7629 matches found

Github Security Blog
added 2025/08/01 6:10 p.m. · 18 views

1Panel agent certificate verification bypass leading to arbitrary command execution

Project Address: 1Panel Official website: https://www.1panel.cn/ Time: 2025 07 26 Version: 1panel V2.0.5 Vulnerability Summary - First, we introduce the concepts of 1panel v2 Core and Agent. After the new version is released, 1panel adds the node management function, which allows...

CVSS 9.8 · AI score 7.2 · EPSS 0.00864
Exploits 5 · References 6 · Affected software 1
CNNVD
added 2025/08/01 12:00 a.m. · 5 views

Cursor command injection vulnerability

Cursor is an AI code editor from Cursor open source. A command injection vulnerability exists in Cursor versions prior to 1.3 that stems from an autorun mode that allows bypassing whitelisting, potentially leading to arbitrary command execution...

CVSS 8.8 · AI score 7.9 · EPSS 0.00453
Exploits 0 · References 3
Cvelist
added 2025/08/01 12:00 a.m. · 7 views

CVE-2025-52361

Insecure permissions in the script /etc/init.d/lighttpd in AK-Nord USB-Server-LXL Firmware v0.0.16 Build 2023-03-13 allows a locally authenticated low-privilege user to execute arbitrary commands with root privilege via editing this script which is executed with root-privileges on any interaction...

EPSS 0.00199
Exploits 1 · References 2
Vulnrichment
added 2025/08/01 12:00 a.m. · 2 views

CVE-2025-52361

Insecure permissions in the script /etc/init.d/lighttpd in AK-Nord USB-Server-LXL Firmware v0.0.16 Build 2023-03-13 allows a locally authenticated low-privilege user to execute arbitrary commands with root privilege via editing this script which is executed with root-privileges on any interaction...

AI score 7.1 · EPSS 0.00199
Exploits 1 · References 2
CNNVD
added 2025/08/01 12:00 a.m. · 4 views

AK-Nord USB-Server-LXL Firmware security vulnerability

AK-Nord USB-Server-LXL Firmware is a specialized firmware software from the German company AK-Nord. A security vulnerability exists in AK-Nord USB-Server-LXL Firmware version v0.0.16 Build 2023-03-13, which originates from improperly set permissions on the /etc/init.d/lighttpd script, which could...

CVSS 7.8 · AI score 6.6 · EPSS 0.00199
Exploits 1 · References 3
NVD
added 2025/07/31 3:15 p.m. · 4 views

CVE-2014-125123

An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel developed by LXCenter prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which fails to properly sanitize input, allowing an attacker to extract the...

CVSS 10 · EPSS 0.00667
Exploits 0 · References 6
NVD
added 2025/07/31 3:15 p.m. · 5 views

CVE-2013-10039

A command injection vulnerability exists in GestioIP 3.0 commit ac67be and earlier in ipcheckhost.cgi. Crafted input to the 'ip' parameter allows attackers to execute arbitrary shell commands on the server via embedded base64-encoded payloads. Authentication may be required depending on deploymen...

CVSS 8.7 · EPSS 0.03352
Exploits 0 · References 4
Vulnrichment
added 2025/07/31 3:01 p.m. · 4 views

CVE-2013-10037 WebTester 5.x install2.php Unauthenticated Command Execution

An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a...

CVSS 9.3 · AI score 8.2 · EPSS 0.09857
Exploits 0 · References 5
CNNVD
added 2025/07/31 12:00 a.m. · 1 view

Russound MBX-PRE-D67F security vulnerability

Russound MBX-PRE-D67F is an audio streaming pre-amplifier from Russound USA. A security vulnerability exists in the Russound MBX-PRE-D67F version 3.1.6, which originates from OS command injection and could lead to the execution of arbitrary commands with root privileges...

CVSS 9.8 · AI score 7.8 · EPSS 0.07926
Exploits 0 · References 4
Positive Technologies
added 2025/07/31 12:00 a.m. · 4 views

PT-2025-31535 · Undefined · Undefined

An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a...

CVSS 9.3 · AI score 7.6 · EPSS 0.09857
Exploits 0 · References 6
Positive Technologies
added 2025/07/30 12:00 a.m. · 3 views

PT-2025-37705

Name of the Vulnerable Software and Affected Versions: TOTOLINK X6000R version 9.4.0cu.1360 B20241207 Description: The vulnerability resides in the sub 417D74 function of the TOTOLINK X6000R router's firmware. The issue is due to a lack of data sanitization on the management level when processing...

CVSS 10 · AI score 7.2 · EPSS 0.04374
Exploits 1 · References 6
Cvelist
added 2025/07/29 12:00 a.m. · 7 views

CVE-2025-52284

Totolink X6000R V9.4.0cu.1360B20241207 was found to contain a command injection vulnerability in the sub4184C0 function via the tz parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request...

EPSS 0.0216
Exploits 1 · References 2
EUVD
added 2025/07/29 12:00 a.m. · 3 views

EUVD-2025-23014

Totolink X6000R V9.4.0cu.1360B20241207 was found to contain a command injection vulnerability in the sub4184C0 function via the tz parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request...

CVSS 6.5 · AI score 8.6 · EPSS 0.0216
Exploits 1 · References 1
RedhatCVE
added 2025/07/27 2:32 a.m. · 4 views

CVE-2019-25224

The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system...

CVSS 9.8 · AI score 8.6 · EPSS 0.16682
Exploits 1 · References 1
CVE
added 2025/07/26 3:34 a.m. · 28 views

CVE-2025-54416

CVE-2025-54416 – tj-actions/branch-names has a concrete command-injection flaw in the GitHub Action outputs. The vulnerability stems from unsafe use of the pattern echo "... $(eval printf "%s" …)" to populate GITHUB_OUTPUT, allowing an attacker-controlled branch or tag name to inject commands dow...

CVSS 9.1 · AI score 6.9 · EPSS 0.00525
Exploits 1 · References 3
OSV
added 2025/07/25 7:28 p.m. · 2 views

GHSA-GQ52-6PHF-X2R6 tj-actions/branch-names has a Command Injection Vulnerability

Overview A critical vulnerability has been identified in the tj-actions/branch-names GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit special...

CVSS 9.1 · AI score 8.4 · EPSS 0.00525
Exploits 1 · References 9
EUVD
added 2025/07/25 2:23 a.m. · 21 views

EUVD-2019-19374

The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system...

CVSS 9.8 · AI score 7.8 · EPSS 0.16682
Exploits 1 · References 6
Positive Technologies
added 2025/07/25 12:00 a.m. · 14 views

PT-2025-30720 · Databasebackup +1 · Wp Database Backup – Unlimited Database & Files Backup By Backup For Wp +1

The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system...

CVSS 9.8 · AI score 8.6 · EPSS 0.16682
Exploits 1 · References 7
Veracode
added 2025/07/24 10:35 a.m. · 2 views

Remote Code Execution (RCE)

dolibarr/dolibarr is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper input handling caused by insecure mechanisms that allow arbitrary command execution and access to sensitive files on the file system...

AI score 8.1
Exploits 0
RedhatCVE
added 2025/07/24 10:22 a.m. · 7 views

CVE-2025-53472

WRC-BE36QS-B and WRC-W701-B contain an improper neutralization of special elements used in an OS command 'OS Command Injection' vulnerability in WebGUI. If exploited, an arbitrary OS command may be executed by a remote attacker who can log in to WebGUI...

CVSS 8.6 · AI score 6.8 · EPSS 0.01079
Exploits 0 · References 1