CVE-2025-54595

Pearcleaner (macOS) ships a privileged helper PearcleanerHelper that registers an XPC service (com.alienator88.Pearcleaner.PearcleanerHelper) and accepts unauthenticated connections from any local process. Versions 4.4.0–4.5.1 allow a method to execute arbitrary shell commands, enabling local unp...

CVE-2025-54595 Pearcleaner's unauthenticated access to privileged XPC helper allows root command execution

Pearcleaner is a free, source-available and fair-code licensed mac app cleaner. The PearcleanerHelper is a privileged helper tool bundled with the Pearcleaner application. It is registered and activated only after the user approves a system prompt to allow privileged operations. Upon approval, th...

VulnCheck KEV: CVE-2020-2034

An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if...

CVE-2025-46811 SUSE Multi Linux Manager allows code execution via unprotected websocket endpoint

A Missing Authorization vulnerability in SUSE Linux Manager allows anyone with the ability to connect to port 443 of SUSE Manager is able to run any command as root on any client. This issue affects Container suse/manager/5.0/x8664/server:5.0.5.7.30.1: from ? before 5.0.27-150600.3.33.1; Image...

CVE-2025-41684 Weidmueller: Root Command Injection via Unsanitized Input in tls_iotgen_setting Endpoint

An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface endpoint tlsiotgensetting...

CVE-2025-41684

An authenticated remote attacker can execute arbitrary commands with root privileges via the tls_iotgen_setting endpoint in the Main Web Interface of affected Apache IoT devices. Root cause is improper sanitizing of user input, enabling command injection. Impact is full control of the device at r...

CVE-2025-41683 Weidmueller: Root Command Injection via Unsanitized Input in event_mail_test Endpoint

An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface endpoint eventmailtest...

CVE-2025-41683 Weidmueller: Root Command Injection via Unsanitized Input in event_mail_test Endpoint

An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface endpoint eventmailtest...

CVE-2025-46117

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where a hidden debug script .apdebug.sh invoked from the restricted CLI does not properly sanitize its input, allowing an authenticated attacker to...

CVE-2025-52690

Successful exploitation of the vulnerability could allow an attacker to execute arbitrary commands as root, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point...

Alcatel-Lucent Enterprise AP1361D Wi-Fi Access Point 安全漏洞

The Alcatel-Lucent Enterprise AP1361D Wi-Fi Access Point is a WiFi access point from Alcatel-Lucent Enterprise, France. A security vulnerability exists in the Alcatel-Lucent Enterprise AP1361D Wi-Fi Access Point that originates from the possibility of executing arbitrary commands with root...

Vulnerabilities fixed in Palo Alto PAN OS

Palo Alto Networks has fixed vulnerabilities in PAN-OS. The vulnerabilities include an information leak in the SD-WAN feature, which allows unauthorized users to intercept packets and access unsecured data from the firewall. This poses a risk to sensitive information being transmitted. In additio...

CVE-2025-34055

An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed...

CVE-2025-34056 AVTECH IP camera, DVR, and NVR Devices Authenticated Root Command Execution

An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without...

CVE-2025-34055

The CVE-2025-34055 issue affects AVTECH AVTECH IP cameras, DVRs, and NVRs exposing the adcommand.cgi endpoint that talks to the ActionD daemon. Authenticated users can call DoShellCmd and pass arbitrary input via strCmd; this input is executed by the system shell without sanitation, allowing comm...

CVE-2025-34054

AVTECH DVR devices are affected by CVE-2025-34054, an unauthenticated command injection via Search.cgi?action=cgi_query. The vulnerability stems from using wget without input sanitization, allowing an attacker to inject shell commands through the username or queryb64str parameters and execute the...

CVE-2025-5459

A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0...

CVE-2025-5459 OS Command Injection

A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0...

PT-2025-26943 · Puppet · Puppet Enterprise

Name of the Vulnerable Software and Affected Versions: Puppet Enterprise versions 2018.1.8 through 2023.8.3 Puppet Enterprise version 2025.3 Description: A user with specific node group editing permissions and a specially crafted class parameter could execute commands as root on the primary host...

CVE-2025-26412

The SIMCom SIM7600G modem supports an undocumented AT command, which allows an attacker to execute system commands with root permission on the modem. An attacker needs either physical access or remote shell access to a device that interacts directly with the modem via AT commands...