2589 matches found
CVE-2026-48017 DbGate: Remote Code Execution via functionName injection in loadReader endpoint
DbGate is cross-platform database manager. In versions 7.1.8 and prior, the POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user with basic access, ...
CVE-2026-11845 IEI Integration Corp|iVEC-IEI Virtualization Edge Computer - OS Command Injection
The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a OS Command Injection vulnerability, allowing privileged remote attackers to inject arbitrary OS commands and execute them on the device...
CVE-2026-12059 Cellopoint|CelloOS - Improper Access Control
The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope...
CVE-2026-0419
CVE-2026-0419 describes insufficient input validation in NETGEAR JR6150 (AC750 WiFi Router, 802.11ac, dual-band; released 2014) that allows users on the local Wi‑Fi to execute operating system commands. The device is End-of-Support since 2018 with no planned security updates. The advisory notes t...
PT-2026-47823
Name of the Vulnerable Software and Affected Versions NETGEAR JR6150 affected versions not specified Description Insufficient input validation allows users connected to local WiFi networks to execute operating system commands. This issue was identified through firmware emulation in a controlled...
CVE-2023-54352 WordPress Seotheme Remote Code Execution Unauthenticated
WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands...
CVE-2026-43680
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5...
CVE-2026-31019
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code...
CVE-2025-41275
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating...
CVE-2026-40135
An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of...
CVE-2026-7461
Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a...
CVE-2026-23821
A vulnerability in the configuration processing logic of Access Points running AOS-10 could allow an authenticated remote attacker to execute system commands under certain pre-existing conditions. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying...
CVE-2026-32673
A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In appliance mode deployments, a successful exploit can allow the attacker to cross a...
CVE-2026-33277
An OS command Injection issue exists in LogonTracer prior to v2.0.0. An arbitrary OS command may be executed by a logged-in user...
CVE-2026-2586
An authenticated Remote Code Execution RCE vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user...
CVE-2026-35482
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrator to execute arbitrary operating system commands on the...
CVE-2026-21837
HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover...
EUVD-2019-20165
PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie parameter. Attackers can craft malicious cookie values containing template injection payloads like shellex...
T3 Technology CPE models 安全漏洞
T3 Technology CPE models are a series of 4G/5G customer premises equipment developed by the Thai company T3 Technology. There are security vulnerabilities in the T3 Technology CPE models version 1.0.07 and the T6825G version 1.0.03. These vulnerabilities stem from unrecorded debug CGI endpoints,...
CVE-2026-44477
A flaw was found in CloudNativePG's metrics exporter. The issue arises because the metrics exporter connected to PostgreSQL using a highly privileged account and did not properly restrict privileges during monitoring operations. A low-privileged database user could exploit this behavior through...