Series, Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified...

VoipMonitor <24.61 - Remote Code Execution

VoipMonitor prior to 24.61 is susceptible to remote code execution vulnerabilities because of its use of user supplied data via its web interface, allowing remote unauthenticated users to trigger a remote PHP code execution vulnerability. id: CVE-2021-30461 info: name: VoipMonitor 24.61 - Remote...

Eclipse BIRT Viewer - Remote Code Execution

Eclipse BIRT versions 4.8.0 and earlier contain a JSP injection caused by query parameters, letting remote attackers create and access malicious JSP files in the viewer directory, exploit requires sending crafted query parameters. id: CVE-2021-34427 info: name: Eclipse BIRT Viewer - Remote Code...

F5 BIG-IP Appliance Mode - Command Injection

When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. id: CVE-2022-41800 info: name: F5 BIG-IP Appliance Mode - Command Injection author: dwisiswant0 severity: high description...

Yachtcontrol Webapplication 1.0 - Remote Command Injection

Yachtcontrol Webapplication 1.0 makes it possible to perform direct operating system commands as an unauthenticated user via the "/pages/systemcall.php?command=COMMAND" page and parameter, where COMMAND will be executed and returning the results to the client. Affects Yachtcontrol webservers...

Webmin < 1.920 - Authenticated Remote Code Execution

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialisevariable makes an eval call. NOTE: the WebminServersIndex documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must...

D-Link DNS-320 - Remote Code Execution

The loginmgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection. id: CVE-2019-16057 info: name: D-Link DNS-320 - Remote Code Execution author: DhiyaneshDk severity: critical description: | The loginmgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerabl...

Apache Dubbo 2.5.x-2.7.4 - Insecure Deserialization

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4,...

mongo-express Remote Code Execution

mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the toBSON method and misuse the vm dependency to perform exec commands in a non-safe environment. id: CVE-2019-10758 info: name: mongo-express Remote Code Execution author: princechaddha severity: critical...

Atlassian Confluence Download Attachments - Remote Code Execution

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this pat...

Rosario Student Information System Unauthenticated SQL Injection

An unauthenticated SQL injection vulnerability in Rosario Student Information System aka rosariosis 8.1 and below allow remote attackers to execute PostgreSQL statements e.g., SELECT, INSERT, UPDATE, and DELETE through /Side.php via the syear parameter. id: CVE-2021-44427 info: name: Rosario...

Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection

Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. This in turn can lead ...

APsystems ECU-R Firmware - Command Injection

Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter. id: CVE-2022-45699 info: name: APsystems ECU-R Firmware - Command Injection author: pussycat0x severity:...

Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)

Microsoft Exchange Server contains a remote code execution caused by improper input validation in the server component, letting remote attackers execute arbitrary code, exploit requires network access to the server. id: CVE-2021-28480 info: name: Microsoft Exchange - Pre-Auth SSRF / ACL Bypass...

NUUO Camera <=20250203 - OS Command Injection

NUUO Camera up to 20250203 contains a command injection caused by manipulation of the 'log' argument in /handleconfig.php, letting remote attackers execute arbitrary commands, exploit requires remote access. id: CVE-2025-1338 info: name: NUUO Camera =20250203 - OS Command Injection author: Ark...

Laravel Livewire v3 - Remote Command Execution

Livewire v3 Laravel contains a vulnerability in its component hydration/update mechanism that can be exploited to reach remote command execution RCE without authentication under certain conditions. id: CVE-2025-54068 info: name: Laravel Livewire v3 - Remote Command Execution author: flame-11...

Evertz SDVN 3080ipx-10G - Unauthenticated Arbitrary Command Injection

The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and register license among...