
935 matches found

Tenable Nessus
added 2026/01/20 12:00 a.m., 4 views

MiracleLinux 8 : ruby:2.5 (AXSA:2021-2345:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2345:01 advisory. ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? CVE-2019-15845 ruby: Regular expression denial of service vulnerability of...

CVSS 8.1, AI score 8.2, EPSS 0.06811
Exploits: 2, References: 9

NVD
added 2026/01/16 12:16 a.m., 5 views

CVE-2021-47794

ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a...

CVSS 8.8, EPSS 0.00906
Exploits: 1, References: 4

Tenable Nessus
added 2026/01/16 12:00 a.m., 4 views

MiracleLinux 7 : patch-2.7.1-12.el7 (AXSA:2019-4344:02)

The remote MiracleLinux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2019-4344:02 advisory. patch: do_ed_script in pch.c does not block strings beginning with a ! character CVE-2018-20969 patch: OS shell command injection when processing...

CVSS 9.3, AI score 7.7, EPSS 0.0453
Exploits: 1, References: 3

ATTACKERKB
added 2026/01/15 11:25 p.m., 4 views

CVE-2021-47794

ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a...

CVSS 8.8, AI score 6.5, EPSS 0.00906
Exploits: 1, References: 3, Affected Software: 1

Vulnrichment
added 2026/01/15 11:25 p.m., 4 views

CVE-2021-47794 ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)

ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a...

CVSS 8.8, AI score 8, EPSS 0.00906
Exploits: 1, References: 4

Cvelist
added 2026/01/15 11:25 p.m., 26 views

CVE-2021-47794 ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)

ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a...

CVSS 8.8, EPSS 0.00906
Exploits: 1, References: 4

CVE
added 2026/01/15 11:25 p.m., 10 views

CVE-2021-47794

CVE-2021-47794 affects ZesleCP 3.1.9. An authenticated attacker can exploit the FTP account creation endpoint to inject a reverse shell command, enabling remote code execution via shell injection in the created FTP accounts. The vulnerability is network-based with low attack complexity and requir...

CVSS 8.8, AI score 8, EPSS 0.00906
Exploits: 1, References: 4, Affected Software: 1

Positive Technologies
added 2026/01/15 12:00 a.m., 6 views

PT-2026-3166

ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a...

CVSS 8.8, AI score 8.4, EPSS 0.00906
Exploits: 1, References: 5

Tenable Nessus
added 2026/01/13 12:00 a.m., 4 views

MiracleLinux 8 : emacs-26.1-13.el8_10 (AXSA:2025-9716:02)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-9716:02 advisory. emacs: Shell Injection Vulnerability in GNU Emacs via Custom man URI Scheme CVE-2025-1244 Tenable has extracted the preceding description block directly from...

CVSS 8.8, AI score 7.9, EPSS 0.02679
Exploits: 0, References: 2

Tenable Nessus
added 2026/01/13 12:00 a.m., 3 views

MiracleLinux 9 : emacs-27.2-11.el9_5.1 (AXSA:2025-9715:01)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-9715:01 advisory. emacs: Shell Injection Vulnerability in GNU Emacs via Custom man URI Scheme CVE-2025-1244 Tenable has extracted the preceding description block directly from...

CVSS 8.8, AI score 7.9, EPSS 0.02679
Exploits: 0, References: 2

RedhatCVE
added 2026/01/09 12:37 p.m., 10 views

CVE-2023-50445

Shell Injection vulnerability in GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7 allows local attackers to execute arbitrary code via the get_system_log and...

CVSS 7.8, AI score 7.9, EPSS 0.09123
Exploits: 4, References: 1

RedhatCVE
added 2026/01/09 11:58 a.m., 7 views

CVE-2018-19168

Shell Metacharacter Injection in www/modules/save.php in FruityWifi aka PatatasFritas/PatataWifi through 2.4 allows remote attackers to execute arbitrary code with root privileges via a crafted modname parameter in a POST request. NOTE: unlike in CVE-2018-17317, the attacker does not need a valid...

CVSS 10, AI score 8, EPSS 0.06512
Exploits: 1, References: 1

RedhatCVE
added 2026/01/09 10:12 a.m., 4 views

CVE-2019-11627

gpg-key2ps in signing-party 1.1.x and 2.x before 2.10-1 contains an unsafe shell call enabling shell injection via a User ID...

CVSS 10, AI score 7.1, EPSS 0.02755
Exploits: 1, References: 1

RedhatCVE
added 2026/01/09 9:49 a.m., 9 views

CVE-2020-24354

Zyxel VMG5313-B30B router on firmware 5.13ABCJ.6b31127, and possibly older versions of firmware are affected by shell injection...

CVSS 8.8, AI score 7.2, EPSS 0.01304
Exploits: 1, References: 1

NVD
added 2026/01/07 2:15 p.m., 4 views

CVE-2025-6225

Kieback&Peter Neutrino-GLT product is used for building management. Its web component "SM70 PHWEB" is vulnerable to shell command injection via the login form. The injected commands would execute with low privileges. The vulnerability has been fixed in version 9.40.02...

CVSS 6.9, EPSS 0.00946
Exploits: 0, References: 1

CVE
added 2026/01/07 1:00 p.m., 9 views

CVE-2025-6225

CVE-2025-6225 affects Kieback&Peter Neutrino-GLT. The web component SM70 PHWEB has a shell command injection flaw through the login form, allowing injected commands to execute with low privileges. The vulnerability is mitigated in version 9.40.02. Public exploitation details are not provided in...

CVSS 6.9, AI score 7.6, EPSS 0.00946
Exploits: 0, References: 1

Huntr
added 2025/12/23 7:16 a.m., 13 views

Command Injection via Malicious Model Artifacts

A command injection vulnerability exists in MLflow's model serving container initialization code. When deploying a model with env_manager=LOCAL, MLflow reads dependency specifications from the model artifact's python_env.yaml file and directly interpolates them into a shell command without...

CVSS 10, AI score 6.3, EPSS 0.02356
Exploits: 1

RedHat Linux
added 2025/12/10 12:18 p.m., 11 views

abrt: Command-injection in ABRT leading to local privilege escalation

A flaw was found in the ABRT daemon’s handling of user-supplied mount information. ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command docker inspect %s without proper validation. An unprivileged local user can craft a payload that injects shell...

CVSS 8.8, AI score 5.9, EPSS 0.00563
Exploits: 1, References: 5

SUSE CVE
added 2025/12/06 12:24 a.m., 3 views

SUSE CVE-2025-12744

A flaw was found in the ABRT daemon's handling of user-supplied mount information. ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command docker inspect %s without proper validation. An unprivileged local user can craft a payload that injects shell...

CVSS 8.8, AI score 6.7, EPSS 0.00563
Exploits: 1, References: 3

OSV
added 2025/12/03 8:44 p.m., 3 views

GHSA-WVXP-JP4W-W8WG mcp-server-kubernetes has potential security issue in exec_in_pod tool

Summary: A security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation sh -c without input validation, allowing shell...

CVSS 6.4, AI score 8, EPSS 0.01286
Exploits: 1, References: 5