Lucene search

1440 matches found

OSV
added 2025/12/03 5:2 p.m. | 4 views

CVE-2025-54065 GZDoom engine allows arbitrary code execution via ZScript actor states

GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted...

7.9 CVSS | 7.7 AI score | 0.00113 EPSS
Exploits 0 | References 3
EUVD
added 2025/11/20 3:30 p.m. | 4 views

EUVD-2025-198265

phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute...

6.5 CVSS | 7.9 AI score | 0.0025 EPSS
Exploits 0 | References 4
Cvelist
added 2025/11/18 10:18 a.m. | 8 views

CVE-2025-41734 Unauthenticated Local File Inclusion in php module

An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices...

9.8 CVSS | 0.00458 EPSS
Exploits 0 | References 1
Github Security Blog
added 2025/11/17 5:38 p.m. | 9 views

glob CLI: Command injection via -c/--cmd executes matches with shell:true

Summary The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to...

7.5 CVSS | 8.6 AI score | 0.03026 EPSS
Exploits 1 | References 5 | Affected Software 1
CNNVD
added 2025/11/13 12:0 a.m. | 2 views

D-Link DIR-882 Security Vulnerability

The D-Link DIR-882 is a dual-band wireless router from China-based AUO D-Link. A security vulnerability exists in the D-Link DIR-882 DIR882A1FW102B02 version, which originates from a command injection in the prog.cgi and rc binaries, which could lead to the execution of arbitrary commands...

6.5 CVSS | 7.5 AI score | 0.0273 EPSS
Exploits 1 | References 5
CNNVD
added 2025/11/11 12:0 a.m. | 4 views

SAP Business Connector OS Command Injection Vulnerability

SAP Business Connector is a middleware from SAP, Germany. SAP Business Connector suffers from an operating system command injection vulnerability that stems from OS command injection and could lead to the execution of arbitrary operating system commands...

6.8 CVSS | 7.4 AI score | 0.00878 EPSS
Exploits 0 | References 3
Positive Technologies
added 2025/11/11 12:0 a.m. | 2 views

PT-2025-46548

Name of the Vulnerable Software and Affected Versions Substance3D - Stager versions 3.1.5 and earlier Description A Use After Free issue exists in Substance3D - Stager. Successful exploitation could lead to arbitrary code execution with the privileges of the current user. User interaction is...

7.8 CVSS | 7.3 AI score | 0.00171 EPSS
Exploits 0 | References 3
CVE
added 2025/11/06 3:53 p.m. | 16 views

CVE-2025-47588

CVE-2025-47588 affects the WordPress plugin Dynamic Pricing With Discount Rules for WooCommerce (aco-woo-dynamic-pricing) up to version 4.5.9. Description and connected sources indicate an Improper Control of Generation of Code leading to Code Injection and Arbitrary Code Execution. CVSSv3.1 base...

9.1 CVSS | 6.6 AI score | 0.00384 EPSS
Exploits 0 | References 1
OSV
added 2025/10/30 10:15 p.m. | 7 views

CVE-2024-14005

Nagios XI versions prior to 2024R1.2 contain a command injection vulnerability in the Docker Wizard. Insufficient validation of user-supplied input in the wizard allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful...

8.8 CVSS | 6 AI score | 0.03833 EPSS
Exploits 0 | References 3
Cvelist
added 2025/10/30 9:37 p.m. | 9 views

CVE-2024-14005 Nagios XI < 2024R1.2 Command Injection via Docker Wizard

Nagios XI versions prior to 2024R1.2 contain a command injection vulnerability in the Docker Wizard. Insufficient validation of user-supplied input in the wizard allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful...

9.4 CVSS | 0.03833 EPSS
Exploits 0 | References 3
CNNVD
added 2025/10/13 12:0 a.m. | 3 views

WeGIA SQL Injection Vulnerability

WeGIA is a web manager for welfare organizations by the individual developer Nilson Lazarin. A SQL injection vulnerability exists in WeGIA versions prior to 3.5.1, which stems from a SQL injection vulnerability in the iddependente parameter in the /html/funcionario/dependentedocumento.php endpoin...

9.4 CVSS | 7.8 AI score | 0.00821 EPSS
Exploits 3 | References 5
CNNVD
added 2025/10/10 12:0 a.m. | 1 views

Cherry Studio Code Injection Vulnerability

Cherry Studio is a multi-model AI assistant from China's Thousand Comets Cherry Studio. A code injection vulnerability exists in Cherry Studio, which stems from the direct execution of commands in base64-encoded configuration data when processing URLs of type cherrystudio://mcp, which could lead ...

9.6 CVSS | 7.7 AI score | 0.0043 EPSS
Exploits 1 | References 1
CNNVD
added 2025/10/09 12:0 a.m. | 3 views

D-Link DIR-816A2 Security Vulnerability

The D-Link DIR-816A2 is a router from China's AUO D-Link. A buffer overflow vulnerability exists in the D-Link DIR-816A2 FWv1.10CNB05 version, which originates from the statuscheckpppoeuser parameter in the dirsetWanWifi function that fails to correctly validate the length and size of the input...

7.5 CVSS | 8 AI score | 0.05336 EPSS
Exploits 1 | References 3
RedhatCVE
added 2025/10/08 2:13 p.m. | 3 views

CVE-2025-54404

Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities. This command injection is related ...

8.8 CVSS | 7.9 AI score | 0.03686 EPSS
Exploits 1 | References 1
OSV
added 2025/10/07 8:15 p.m. | 2 views

CVE-2025-36565

Dell PowerProtect Data Domain with Data Domain Operating System DD OS of Feature Release versions 7.7.1.0 through 8.1.0.10, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release versions 7.10.1.0 through 7.10.1.50, contain an Improper Neutralization of Argument Delimiters in a...

6.7 CVSS | 5.9 AI score | 0.00187 EPSS
Exploits 0 | References 1
Cvelist
added 2025/10/07 1:55 p.m. | 7 views

CVE-2025-54403

Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities. This command injection is related ...

8.8 CVSS | 0.03686 EPSS
Exploits 1 | References 1
Vulnrichment
added 2025/10/07 1:55 p.m. | 0 views

CVE-2025-54403

Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities. This command injection is related ...

8.8 CVSS | 7.5 AI score | 0.03686 EPSS
Exploits 1 | References 1
CVE
added 2025/10/07 1:55 p.m. | 11 views

CVE-2025-54405

Planet WGR-500 v1.3411b190912 has OS command injection in the formPingCmd functionality. Two parameters, ipaddr and counts, are used to build a shell command via system("ping -c 2>&1 > /tmp/pingResult &"), allowing arbitrary command execution when specially crafted HTTP requests are sent....

8.8 CVSS | 7.5 AI score | 0.04229 EPSS
Exploits 1 | References 2 | Affected Software 1
EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2020-19651

Malware in sbrugna...

9.9 CVSS | 8.9 AI score | 0.01335 EPSS
Exploits 0 | References 2
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2017-5983

Malware in sbrugna...

10 CVSS | 9.5 AI score | 0.06084 EPSS
Exploits 2 | References 2