Lucene search
+L

7972 matches found

CVE
CVE
added yesterday4 views

CVE-2026-58195

Agentic-Flow (MCP server tools) prior to version 2.0.14 is vulnerable to OS command injection. In affected code paths, tool parameters such as agent, task, name, language, and agentdb could be interpolated directly into shell command strings passed to execSync(), enabling arbitrary command execut...

8.8CVSS5.9AI score
Exploits0References7
Nuclei
Nuclei
added yesterday124 views

Advantech R-SeeNet 2.4.12 - OS Command Injection

Advantech R-SeeNet 2.4.12 is susceptible to remote OS command execution via the ping.php script functionality. An attacker, via a specially crafted HTTP request, can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering...

10CVSS8.8AI score0.69631EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday119 views

MajorDoMo thumb.php - OS Command Injection

MajorDoMo aka Major Domestic Module before 0662e5e allows command execution via thumb.php shell metacharacters. NOTE: this is unrelated to the Majordomo mailing-list manager. id: CVE-2023-50917 info: name: MajorDoMo thumb.php - OS Command Injection author: DhiyaneshDK severity: critical...

9.8CVSS8.6AI score0.38263EPSS
Exploits6References5
Nuclei
Nuclei
added yesterday15 views

Group-Office < 26.0.5 - Remote Code Execution

Group-Office before versions 6.8.150, 25.0.82, and 26.0.5 is vulnerable to remote code execution via OS command injection. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmpfile into an exec call. By injecting shell metacharacters into...

9.4CVSS6.8AI score0.18536EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday22 views

HuangDou UTCMS V9 - OS Command Injection

A vulnerability, which was classified as critical, has been found in HuangDou UTCMS V9. Affected by this issue is some unknown functionality of the file app/modules/ut-cac/admin/cli.php. The manipulation of the argument o leads to os command injection.The attack may be launched remotely. The...

9.8CVSS6.9AI score0.73666EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday62 views

Palo Alto Networks Expedition - OS Command Injection

An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls...

9.8CVSS8.2AI score0.77653EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday14 views

WeiYe-Jing datax-web <= 2.1.2 - OS Command Injection

A vulnerability, which was classified as critical, has been found in WeiYe-Jing datax-web 2.1.2. Affected by this issue is some unknown functionality of the file /api/log/killJob of the component HTTP POST Request Handler. The manipulation of the argument processId leads to os command injection...

9.8CVSS6.7AI score0.09901EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday56 views

Acmailer - Improper Access Control to OS Command Injection

Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows remote attackers to execute an arbitrary OS command, or gain an administrative privilege which may result in obtaining the sensitive information on the server via unspecified...

10CVSS8.7AI score0.07871EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday29 views

Enigma NMS < 65.0.0 - Authenticated OS Command Injection

An OS command injection vulnerability in the discoverandmanage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows an authenticated attacker to execute arbitrary code because of improper neutralization of shell metacharacters in the ipaddress variable within an snmpbrowser action. id:...

10CVSS9AI score0.25279EPSS
Exploits5References3
CVE
CVE
added 2 days ago10 views

CVE-2026-63305

The CVE-2026-63305 entry concerns AVideo up to version 29.0, where the ffmpeg.json.php endpoint concatenates notifyCode and callback into a shell command without escaping. This allows an attacker who can craft an encrypted payload to inject shell metacharacters and execute OS commands as the web-...

9.2CVSS6.3AI score0.01383EPSS
Exploits0References2
OSV
OSV
added 2 days ago3 views

CVE-2026-63305 AVideo through 29.0 OS Command Injection via ffmpeg.json.php

AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are concatenated into a shell command without escaping. Attackers who can craft a valid encrypted payload can inject arbitrary shell metacharacters into thes...

9.2CVSS6.3AI score0.01383EPSS
Exploits0References4
Nuclei
Nuclei
added 2 days ago26 views

NUUO Camera <=20250203 - OS Command Injection

NUUO Camera up to 20250203 contains a command injection caused by manipulation of the 'log' argument in /handleconfig.php, letting remote attackers execute arbitrary commands, exploit requires remote access. id: CVE-2025-1338 info: name: NUUO Camera =20250203 - OS Command Injection author: Ark...

7.5CVSS7.2AI score0.51091EPSS
Exploits1References3
Nuclei
Nuclei
added 2 days ago268 views

Node.js Embedded JavaScript 3.1.6 - Template Injection

Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settingsview optionsoutputFunctionName, which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation. id:...

9.8CVSS6.8AI score0.32808EPSS
Exploits7References5
Nuclei
Nuclei
added 2 days ago64 views

Artica Web Proxy 4.30 - OS Command Injection

Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via servicecmdspeform. id: CVE-2020-17505 info: name: Artica Web Proxy 4.30 - OS Command Injection author: dwisiswant0...

9CVSS7.1AI score0.82165EPSS
Exploits4References5
Nuclei
Nuclei
added 2 days ago81 views

cPH2 Charging Station v1.87.0 - OS Command Injection

An OS command injection vulnerability in Hardy Barth cPH2 Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted arguments passed to the connectivity check feature. id: CVE-2023-46359 info: name: cPH2...

9.8CVSS7.3AI score0.78368EPSS
Exploits2References5
Tenable Nessus
Tenable Nessus
added 2 days ago6 views

Alibaba Cloud Linux 3 : 0197: perl-HTTP-Daemon (ALINUX3-SA-2026:0197)

The remote Alibaba Cloud Linux 3 host has a package installed that is affected by a vulnerability as referenced in the ALINUX3-SA-2026:0197 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2026-8450: HTTP::Daemon versions before 6.17 fo...

9.1CVSS6.2AI score0.01452EPSS
Exploits0References2
NVD
NVD
added 3 days ago6 views

CVE-2026-15895

OS command injection in the npm package loading component in AWS jsii-diff before 1.131.0 might allow context-dependent attackers to execute arbitrary commands via crafted package specifiers passed to the npm: source argument. To mitigate this issue, users should upgrade to jsii-diff v1.131.0 or...

8.4CVSS0.01241EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago17 views

EUVD-2026-44768

OS command injection in the npm package loading component in AWS jsii-diff before 1.131.0 might allow context-dependent attackers to execute arbitrary commands via crafted package specifiers passed to the npm: source argument. To mitigate this issue, users should upgrade to jsii-diff v1.131.0 or...

8.4CVSS6.3AI score0.01241EPSS
Exploits0References2
OSV
OSV
added 3 days ago5 views

CVE-2026-15895 OS command injection in jsii-diff in AWS jsii

OS command injection in the npm package loading component in AWS jsii-diff before 1.131.0 might allow context-dependent attackers to execute arbitrary commands via crafted package specifiers passed to the npm: source argument. To mitigate this issue, users should upgrade to jsii-diff v1.131.0 or...

8.4CVSS6.3AI score0.01241EPSS
Exploits0References4
NVD
NVD
added 4 days ago5 views

CVE-2026-48347

Animate is affected by an Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a...

7.7CVSS0.00559EPSS
Exploits0References1
Rows per page
Query Builder