1762 matches found

RedhatCVE
added 2026/01/09 10:58 a.m., 7 views

CVE-2025-23196

A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. The vulnerability arises when defining alert scripts, where the script filename field is executed using sh -c. An attacker with authenticated...

CVSS 8.8, AI score 8.1, EPSS 0.02023
Exploits: 0, References: 1

NVD
added 2026/01/08 1:15 a.m., 2 views

CVE-2026-22035

Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below are vulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format to insert user-controlled filenames directly into she...

CVSS 7.7, EPSS 0.00053
Exploits: 1, References: 3

CVE
added 2026/01/08 12:10 a.m., 24 views

CVE-2026-22035

CVE-2026-22035 affects Greenshot for Windows. Versions 1.3.310 and earlier are vulnerable to an OS Command Injection through unsanitized filename processing in the ExternalCommandDestination.FormatArguments() function (line 269), which uses string.Format() to insert user-controlled filenames dire...

CVSS 7.7, AI score 7.5, EPSS 0.00053
Exploits: 1, References: 3, Affected Software: 1

Veracode
added 2026/01/02 8:51 a.m., 4 views

Command Injection

Serverless Framework is vulnerable to Command Injection. The vulnerability is due to unsanitized user input being passed to child_process.exec in the experimental MCP server feature, which allows an attacker to inject shell metacharacters and execute arbitrary system commands with the privileges o...

CVSS 7.5, AI score 7.5, EPSS 0.00039
Exploits: 2, References: 5, Affected Software: 1

RedhatCVE
added 2026/01/01 9:26 p.m., 3 views

CVE-2015-10145

Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/runcommands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary she...

CVSS 8.8, AI score 7.8, EPSS 0.00111
Exploits: 1, References: 1

EUVD
added 2025/12/31 10:5 p.m., 2 views

EUVD-2025-205851

serverless MCP Server vulnerable to Command Injection in list-projects tool...

CVSS 7.5, AI score 6.7, EPSS 0.00039
Exploits: 2, References: 5

ATTACKERKB
added 2025/12/31 8:48 p.m., 4 views

CVE-2015-10145

Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/runcommands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary she...

CVSS 8.8, AI score 6.3, EPSS 0.00111
Exploits: 1, References: 4, Affected Software: 1

NVD
added 2025/12/30 7:15 p.m., 2 views

CVE-2025-69256

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package @serverless/mcp. This...

CVSS 7.5, EPSS 0.00039
Exploits: 2, References: 4

EUVD
added 2025/12/26 6:30 p.m., 4 views

EUVD-2005-4893

Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graphview.php script. An authenticated user can inject arbitrary shell commands via the graphstart GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute...

CVSS 8.8, AI score 6.7, EPSS 0.5798
Exploits: 1, References: 7

RedhatCVE
added 2025/12/19 3:16 p.m., 2 views

CVE-2025-65008

In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), a lack of validation of the langGet parameter in the adm.cgi endpoint allows a malicious attacker to execute system shell commands. The vendor was notified early about this vulnerability, but didn't respond with the details of...

CVSS 9.4, AI score 7.1, EPSS 0.00052
Exploits: 0, References: 1

NVD
added 2025/12/18 8:15 p.m., 2 views

CVE-2023-53940

Codigo Markdown Editor 1.0.1 contains a code execution vulnerability that allows attackers to run arbitrary system commands by crafting a malicious markdown file. Attackers can embed a video source with an onerror event that executes shell commands through Node.js child_process module when the fil...

CVSS 8.4, EPSS 0.00018
Exploits: 0, References: 3

Positive Technologies
added 2025/12/18 12:0 a.m., 2 views

PT-2025-52319

Name of the Vulnerable Software and Affected Versions: Codigo Markdown Editor version 1.0.1. Description: The software contains a code execution issue that permits attackers to execute arbitrary system commands by creating a malicious markdown file. An attacker can embed a video source with an onerr...

CVSS 8.4, AI score 7.7, EPSS 0.00018
Exploits: 0, References: 5

EUVD
added 2025/12/17 10:47 p.m., 1 view

EUVD-2025-204009

Zed, a code editor, has an arbitrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Model Context Protocol (MCP) configurations from the settings.json file located within a project’s .zed subdirectory. A malicious MCP configuration can contain arbitrary shell...

CVSS 7.7, AI score 7.3, EPSS 0.00031
Exploits: 1, References: 2

Veracode
added 2025/12/13 5:2 a.m., 2 views

Improper Restriction Of Command Execution

org.jenkins-ci.plugins, azure-cli is vulnerable to improper restriction of command execution. The vulnerability is due to insufficient validation of executed commands, which allows an attacker with Item/Configure permission to execute arbitrary shell commands on the Jenkins controller...

CVSS 8.8, AI score 6.1, EPSS 0.00041
Exploits: 0, References: 3, Affected Software: 1

EUVD
added 2025/12/12 12:30 a.m., 1 view

EUVD-2024-55324

dizqueTV 1.5.3 contains a remote code execution vulnerability that allows attackers to inject arbitrary commands through the FFMPEG Executable Path settings. Attackers can modify the executable path with shell commands to read system files like /etc/passwd by exploiting improper input validation...

CVSS 9.3, AI score 7.7, EPSS 0.00518
Exploits: 0, References: 4

CNNVD
added 2025/12/12 12:0 a.m., 1 view

Fireshare Command Injection Vulnerability

Fireshare is a media hosting software by the individual developer Shane Israel. A command injection vulnerability exists in Fireshare versions 1.2.30 and earlier, which stems from uploading a video file with the filename spliced directly into a shell command, which could lead to remote code...

CVSS 9.8, AI score 8.2, EPSS 0.00388
Exploits: 0, References: 2

CVE
added 2025/12/11 9:32 p.m., 5 views

CVE-2024-58286

CVE-2024-58286 affects dizqueTV 1.5.3. The flaw allows remote code execution by altering the FFMPEG Executable Path via improper input validation, enabling shell commands to read files (e.g., /etc/passwd). Public details across sources confirm the component and impact but do not provide a confirm...

CVSS 9.3, AI score 7.9, EPSS 0.00518
Exploits: 0, References: 3

RedhatCVE
added 2025/12/03 7:58 a.m., 1 view

CVE-2025-12744

A flaw was found in the ABRT daemon’s handling of user-supplied mount information. ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command docker inspect %s without proper validation. An unprivileged local user can craft a payload that injects shell...

CVSS 8.8, AI score 6.5, EPSS 0.0009
Exploits: 1, References: 3

ICS
added 2025/11/20 6:0 a.m., 1 view

Opto 22 GRV-EPIC and groov RIO

RISK EVALUATION: Successful exploitation of this vulnerability could result in the execution of arbitrary shell commands with root privileges. 2. RECOMMENDED PRACTICES: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: Minimize...

CVSS 7.5, AI score 8.2, EPSS 0.00169
Exploits: 0, References: 11

CNNVD
added 2025/11/20 12:0 a.m., 2 views

Lite XL Security Vulnerability

Lite XL is a lightweight text editor from lite-xl open source. A security vulnerability exists in Lite XL 2.1.8 and earlier versions, which stems from a failure to clean up shell command constructs in the system.exec function, which could lead to the execution of arbitrary commands...

CVSS 7.3, AI score 7, EPSS 0.00024
Exploits: 1, References: 2