CVE-2025-53107 @cyanheads/git-mcp-server vulnerable to command injection in several tools

@cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to childprocess.exec, enabling an attacker to inject arbitrary system commands...

CVE-2025-34054

An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgiquery. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence wa...

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the erroneous implementation of the allowlist process. An attacker can gain unauthorized access to execute arbitrary shell commands by bypassing configured restrictions. This may result in exposure or...

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the erroneous implementation of the allowlist process. An attacker can gain unauthorized access to execute arbitrary shell commands by bypassing configured restrictions. This may result in exposure or...

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the erroneous implementation of the allowlist process. An attacker can gain unauthorized access to execute arbitrary shell commands by bypassing configured restrictions. This may result in exposure or...

PT-2025-27498 · Unknown · Git-Mcp-Server

Name of the Vulnerable Software and Affected Versions: git-mcp-server versions prior to 2.1.5 Description: A command injection vulnerability exists in the git-mcp-server MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child process.exec, enablin...

PT-2025-27006 · Unknown · Filebrowser

Name of the Vulnerable Software and Affected Versions: File Browser version 2.32.0 Description: The issue concerns the Command Execution feature in File Browser, which allows the execution of shell commands predefined on a user-specific allowlist. However, many tools can execute arbitrary command...

CVE-2025-34035

Summary: CVE-2025-34035 affects EnGenius EnShare Cloud Service

CVE-2025-52969

...

CVE-2025-52969

...

VulnCheck KEV: CVE-2025-34035

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected...

PT-2025-26622 · Unknown +1 · Clickhouse +1

Name of the Vulnerable Software and Affected Versions: ClickHouse version 25.7.1.557 Description: The issue allows low-privileged users to execute shell commands by querying existing Executable tables created by higher-privileged users. There is no access control preventing low-privileged users...

CVE-2025-34029 Edimax EW-7438RPn Mini OS Command Injection via syscmd.asp

An OS command injection vulnerability exists in the Edimax EW-7438RPn Mini firmware version 1.13 and prior via the syscmd.asp form handler. The /goform/formSysCmd endpoint exposes a system command interface through the sysCmd parameter. A remote authenticated attacker can submit arbitrary shell...

EulerOS 2.0 SP13 : emacs (EulerOS-SA-2025-1629)

According to the versions of the emacs package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands o...

[SECURITY] [DLA 4206-1] asterisk security update

Debian LTS Advisory DLA-4206-1 [email protected] https://www.debian.org/lts/security/ Markus Koschany June 02, 2025 https://wiki.debian.org/LTS Package : asterisk Version : 1:16.28.0dfsg-0+deb11u7 CVE ID : CVE-2025-47779 CVE-2025-47780 Debian Bug : 1106528 1106530 Two security...

CVE-2024-33503

A improper privilege management in Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows attacker to escalation of...

CVE-2024-28335

Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is...

CVE-2023-39517

Joplin is a free, open source note taking and to-do application. A Cross site scripting XSS vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer packages/renderer/htmlUtils.ts::sanitizeHtml preserves links. However,...

CVE-2023-38294

Certain software builds for the Itel Vision 3 Turbo Android device contain a vulnerable pre-installed app with a package name of com.transsion.autotest.factory versionCode='7', versionName='1.8.02203101027' that allows local third-party apps to execute arbitrary shell commands in its context syst...

CVE-2023-26203

A use of hard-coded credentials vulnerability CWE-798 in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions may allow an authenticated attacker to access to the database via shell commands...