15274 matches found

BDU FSTEC
added 2025/07/07 12:00 a.m. · 4 views

The vulnerability of the mp() function (/goform/mp) in the firmware of the Belkin F9K1122 Wi-Fi range extender allows an intruder to execute arbitrary commands.

The vulnerability of the mp function (/goform/mp) in the firmware of the Belkin F9K1122 Wi-Fi range extender is related to the lack of data sanitization measures at the control level. Exploiting this vulnerability could allow a remote attacker to execute arbitrary commands...

CVSS 6.5 | AI score 6.9 | EPSS 0.38138
Exploits: 1 | References: 3 | Affected Software: 1
BDU FSTEC
added 2025/07/07 12:00 a.m. · 5 views

The vulnerability of the formSetWanStatic() function (/goform/formSetWanStatic) in the firmware of the Belkin F9K1122 wireless range extender allows an intruder to execute arbitrary commands.

The vulnerability of the formSetWanStatic function (/goform/formSetWanStatic) in the firmware of the Belkin F9K1122 Wi-Fi range extender is related to the lack of data sanitization measures at the control level. Exploiting this vulnerability could allow a remote attacker to execute arbitrary commands...

CVSS 6.5 | AI score 6.9 | EPSS 0.15223
Exploits: 1 | References: 4 | Affected Software: 1
Tenable Nessus
added 2025/07/07 12:00 a.m. · 3 views

Splunk Enterprise 9.1.0 < 9.1.10, 9.2.0 < 9.2.7, 9.3.0 < 9.3.5, 9.4.0 < 9.4.3 (SVD-2025-0702)

The version of Splunk installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2025-0702 advisory. - In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege...

CVSS 6.8 | AI score 5.7 | EPSS 0.0043
Exploits: 0 | References: 2
GithubExploit
added 2025/07/04 4:22 p.m. · 332 views

Exploit for Improper Neutralization of Null Byte or NUL Character in Wftpserver Wing_Ftp_Server

CVE-2025-47812 - Wing FTP Server RCE Exploit. This repository...

CVSS 10 | AI score 10 | EPSS 0.95343
Exploits: 23
Cvelist
added 2025/07/03 7:46 p.m. · 9 views

CVE-2025-34087 Pi-Hole AdminLTE Whitelist (now 'Web Allowlist') Remote Command Execution

An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the...

CVSS 9 | EPSS 0.04967
Exploits: 1 | References: 5
Vulnrichment
added 2025/07/03 7:46 p.m. · 4 views

CVE-2025-34087 Pi-Hole AdminLTE Whitelist (now 'Web Allowlist') Remote Command Execution

An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the...

CVSS 9 | AI score 7 | EPSS 0.04967
Exploits: 1 | References: 5
CVE
added 2025/07/03 7:46 p.m. · 24 views

CVE-2025-34087

CVE-2025-34087: An authenticated command injection in Pi-hole's web interface (legacy AdminLTE) exists up to version 3.3, where unsanitized domain input added to the allowlist can be exploited to execute OS commands as the Pi-hole service user. The issue is tied to the legacy AdminLTE interface a...

CVSS 9 | AI score 7.2 | EPSS 0.04967
Exploits: 1 | References: 5 | Affected Software: 1
CVE
added 2025/07/02 1:46 p.m. · 64 views

CVE-2025-34073

Maltrail

CVSS 10 | AI score 8.3 | EPSS 0.03884
Exploits: 1 | References: 5
Vulnrichment
added 2025/07/02 1:46 p.m. · 9 views

CVE-2025-34073 stamparm/maltrail <=0.54 Remote Command Execution

An unauthenticated command injection vulnerability exists in stamparm/maltrail Maltrail versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input...

CVSS 10 | AI score 8.8 | EPSS 0.03884
Exploits: 1 | References: 5
Cvelist
added 2025/07/02 1:44 p.m. · 46 views

CVE-2025-34067 Hikvision Integrated Security Management Platform Remote Command Execution via applyCT Fastjson

An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an...

