CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CISA KEV Catalog•added 2026/04/24 12:0 a.m.•3 views

D-Link DIR-823X Command Injection Vulnerability

D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/setprohibiting via the corresponding function. The impacted product could be end-of-life EoL and/or end-of-service EoS...

7.2CVSS8.9AI score0.87239EPSS

In wildExploits1

CNNVD•added 2026/04/24 12:0 a.m.•8 views

Vim 操作系统命令注入漏洞

Vim is an open-source cross-platform text editor developed by Vim developers. Versions of Vim prior to 9.2.0357 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the use of wildcards when processing tag files, which could lead to command...

6.6CVSS5.8AI score0.00501EPSS

Exploits0References2

Positive Technologies•added 2026/04/24 12:0 a.m.•4 views

PT-2026-35033

Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.2.0357 Description Command injection occurs during tag file processing. When resolving a tag, the filename field from the tags file undergoes wildcard expansion to resolve environment variables and wildcards. If this...

6.6CVSS5.8AI score0.00501EPSS

Exploits0References38

Tenable Nessus•added 2026/04/24 12:0 a.m.•7 views

Rclone 1.48.x < 1.73.5 Command Injection (CVE-2026-41179)

The version of Rclone installed on the remote host is 1.48.x prior to 1.73.5. It is, therefore, affected by a command injection vulnerability: - The RC endpoint operations/fsinfo is exposed without AuthRequired and accepts attacker-controlled fs input. Because rc.GetFs supports inline backend...

9.8CVSS5.8AI score0.08375EPSS

Exploits2References2

CNVD•added 2026/04/24 12:0 a.m.•9 views

TOTOLINK A3300R pppoeMtu Parameter Command Injection Vulnerability

TOTOLINK A3300R is a wireless router from China's Gion Electronics TOTOLINK. The TOTOLINK A3300R pppoeMtu parameter suffers from a command injection vulnerability that stems from the firmware failing to properly validate user input for the pppoeMtu parameter in /cgi-bin/cstecgi.cgi, which can be...

6.5CVSS6AI score0.00279EPSS

CNVD•added 2026/04/24 12:0 a.m.•8 views

TOTOLINK A3300R mode parameter command injection vulnerability

TOTOLINK A3300R is a wireless router from China's Gion Electronics TOTOLINK. A command injection vulnerability exists in the TOTOLINK A3300R mode parameter, which originates from /cgi-bin/cstecgi.cgi failing to properly filter the mode parameter, and can be exploited by an attacker to execute...

6.5CVSS6AI score0.00279EPSS

GithubExploit•added 2026/04/23 11:22 p.m.•81 views

Exploit for OS Command Injection in Zyxel Vmg8623-T50B_Firmware

CVE-2026-1459-POC POC for the CVE-2026-1459 which payload c...

7.2CVSS5.8AI score0.00902EPSS

EUVD•added 2026/04/23 9:31 p.m.•6 views

EUVD-2026-25314

radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2cmdstr. Attackers can inject shell metacharacters throu...

NVD•added 2026/04/23 9:16 p.m.•6 views

Exploits1References4

CVE-2026-6942

9.8CVSS0.0192EPSS

Exploits1References3

CVE•added 2026/04/23 8:58 p.m.•8 views

CVE-2026-6942

Radare2-MCP

Exploits1References3Affected Software1

ATTACKERKB•added 2026/04/23 8:58 p.m.•5 views

CVE-2026-6942

Vulnrichment•added 2026/04/23 8:58 p.m.•5 views

Exploits1References4

CVE-2026-6942 radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass

NVD•added 2026/04/23 8:16 p.m.•6 views

Exploits1References3

CVE-2026-41137

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...

9.4CVSS0.0145EPSS

NVD•added 2026/04/23 7:17 p.m.•34 views

CVE-2026-41247

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

9.8CVSS0.01567EPSS

Exploits0References1

ATTACKERKB•added 2026/04/23 7:10 p.m.•3 views

CVE-2026-41137

Exploits1References2Affected Software2

Cvelist•added 2026/04/23 7:10 p.m.•29 views

CVE-2026-41137 Flowise: Code Injection in CSVAgent leads to Authenticated RCE

9.4CVSS0.0145EPSS

EUVD•added 2026/04/23 7:10 p.m.•10 views

EUVD-2026-25277

Vulnrichment•added 2026/04/23 7:10 p.m.•4 views

CVE-2026-41137 Flowise: Code Injection in CSVAgent leads to Authenticated RCE

CVE•added 2026/04/23 7:10 p.m.•17 views

CVE-2026-41137

Flowise CVE-2026-41137 affects the Flowise UI stack, specifically the CSVAgent component, which allows providing a custom Pandas CSV read code. The lack of sanitization enables a command-injection payload to be interpolated and executed by the server. This is documented across multiple sources, w...