33 matches found

Source: CVE
added 2025/03/12 11:48 a.m., 86 views

CVE-2024-13871

CVE-2024-13871 affects Bitdefender Box 1 with firmware 1.3.11.490. The vulnerability is a command injection in the "/check_image_and_trigger_recovery" API endpoint that allows an unauthenticated, network-adjacent attacker to execute arbitrary commands, potentially enabling full remote code execut...

CVSS 9.4, AI score 8.7, EPSS 0.02876
Exploits 0, References 1, Affected Software 1
Source: Positive Technologies
added 2025/02/10 12:00 a.m., 3 views

PT-2025-6100

Name of the Vulnerable Software and Affected Versions: Wazuh versions 4.4.0 through 4.9.1. Description: Wazuh, a platform used for threat prevention, detection, and response, is affected by an unsafe deserialization vulnerability. This flaw, potentially allowing remote code execution, arises from th...

CVSS 9.9, AI score 8.4, EPSS 0.93512
Exploits 19, References 166
Source: Prion
added 2023/10/14 5:15 a.m., 24 views

Command injection

All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the...

CVSS 7.5, AI score 9.8, EPSS 0.00155
Exploits 1, References 2
Source: Cvelist
added 2023/10/14 5:00 a.m., 22 views

CVE-2023-26155

All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the...

CVSS 7.3, AI score 10, EPSS 0.00155
Exploits 1, References 2
Source: Positive Technologies
added 2023/08/28 12:00 a.m., 2 views

PT-2023-8933

Name of the Vulnerable Software and Affected Versions: Anyscale Ray versions 2.6.3 through 2.8.0. Description: Anyscale Ray versions 2.6.3 and 2.8.0 contain a remote code execution issue due to insufficient validation of incoming requests through the job submission API. Attackers can exploit this to...

CVSS 10, AI score 8.6, EPSS 0.92192
Exploits 6, References 100
Source: NVD
added 2023/06/28 5:15 a.m., 11 views

CVE-2023-26134

Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once...

CVSS 9.8, AI score 10, EPSS 0.00309
Exploits 1, References 3
Source: GithubExploit
added 2023/01/23 12:51 p.m., 393 views

Exploit for Argument Injection in Atlassian Bitbucket

CVE-2022-36804: Pre-Auth RCE in Atlassian Bitbucket Server A c...

CVSS 8.8, AI score 9.1, EPSS 0.944
Exploits 24
Source: Positive Technologies
added 2022/10/26 12:00 a.m., 2 views

PT-2022-5272 · D Link · D-Link Dir-816 A2

Name of the Vulnerable Software and Affected Versions: D-Link DIR-816 A2 version 1.10 B05. Description: The issue is related to a stack overflow in the D-Link DIR-816 A2 router's firmware, which can be triggered via the srcip parameter at the "/goform/form2IPQoSTcAdd" API endpoint. This can...

CVSS 10, AI score 9.5, EPSS 0.01359
Exploits 1, References 4
Source: OSV
added 2022/06/08 8:15 p.m., 3 views

PYSEC-2022-43071

api-res-py package in PyPI 0.1 is vulnerable to a code execution backdoor in the request package...

CVSS 9.8, AI score 9.6, EPSS 0.0065
Exploits 0, References 3
Source: RedhatCVE
added 2022/03/04 12:19 a.m., 36 views

CVE-2022-0841

A flaw was found in npm-lockfile, where npm-lockfile v2 did not sanitize the only parameter before invoking a sensitive command execution API with the input. This issue leads to a command injection vulnerability...

CVSS 10, AI score 3, EPSS 0.00461
Exploits 1, References 4
Source: Positive Technologies
added 2020/11/30 12:00 a.m., 1 view

PT-2020-17155 · Zeroshell · Zeroshell

Name of the Vulnerable Software and Affected Versions: Zeroshell version 3.9.3. Description: The issue allows an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character in the /cgi-bin/kerbynet API endpoint, specifically through the StartSessionSubm...

CVSS 10, AI score 9.7, EPSS 0.90592
Exploits 1, References 6
Source: OSV
added 2020/11/05 7:15 p.m., 0 views

CVE-2020-12147

In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can make unauthorized MySQL queries against the Orchestrator database using the /sqlExecution REST API, which had been used for internal testing...

CVSS 8.8, AI score 7.3, EPSS 0.01324
Exploits 1, References 1
Source: exploitpack
added 2015/07/08 12:00 a.m., 16 views

Grandstream GXV3275 1.0.3.30 - Multiple Vulnerabilities

Grandstream GXV3275 1.0.3.30 - Multiple Vulnerabilities. The Grandstream GXV3275 is an Android-based VoIP phone. Several vulnerabilities were found affecting this device. The device ships with a default root SSH key, which could be used as a backdoor: /system/root/.ssh cat authorized_keys Public ke...

AI score 0.5
Exploits 0