CVE-2025-54131
Cursor is a code editor built for programming with AI. In versions below 1.3, an attacker can bypass the allow list in auto-run mode with a backtick or $cmd. If a user has swapped Cursor from its default settings requiring approval for every terminal call to an allowlist, an attacker can execute...
OS Command Injection
james-heinrich/phpthumb is vulnerable to OS Command Injection. The vulnerability is due to improper sanitization of crafted parameter values in phpthumb.gif.php, which allows an attacker to execute arbitrary operating system commands...
GHSA-3Q26-F695-PP76 @cyanheads/git-mcp-server vulnerable to command injection in several tools
Summary: A command injection vulnerability exists in the git-mcp-server MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code...
CVE-2023-47295
A CSV injection vulnerability in NCR Terminal Handler v1.5.1 allows attackers to execute arbitrary commands by injecting a crafted payload into any text field that accepts strings...
Versa Director Security Vulnerability
Versa Director is a virtualization and service creation platform from Versa USA. It simplifies the creation, automation and delivery of services using Versa FlexVNF. A security vulnerability exists in Versa Director that stems from a command injection vulnerability in the shell-connect.py script...
SUSE CVE-2025-22237
An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git URL, which could cause an arbitrary command to be run on the master with the same privileges as the master process...
CVE-2025-22237
An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git URL, which could cause an arbitrary command to be run on the master with the same privileges as the master process. Mitigation: Mitigation for this issue is either not available or...
CVE-2025-22237
An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git URL, which could cause an arbitrary command to be run on the master with the same privileges as the master process...
CVE-2025-22237 CVE-2025-22237 salt advisory
An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git URL, which could cause an arbitrary command to be run on the master with the same privileges as the master process...
CVE-2025-22237
CVE-2025-22237 describes an escalation where an attacker with a minion key can abuse Salt’s on-demand pillar via a specially crafted git URL to execute arbitrary commands on the Salt Master with master privileges. The connected Nessus/SUSE advisories state that this issue was mitigated/fixed (as ...
CVE-2024-39182
An information disclosure vulnerability in ISPmanager v6.98.0 allows attackers to access sensitive details of the root user's session via an arbitrary command ISP6-1779...
CVE-2023-39548
CLUSTERPRO X Ver5.1 and earlier, EXPRESSCLUSTER X 5.1 and earlier, CLUSTERPRO X SingleServerSafe 5.1 and earlier, and EXPRESSCLUSTER X SingleServerSafe 5.1 and earlier allow an attacker who can log in to the product to execute an arbitrary command...
CVE-2020-5635
Aterm SA3500G firmware versions prior to Ver. 3.5.9 allows an attacker on the adjacent network to send a specially crafted request to a specific URL, which may result in an arbitrary command execution...
CVE-2002-1993
webbbspost.pl in WebBBS 4 and 5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the followup parameter...
CVE-2025-44865
Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the enable parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request...
CVE-2025-44867
Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetNetCheckTools function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request...
Edimax BR-6478AC formDiskCreateGroup function command execution vulnerability
Edimax BR-6478AC is a dual-band Gigabit router from China Xunzhou Edimax. The Edimax BR-6478AC suffers from a command execution vulnerability that originates from the groupname parameter in /boafrm/formDiskCreateGroup failing to correctly filter special characters and command sequences used to construct commands...
D-Link DIR 832x Security Vulnerability
The D-Link DIR-832x is a wireless router from China's AUO D-Link. A code injection vulnerability exists in the D-Link DIR-832x, which stems from the function 0x41dda8 failing to properly filter special characters and command sequences used to construct commands. An attacker can exploit this vulnerability to...
Exploit for CVE-2025-29278
CVE-2025-29278 Proof of Concept PoC: In the Diagnostics tab,...
Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOps
Summary: Multiple vulnerabilities were addressed in IBM Cloud Pak for Watson AIOps version 4.2.0. Vulnerability Details: CVEID: CVE-2023-24539 DESCRIPTION: Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into a template containing multiple actions separated by a...