44948 matches found
VulnCheck KEV: CVE-2022-20775
A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. This vulnerability is due to improper access controls on commands within the application CLI. An attacker could exploit this vulnerability by running a maliciously crafted...
📄 FUXA 1.2.8 Authentication Bypass / Remote Command Execution
This Python exploit targets CVE-2025-69985, an authentication bypass in FUXA web-based SCADA/HMI software that allows access to the protected /api/runscript endpoint even when authentication is enabled. By sending a crafted JavaScript payload using child_process.execSync, it achieves full remote...
📄 Frigate NVR 0.16.3 Remote Command Execution
This Python exploit targets a critical configuration manipulation vulnerability in Frigate NVR versions up to 0.16.3 via both authenticated and unauthenticated paths. By injecting a malicious go2rtc stream and a fake camera entry, it triggers arbitrary command execution as the Frigate process during...
Cisco Secure Email and Web Manager RCE (cisco-sa-sma-attack-N9bf4)
According to its self-reported version, Cisco Secure Email and Web Manager is affected by a vulnerability. - A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attack...
MAL-2026-1028 Malicious code in examplereactnative76 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a118efca65c484515f9ae2cee508db99ef356bb6dc1e9ec249858e561f96f089 The package examplereactnative76 was found to contain malicious code. Source: ossf-package-analysis...
CVE-2026-3102
A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be...
CVE-2026-23678 Binardat 10G08-0800GSM Network Switch Traceroute CLI Command Injection
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior contain a command injection vulnerability in the traceroute diagnostic function of the affected device web management interface. By injecting the %1a character into the hostname parameter, an authenticated attacker wi...
CVE-2025-14577
Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to /webcti/sessionajax.php endpoint. This issue was fixed in version 1.24.0190 Slican NCP and 6.61.0010 Slica...
Malicious code in request-httpx-9 (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d8547656202b4eac0d914d466c2fe1d3bf17210c63af75ac2d8e020f5d0ef28c The package contains a running Telegram bot that allows remote access. This functionality is disclosed in the readme, but the package name clearly indicates...
CVE-2025-11165
Affects dotCMS with its Velocity scripting engine (VTools). The issue is a sandbox escape where authenticated users with scripting privileges can bypass SecureUberspectorImpl protections by dynamically altering the Velocity runtime configuration and reinitializing its Uberspect, removing introspe...
CVE-2025-13942
A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests...
CVE-2025-13942
CVE-2025-13942 affects Zyxel EX3510-B0 devices with firmware up to 5.17(ABUP.15.1)C0, where the UPnP function is vulnerable to command injection via specially crafted UPnP SOAP requests, enabling remote OS command execution. The cited sources provide the vulnerability details and CVSS 3.1 score (...
PT-2026-21751
Name of the Vulnerable Software and Affected Versions: MindsDB versions prior to 25.9.1.1. Description: MindsDB, a platform for building artificial intelligence from enterprise data, has a path traversal flaw in its /api/files interface. An authenticated attacker can exploit this to achieve remote...
Malicious code in request-httpx-4 (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 b0c661d240f626319e5ff1e52562ca1d4a8a6c741126a91e4d46a9ed639cfc0d The package contains a running Telegram bot that allows remote access. This functionality is disclosed in the readme, but the package name clearly indicates...
MAL-2026-1001 Malicious code in request-httpx-4 (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 b0c661d240f626319e5ff1e52562ca1d4a8a6c741126a91e4d46a9ed639cfc0d The package contains a running Telegram bot that allows remote access. This functionality is disclosed in the readme, but the package name clearly indicates...
📄 Telesquare TLR-2005KSH Remote Command Execution
Telesquare TLR-2005KSH proof of concept remote command execution exploit. Title: Telesquare TLR-2005KSH - Remote Command Execution vulnerability...
📄 Tactical RMM 1.3.1 Jinja2 Server-Side Template Injection
This Metasploit module targets a server-side template injection vulnerability in Tactical RMM's template preview endpoint. The implementation is clearly marked as experimental and manually ranked due to the inherently unstable exploitation technique it relies on. The module attempts to achieve...
MAL-2026-991 Malicious code in vl-ui-breadcrumb (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 81c270ce4308a58eda8d509b95c7598472480a53a99953d598e400e85440f563 The package vl-ui-breadcrumb was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-993 Malicious code in vl-ui-checkbox (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6b636f4789648035c4ee34537313e51b2e4ba39f2f4ea19b6d8744f61a12bce3 The package vl-ui-checkbox was found to contain malicious code. Source: ossf-package-analysis...
CVE-2026-27113
Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git...