177 matches found
CVE-2025-53534 RatPanel can perform remote command execution without authorization
RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take over hosts managed b...
GPT-SoVITS-WebUI Command Injection Vulnerability
GPT-SoVITS-WebUI is a TTS training model. A command injection vulnerability exists in the GPT-SoVITS-WebUI openslice function, which can be exploited by an attacker to execute arbitrary commands on the system...
Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default)...
Remote Code Execution (RCE)
org.conductoross, conductor-core is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper access control over Java class execution, which allows attackers to invoke system-level commands...
CVE-2025-34039 Yonyou NC BeanShell Command Injection
A code injection vulnerability exists in Yonyou UFIDA NC v6.5 and prior due to the exposure of the BeanShell testing servlet bsh.servlet.BshServlet without proper access controls. The servlet allows unauthenticated remote attackers to execute arbitrary Java code via the bsh.script parameter. This...
CVE-2024-9166
The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the 'getcommand' query within the application, allowing the attacker to gain root access...
CVE-2024-48074
An authorized RCE vulnerability exists in the DrayTek Vigor2960 router version 1.4.4, where an attacker can place a malicious command into the table parameter of the doPPPoE function in the cgi-bin/mainfunction.cgi route, and finally the command is executed by the system function...
CVE-2021-41738
ZeroShell 3.9.5 has a command injection vulnerability in /cgi-bin/kerbynet IP parameter, which may allow an authenticated attacker to execute system commands...
CVE-2020-29390
Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character...
CVE-2019-14514
An issue was discovered in Microvirt MEmu all versions prior to 7.0.2. A guest Android operating system inside the MEmu emulator contains a /system/bin/systemd binary that is run with root privileges on startup; this is unrelated to Red Hat's systemd init program, and is a closed-source proprietar...
CVE-2019-16733
processCommandSetUid in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user...
CVE-2019-17270
Yachtcontrol through 2019-10-06: It's possible to perform direct Operating System commands as an unauthenticated user via the "/pages/systemcall.php?command=COMMAND" page and parameter, where COMMAND will be executed and the results returned to the client. Affects Yachtcontrol webservers disclos...
F5 iControl REST and F5 BIG-IP TMOS Shell Command Injection Vulnerability
F5 iControl REST and F5 BIG-IP TMOS Shell are both products of F5 Corporation, U.S.A. F5 iControl REST is a development framework, and F5 BIG-IP TMOS Shell is a command line. A command injection vulnerability exists in F5 iControl REST and F5 BIG-IP TMOS Shell that stems from command injection an...
CVE-2022-1367
Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) has a blind SQL injection vulnerability in HandlerTCV.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands...
CVE-2022-1372
Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) has a blind SQL injection vulnerability in dlSlog.aspx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands...
CVE-2024-28138
An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msgevents.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized...
CVE-2024-7694
ThreatSonar Anti-Ransomware (TeamT5) suffers an unrestricted file upload vulnerability: uploaded files are not properly validated, enabling remote attackers with administrator privileges to upload malicious files and execute arbitrary system commands on the server. Impact is high (arbitrary code ...
CVE-2024-29975
UNSUPPORTED WHEN ASSIGNED: The improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 firmware versions before V5.21AAZF.17C0 and NAS542 firmware versions before V5.21ABAG.14C0 could allow an authenticated local attacker with administrator privileges to execute...
CVE-2024-4267
The CVE-2024-4267 entry concerns parisneo/lollms-webui version 9.5, in the open_file (open file) function. The root cause is improper neutralization of elements in a user-controlled file path used by subprocess.Popen, allowing command injection. This enables remote code execution where an attacke...
CVE-2024-20360
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface does not adequately...