CVE-2025-50974

The Calamaris log exporter CGI /cgi-bin/logs.cgi/calamaris.dat in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS commands by embedding shell metacharacters in any of...

Spree Commerce is vulnerable to RCE through Search API

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the searchinstanceeval parameter, which is dynamically invoked using Ruby’s send method. Thi...

Linux Distros Unpatched Vulnerability : CVE-2017-14100

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5,...

CVE-2025-20265

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center FMC Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device. This vulnerability is due to a lack of proper handling of user input...

CVE-2012-10037

PhpTax version 0.8 contains a remote code execution vulnerability in drawimage.php. The pfilez GET parameter is unsafely passed to the exec function without sanitization. A remote attacker can inject arbitrary shell commands, leading to code execution under the web server's context. No...

CVE-2025-2611

The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are know...

CVE-2013-10049

An OS command injection vulnerability exists in multiple Raidsonic NAS devices—specifically tested on IB-NAS5220 and IB-NAS4220—via the unauthenticated timeHandler.cgi endpoint exposed through the web interface. The CGI script fails to properly sanitize user-supplied input in the timeZone paramet...

NewStart CGSL MAIN 7.02 : patch Multiple Vulnerabilities (NS-SA-2025-0205)

The remote NewStart CGSL host, running version MAIN 7.02, has patch packages installed that are affected by multiple vulnerabilities: - GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload...

VulnCheck KEV: CVE-2025-34068

An unauthenticated remote command execution vulnerability exists in Samsung WLAN AP WEA453e firmware prior to version 5.2.4.T1 via improper input validation in the “Tech Support” diagnostic functionality. The command1 and command2 POST or GET parameters accept arbitrary shell commands that are...

GHSA-GJV4-GHM7-Q58Q MCP Server Kubernetes vulnerable to command injection in several tools

Summary A command injection vulnerability exists in the mcp-server-kubernetes MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to childprocess.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to...

Exploit for Injection in Cisco Identity_Services_Engine

CVE-2025-20281-2-Cisco-ISE-RCE Unauthenticated Python PoC for...

CVE-2024-40089

A Command Injection vulnerability in Vilo 5 Mesh WiFi System = 5.16.1.33 allows remote, authenticated attackers to execute arbitrary code by injecting shell commands into the name of the Vilo device...

CVE-2024-47219

An issue was discovered in vesoft NebulaGraph through 3.8.0. It allows shell command injection...

CVE-2023-26490

mailcow is a dockerized email package, with multiple containers linked in one bridged network. The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse this vulnerability to...

CVE-2021-42372

A shell command injection in the HW Events SNMP community in XoruX LPAR2RRD and STOR2RRD before 7.30 allows authenticated remote attackers to execute arbitrary shell commands as the user running the service...

CVE-2019-10780

BibTeX-ruby before 5.1.0 allows shell command injection due to unsanitized user input being passed directly to the built-in Ruby Kernel.open method through BibTeX.open...

CVE-2019-13624

In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command...

CVE-2017-9828

'/cgi-bin/admin/testserver.cgi' of the web service in most of the VIVOTEK Network Cameras is vulnerable to shell command injection, which allows remote attackers to execute any shell command as root via a crafted HTTP request. This vulnerability is already verified on VIVOTEK Network Camera...

CVE-2025-32821

A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN admin privileges can with admin privileges can inject shell command arguments to upload a file on the appliance...

CVE-2025-32821

CVE-2025-32821 (SonicWall SMA100) is a post-authentication command-injection/file-write vulnerability in the SMA100 SSL-VPN. An admin user can inject shell arguments to write a file anywhere the nobody user can write to, potentially enabling root-level remote code execution when chained with CVE-...