CVE-2025-37174 Authenticated Arbitrary File Write Vulnerability in AOS 10 and AOS-8 Web-Based Management Interface

Authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary...

CVE-2025-37174 Authenticated Arbitrary File Write Vulnerability in AOS 10 and AOS-8 Web-Based Management Interface

Authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary...

CVE-2025-37174

ArubaOS AOS-8 and AOS-10 web management interfaces are affected by vulnerabilities fixed by Aruba Networks. The NCSC advisory notes issues including arbitrary file deletion, stack overflow, command injection, and improper input handling that could allow unauthorized access, file manipulation, or ...

GHSA-XV56-3WQ5-9997 Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository

Summary The user-provided chart name in the kustomize manager is appended to the helm pull --untar command without proper sanitization. Details Adversaries can provide a maliciously crafted kustomization.yaml in conjunction with a Helm repo's index.yaml file to trick Renovate to execute arbitrary...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the EnvoyExtensionPolicy resource. An attacker can execute arbitrary commands and access sensitive credentials by injecting malicious Lua scripts. This can lead to privilege escalation, theft of secrets, and...

CVE-2026-0404 Insufficient input validation in NETGEAR Orbi routers

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default...

CVE-2026-0406 Insufficient input validation in NETGEAR Nighthawk router XR1000v2

An insufficient input validation vulnerability in the NETGEAR XR1000v2 allows attackers connected to the router's LAN to execute OS command injections...

CVE-2025-12548

A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration SSH keys, tokens, etc. from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333...

CVE-2025-12548 Github.com/che-incubator/che-code: eclipse che — unauthenticated rce and secret exfiltration via tcp/3333

A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration SSH keys, tokens, etc. from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333...

CVE-2025-12548

The CVE-2025-12548 issue affects Eclipse Che che-machine-exec, exposed in Red Hat OpenShift Dev Spaces. A flaw allows unauthenticated remote arbitrary command execution and secret exfiltration from other users’ Developer Workspace containers via an unauthenticated JSON-RPC/WebSocket API on TCP po...

CVE-2025-13444 OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters...

CVE-2026-0500

Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager WorkStation, an unauthenticated attacker could create a malicious JNLP Java Network Launch Protocol file accessible by a public facing URL. When a victim clicks on the URL the accessed Wily Introscope...

CVE-2026-0500

Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager WorkStation, an unauthenticated attacker could create a malicious JNLP Java Network Launch Protocol file accessible by a public facing URL. When a victim clicks on the URL the accessed Wily Introscope...

CVE-2026-0507 OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK

Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables...

CVE-2026-0507 OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK

Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables...

PT-2026-2441

Name of the Vulnerable Software and Affected Versions Eclipse Che versions affected versions not specified Description A flaw exists in Eclipse Che che-machine-exec that permits unauthenticated remote arbitrary command execution and secret exfiltration, including SSH keys and tokens, from other...

Progress LoadMaster 安全漏洞

Progress LoadMaster is a high performance Application Delivery Controller ADC and load balancer from Progress, Inc. A security vulnerability exists in Progress LoadMaster that stems from an uncleaned API input parameter, which could lead to the execution of arbitrary commands by an authenticated...

PT-2026-2627

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default...

PT-2026-2363

Name of the Vulnerable Software and Affected Versions 4images version 1.9 Description The software contains a remote command execution issue. Authenticated administrators can inject reverse shell code through template editing functionality. Attackers can save malicious code in a template and...

Progress LoadMaster 安全漏洞

Progress LoadMaster is a high performance Application Delivery Controller ADC and load balancer from Progress, Inc. A security vulnerability exists in Progress LoadMaster that stems from an uncleaned API input parameter, which could lead to the execution of arbitrary commands by an authenticated...