71819 matches found
EUVD-2026-44913
AVideo through 29.0 contains an OS command injection vulnerability in plugin/API/standAlone/functions.php where the listFFmpegProcesses function interpolates unsanitized keyword parameters inside single quotes without escaping. Attackers who can craft a valid encrypted codeToExec payload can brea...
Lodash Template - Server-Side Template Injection (RCE)
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. id: CVE-2021-23337 info: name: Lodash Template - Server-Side Template Injection RCE author: DhiyaneshDk severity: high description: | Lodash versions prior to 4.17.21 are vulnerable to Command Injectio...
SolarView 6.00 - Remote Command Execution
SolarView Compact 6.00 is vulnerable to a command injection via networktest.php. id: CVE-2022-40881 info: name: SolarView 6.00 - Remote Command Execution author: For3stCo1d severity: critical description: | SolarView Compact 6.00 is vulnerable to a command injection via networktest.php. impact: |...
Wavlink WN535K2/WN535K3 - OS Command Injection
Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade via manipulation of the argument key. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised...
TOTOLink - Unauthenticated Command Injection
TOTOLINK X5000R V9.1.0u.6118B20201102 and V9.1.0u.6369B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter. id: CVE-2023-30013 info: name: TOTOLink - Unauthenticated...
Apache Airflow OS Command Injection
Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI. id: CVE-2022-24288 info: name: Apache Airflow OS Command Injection...
Node.js Embedded JavaScript 3.1.6 - Template Injection
Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settingsview optionsoutputFunctionName, which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation. id:...
FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection
FreePBX Endpoint Manager 17.0.2.36 to = 17.0.2.36 && 17.0.3 - Authenticated Command Injection author: th3y severity: critical description: | FreePBX Endpoint Manager 17.0.2.36 to 17.0.3 contains a command injection caused by improper sanitization in filestore module's testconnection checksshconne...
RClone RC - Command Injection
Rclone = 1.48.0 and = 1.48.0 and 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment...
AstrBot <= 4.22.1 - Command Injection
AstrBot versions up to and including 4.22.1 contain a command injection vulnerability in the MCP server configuration endpoint. The /api/tools/mcp/add endpoint accepts arbitrary command and args fields that are passed directly to subprocess execution during the connection test, without any...
EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier.The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands.The injected comman...
CyberPanel - Command Injection
CyberPanel aka Cyber Panel before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner sink. There is /filemanager/upload aka File Manager upload unauthenticated remote code execution via shell metacharacters. id: CVE-2024-51568 info: name: CyberPanel - Comman...
WeiYe-Jing datax-web <= 2.1.2 - OS Command Injection
A vulnerability, which was classified as critical, has been found in WeiYe-Jing datax-web 2.1.2. Affected by this issue is some unknown functionality of the file /api/log/killJob of the component HTTP POST Request Handler. The manipulation of the argument processId leads to os command injection...
sar2html <=3.2.2 Plot Parameter - Remote Code Execution
sar2html version 3.2.2 and prior contains an OS command injection vulnerability in the plot parameter of index.php. A remote, unauthenticated attacker can append shell metacharacters to the plot parameter and execute arbitrary operating system commands. id: CVE-2025-34030 info: name: sar2html...
Infoblox NetMRI < 7.6.1 - Unauthenticated Command Injection in get_saml_request
An issue was discovered in Infoblox NETMRI before 7.6.1. Remote Unauthenticated Command Injection can occur. id: CVE-2025-32813 info: name: Infoblox NetMRI 7.6.1 - Unauthenticated Command Injection in getsamlrequest author: iamnoooob,pdresearch severity: high description: | An issue was discovere...
Blink Router - Command Injection
Blink routers BL-WR9000 V2.4.9 , BL-AC2100AZ3 V1.0.4, BL-X10AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200AT1 v1.0.0, BL-X26AC8 v1.2.8, BLAC450MAE4 v4.0.0 and BL-X26DA3 v1.2.7 were discovered to contain a command injection vulnerability via the bsSetSSIDHide function. id: CVE-2025-45985 info: name: Blin...
DCBI-Netlog-LAB v1.0 - Command Injection
An issue in the component /networkconfig/nsgmasq.cgi of DCN Digital China Networks DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request. id: CVE-2023-26802 info: name: DCBI-Netlog-LAB v1.0 - Command Injection author: pussycat0x...
Tenda AC15 AC1900 version 15.03.05.19 - Command Injection
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter. id: CVE-2020-10987 info: name: Tenda AC15 AC1900 version 15.03.05.19 - Command Injection author: pussycat0x severity: critical...
Evertz SDVN 3080ipx-10G - Unauthenticated Arbitrary Command Injection
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and register license among...
Zeroshell 3.9.3 - Command Injection
Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character. id: CVE-2020-29390 info: name: Zeroshell 3.9.3 - Command...