44856 matches found

CNNVD
added 2025/10/17 12:00 a.m., 4 views

HGiga iSherlock Operating System Command Injection Vulnerability

HGiga iSherlock is a series of software products from China Henderson HGiga. HGiga iSherlock suffers from an operating system command injection vulnerability that originates from an unauthenticated, remote attacker who can inject arbitrary OS commands and execute them on the server, potentially...

9.8 CVSS, 8.2 AI score, 0.01824 EPSS
Exploits 0, References 2
Tenable Nessus
added 2025/10/17 12:00 a.m., 6 views

Security Updates for Microsoft PowerPoint Products (October 2025)

The Microsoft PowerPoint Products are missing a security update. They are, therefore, affected by a remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. Note that Nessus has not tested for this issue but has instea...

7.8 CVSS, 8.5 AI score, 0.00347 EPSS
Exploits 0, References 2
OSV
added 2025/10/16 8:48 p.m., 2 views

GHSA-JQRP-58FV-W8CQ bagisto has CSV Formula Injection in Create New Product

Summary: When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field e.g.,...

9 CVSS, 7.2 AI score, 0.00357 EPSS
Exploits 1, References 3
Github Security Blog
added 2025/10/16 8:48 p.m., 5 views

bagisto has CSV Formula Injection in Create New Product

Summary: When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field e.g.,...

8.5 CVSS, 7.2 AI score, 0.00357 EPSS
Exploits 1, References 3, Affected Software 1
OSV
added 2025/10/16 6:32 p.m., 3 views

CVE-2025-62417 bagisto - CSV Formula Injection in Create New Product

Bagisto is an open source Laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This...

8.5 CVSS, 7.1 AI score, 0.00357 EPSS
Exploits 1, References 3
RedhatCVE
added 2025/10/16 2:51 p.m., 5 views

CVE-2025-59481

A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell tmsh command that may allow an authenticated attacker with at least resource administrator role to execute arbitrary system commands with higher privileges. A successful exploit can allow the attacker to cross a security...

9.1 CVSS, 7.3 AI score, 0.00359 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/10/16 7:56 a.m., 3 views

CVE-2025-61941

A path traversal issue exists in WXR9300BE6P series firmware versions prior to Ver.1.10. Arbitrary file may be altered by an administrative user who logs in to the affected product. Moreover, arbitrary OS command may be executed via some file alteration...

8.6 CVSS, 7.2 AI score, 0.00474 EPSS
Exploits 0, References 1
OSV
added 2025/10/16 3:40 a.m., 2 views

MAL-2025-48432 Malicious code in company-browser-package (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 7621dd08044aeaacb68745078c793611d91031eb9852f8f667f739d485efe939 The OpenSSF Package Analysis project identified 'company-browser-package' @ 99.9.10 npm as malicious. It is considered malicious because: - The...

7.1 AI score
Exploits 0
Japan Vulnerability Notes
added 2025/10/16 2:16 a.m., 5 views

Buffalo Wi-Fi router WXR9300BE6P series vulnerable to path traversal

Overview: Wi-Fi router WXR9300BE6P series provided by BUFFALO INC. contains the following vulnerability. Path traversal (CWE-22) - CVE-2025-61941. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact: Arbitrary file may be altered by ...

8.6 CVSS, 6.9 AI score, 0.00474 EPSS
Exploits 0, References 4
CNNVD
added 2025/10/16 12:00 a.m., 3 views

Webkul Software Bagisto Security Vulnerability

Webkul Software Bagisto is an open source e-commerce framework from Webkul Software, India. A security vulnerability exists in Webkul Software Bagisto versions prior to 2.3.8, which stems from incorrect handling of spreadsheet formula characters and could lead to data exfiltration and remote...

8.5 CVSS, 6.9 AI score, 0.00357 EPSS
Exploits 1, References 2
CNNVD
added 2025/10/16 12:00 a.m., 4 views

Ilevia EVE X1 Server Security Vulnerability

Ilevia EVE X1 Server is a smart home and building automation product from Ilevia, Italy. A security vulnerability exists in Ilevia EVE X1 Server 4.7.18.0.eden and prior versions, which stems from an authenticated OS command injection in multiple web-accessible PHP scripts that could lead to the execution...

8.8 CVSS, 7.4 AI score, 0.02071 EPSS
Exploits 3, References 3
CNVD
added 2025/10/16 12:00 a.m., 2 views

Fortinet FortiPAM OS Command Injection Vulnerability (CNVD-2025-24146)

FortiPAM is Fortinet's privileged access management solution for centralized management of sensitive enterprise credentials. A security vulnerability exists in Fortinet FortiPAM that stems from an insufficiently strong authentication mechanism. An attacker could exploit the vulnerability to execu...

9.8 CVSS, 7.5 AI score, 0.00582 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/10/15 5:44 p.m., 2 views

CVE-2025-37132

An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files and execute arbitrary commands on the...

7.2 CVSS, 7.5 AI score, 0.00501 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/10/15 5:44 p.m., 3 views

CVE-2025-37134

An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system...

7.2 CVSS, 7.9 AI score, 0.01274 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/10/15 4:44 p.m., 10 views

CVE-2025-10243

OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution...

7.2 CVSS, 8 AI score, 0.21105 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/10/15 4:43 p.m., 3 views

CVE-2025-37146

A vulnerability in the web-based management interface of network access point configuration services could allow an authenticated remote attacker to perform remote command execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system...

7.2 CVSS, 7.8 AI score, 0.00811 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/10/15 3:47 p.m., 3 views

CVE-2025-58325

An Incorrect Provision of Specified Functionality vulnerability (CWE-684) in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2.5 through 7.2.10, 7.0.0 through 7.0.15, 6.4 all versions may allow a local authenticated attacker to execute system commands via crafted CLI commands...

8.2 CVSS, 7 AI score, 0.00282 EPSS
Exploits 0, References 1
Cvelist
added 2025/10/15 1:55 p.m., 6 views

CVE-2025-59481 BIG-IP iControl REST and tmsh vulnerability

A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell tmsh command that may allow an authenticated attacker with at least resource administrator role to execute arbitrary system commands with higher privileges. A successful exploit can allow the attacker to cross a security...

8.7 CVSS, 0.00359 EPSS
Exploits 0, References 1
Vulnrichment
added 2025/10/15 1:55 p.m., 4 views

CVE-2025-59481 BIG-IP iControl REST and tmsh vulnerability

A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell tmsh command that may allow an authenticated attacker with at least resource administrator role to execute arbitrary system commands with higher privileges. A successful exploit can allow the attacker to cross a security...

8.7 CVSS, 6.9 AI score, 0.00359 EPSS
Exploits 0, References 1
ATTACKERKB
added 2025/10/15 1:55 p.m., 4 views

CVE-2025-60013

When a highly-privileged, authenticated attacker attempts to initialize the rSeries FIPS module using a password with special shell metacharacters, arbitrary system commands may be executed, and the FIPS hardware security module (HSM) may fail to initialize. A successful exploit can allow the...

6.7 CVSS, 5.3 AI score, 0.00172 EPSS
Exploits 0, References 2, Affected Software 1