7632 matches found
CVE-2025-44841
Summary of CVE-2025-44841: TOTOLINK CA600-PoE (V5.3c.6665_B20180820) contains a command injection vulnerability in the CloudSrvUserdataVersionCheck function, exploitable via the version parameter. The vulnerability allows an attacker to execute arbitrary commands through a crafted request (attac...
CVE-2025-44837
TOTOLINK CPE CP900 v6.3c.1144_B20190715 contains a command injection in CloudSrvUserdataVersionCheck. The vulnerability allows executing arbitrary commands via crafted requests using the url or magicid parameters. Affected component: CloudSrvUserdataVersionCheck function (Totolink CP900). Exploit...
CVE-2025-44844
TOTOLINK CA600-PoE (V5.3c.6665_B20180820) has a command injection vulnerability in the setUpgradeFW function via the FileName parameter. This could allow an attacker to execute arbitrary commands on the device. PT-2025-18665 provides a mitigation suggesting disabling the setUpgradeFW function and...
TOTOLINK CA300-PoE Security Vulnerability
TOTOLINK CA300-PoE is a wireless access point from China's Gion Electronics TOTOLINK. TOTOLINK CA300-PoE suffers from a command injection vulnerability that stems from the msgprocess function's Url parameter failing to correctly filter command-constructing special characters, commands, etc., which...
TOTOLINK CA300-PoE Security Vulnerability
TOTOLINK CA300-PoE is a wireless access point from China's Gion Electronics TOTOLINK. The TOTOLINK CA300-PoE suffers from a command injection vulnerability that stems from the msgprocess function's Port parameter failing to correctly filter command-constructing special characters, commands,...
CVE-2025-44862
TOTOLINK CA300-POE V6.2c.884B20180522 was found to contain a command injection vulnerability in the recvUpgradeNewFw function via the fwUrl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request...
CVE-2025-44848
TOTOLINK CA600-PoE V5.3c.6665B20180820 was found to contain a command injection vulnerability in the msgprocess function via the Url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request...
CVE-2025-44840
TOTOLINK CA600-PoE version 5.3c.6665_B20180820 is vulnerable to command injection in the CloudSrvUserdataVersionCheck function via the svn parameter. This allows an attacker to execute arbitrary commands through a crafted request. A practical remediation from PT-2025-18661 suggests disablin...
CVE-2025-44854
TOTOLINK CP900 V6.3c.1144B20190715 was found to contain a command injection vulnerability in the setUpgradeUboot function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request...
CVE-2025-44845
TOTOLINK CA600-PoE V5.3c.6665B20180820 was found to contain a command injection vulnerability in the NTPSyncWithHost function via the hostTime parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request...
CVE-2025-24351
The CVE-2025-24351 entry affects the ctrlX OS web application’s “Remote Logging” functionality. A remote authenticated (low-privileged) attacker can execute arbitrary OS commands in the context of user “root” via a crafted HTTP request. Reports consistently describe this as a root-level command e...
CVE-2025-24351
A vulnerability in the “Remote Logging” functionality of the web application of ctrlX OS allows a remote authenticated low-privileged attacker to execute arbitrary OS commands in the context of user “root” via a crafted HTTP request...
Amazon Linux AMI : ctags (ALAS-2025-1974)
The version of ctags installed on the remote host is prior to 5.8-2.7. It is, therefore, affected by a vulnerability as referenced in the ALAS-2025-1974 advisory. A flaw was found in Exuberant Ctags in the way it handles the -o option. This option specifies the tag filename. A crafted tag filenam...
Insecure Deserialization
LLaMA-Factory is vulnerable to Insecure Deserialization. The vulnerability is caused by the use of torch.load on untrusted .bin files, allowing arbitrary command execution during deserialization...
Important: ctags
Issue Overview: A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags in sort.c calls...
Arbitrary Command Injection
Overview: aworld is an Ant Agent Package. Affected versions of this package are vulnerable to Arbitrary Command Injection through the subprocess.run and subprocess.Popen functions in shelltool.py. This allows an attacker to inject malicious commands due to insufficient sanitization of user-supplied...
Planet UNI-NMS-Lite Trust Management Issues Vulnerability
Planet UNI-NMS-Lite is a universal network management system from PLANET China that monitors all deployed wired or wireless PoE industrial grade network devices. Planet UNI-NMS-Lite suffers from a trust management issue vulnerability that can be exploited by an attacker to submit a special reques...
Exploit for CVE-2025-50505
CVE-2025-50505 Unauthorized API Leads to Arbitrary Command Ex...
CVE-2025-29209
TOTOLINK X18 v9.1.0cu.2024B20220329 has an unauthorized arbitrary command execution in the enable parameter of the sub41105C function of cstecgi.cgi...
CVE-2025-31340
An improper control of filename for include/require statement in PHP program vulnerability in the retrieve course Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to perform arbitrary system commands by running a malicious file...