CVSS 10 | EPSS 0.18666
Exploits: 0 | References: 3
CVE
added 2025/07/02 1:44 p.m. · 151 views

CVE-2025-34067

CVE-2025-34067 affects Hikvision Integrated Security Management Platform (applyCT component). The flaw is deserialization of untrusted input in /bic/ssoService/v1/applyCT via vulnerable Fastjson auto-type, enabling remote code execution by loading a malicious Java class referenced through an LDAP...

CVSS 10 | AI score 9.6 | EPSS 0.18666
In wild | Exploits: 0 | References: 3
BDU FSTEC
added 2025/07/02 12:00 a.m. · 6 views

The vulnerability of the OCAS Assistant dialog system, related to the lack of data sanitization measures at the control level, allows a perpetrator to execute arbitrary commands.

The vulnerability of the OCAS Assistant dialog system is related to the lack of data sanitization measures at the control level. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands remotely...

CVSS 10 | AI score 5.8
Exploits: 0 | Affected Software: 1
BDU FSTEC
added 2025/07/02 12:00 a.m. · 6 views

The vulnerability of the formWlSiteSurvey() function in the /boafrm/formWlSiteSurvey file of the TOTOLINK A3002R router's firmware allows an intruder to execute arbitrary commands.

The vulnerability of the formWlSiteSurvey function in the /boafrm/formWlSiteSurvey file of the TOTOLINK A3002R router's firmware is related to the lack of input sanitization during the processing of the wlanif parameter. Exploiting this vulnerability allows a remote...

CVSS 6.5 | AI score 6.9 | EPSS 0.05956
Exploits: 1 | References: 4 | Affected Software: 1
BDU FSTEC
added 2025/07/02 12:00 a.m. · 3 views

The vulnerability of the Node-RED visual programming tool's server on the Pilz IndustrialPI operating system allows a perpetrator to execute arbitrary commands.

The vulnerability of the Node-RED visual programming tool on the Pilz IndustrialPI industrial computer server is related to the absence of authentication in the default configuration. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands...

CVSS 10 | AI score 5.9 | EPSS 0.09952
Exploits: 0 | References: 2 | Affected Software: 1
BDU FSTEC
added 2025/07/01 12:00 a.m. · 5 views

The vulnerability of the index.php script used by the sar2html system statistics visualization tool allows a perpetrator to execute arbitrary commands.

The vulnerability of the index.php script used by the sar2html system statistics visualization tool is related to insufficient validation of input data during the processing of the plot parameter. Exploiting this vulnerability allows an attacker to execute arbitrary commands remotely...

CVSS 10 | AI score 5.8 | EPSS 0.59067
Exploits: 1 | References: 5 | Affected Software: 1
OSV
added 2025/06/30 9:15 p.m. · 7 views

AZL-64461 CVE-2025-32462 affecting package sudo for versions less than 1.9.17-1

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines...

CVSS 8.8 | AI score 7 | EPSS 0.03239
Exploits: 12 | References: 1
OSV
added 2025/06/30 5:15 p.m. · 2 views

CVE-2025-26074

Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes...

CVSS 9.8 | AI score 6 | EPSS 0.00599
Exploits: 0 | References: 3
Cvelist
added 2025/06/30 12:00 a.m. · 8 views

CVE-2025-26074

Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes...

EPSS 0.00599
Exploits: 0 | References: 3
CNVD
added 2025/06/30 12:00 a.m. · 2 views

Inventory Management System removeProduct.php File SQL Injection Vulnerability

Inventory Management System is an inventory management system. The Inventory Management System suffers from a SQL injection vulnerability that originates from the /phpaction/removeProduct.php file not securely filtering the productId parameter. An attacker can exploit this vulnerability to remote...

CVSS 9.8 | AI score 7.7 | EPSS 0.00399
Exploits: 1 | References: 1
CVE
added 2025/06/30 12:00 a.m. · 35 views

CVE-2025-26074

Orkes Conductor v3.21.11 is affected. The issue arises from unrestricted access to Java classes, enabling remote command execution via the ScriptEvaluator path (inline JavaScript injection). Impact is OS command execution with high severity per CVSS, with network attack vector and no user interac...

CVSS 9.8 | AI score 7.7 | EPSS 0.00599
Exploits: 0 | References: 3