
632 matches found

CVE
added 2026/01/07 11:9 p.m. | 13 views

CVE-2017-20216

CVE-2017-20216 concerns FLIR Thermal Camera PT-Series firmware 8.0.0.64, where multiple unauthenticated remote command injection vulnerabilities exist in the controllerFlirSystem.php script. The root cause is unsanitized POST parameters in the execFlirSystem() function leading to shell_exec() cal...

CVSS 9.8 | AI score 8.1 | EPSS 0.1064
In wild | Exploits 1 | References 5

RedhatCVE
added 2026/01/07 9:40 a.m. | 6 views

CVE-1999-0163

In older versions of Sendmail, an attacker could use a pipe character to execute root commands...

CVSS 7.2 | AI score 7.1 | EPSS 0.00441
Exploits 0 | References 1

RedhatCVE
added 2026/01/07 9:38 a.m. | 18 views

CVE-1999-0088

IRIX and AIX automountd services autofsd allow remote users to execute root commands...

CVSS 10 | AI score 7.4 | EPSS 0.0393
Exploits 0 | References 1

RedhatCVE
added 2026/01/07 9:30 a.m. | 6 views

CVE-2019-16519

ESET Cyber Security 6.7.900.0 for macOS allows a local attacker to execute unauthorized commands as root by abusing an undocumented feature in scheduled tasks...

CVSS 7.8 | AI score 7.1 | EPSS 0.003
Exploits 0 | References 1

RedhatCVE
added 2026/01/07 9:10 a.m. | 4 views

CVE-2025-64419

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository using build...

CVSS 9.6 | AI score 7.1 | EPSS 0.00619
Exploits 1 | References 1

Cvelist
added 2026/01/05 7:16 p.m. | 24 views

CVE-2025-64419 Coolify vulnerable to command injection via docker-compose.yaml parameters

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository using build...

CVSS 9.6 | EPSS 0.00619
Exploits 1 | References 2

Positive Technologies
added 2026/01/05 12:0 a.m. | 8 views

PT-2026-1326

Name of the Vulnerable Software and Affected Versions: Coolify versions prior to 4.0.0-beta.445. Description: Coolify is a self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters from docker-compose.yaml files are not properly sanitized when...

CVSS 9.6 | AI score 7.7 | EPSS 0.00619
Exploits 1 | References 11

Positive Technologies
added 2026/01/01 12:0 a.m. | 4 views

PT-2026-6749

Name of the Vulnerable Software and Affected Versions: Asterisk versions prior to 20.7-cert9; Asterisk versions prior to 20.18.2; Asterisk versions prior to 21.12.1; Asterisk versions prior to 22.8.2; Asterisk versions prior to 23.2.2. Description: Asterisk is a private branch exchange and telephony...

CVSS 7.8 | AI score 5.9 | EPSS 0.00112
Exploits 0 | References 7

Positive Technologies
added 2025/12/30 12:0 a.m. | 3 views

PT-2025-54230

Name of the Vulnerable Software and Affected Versions: MiniDVBLinux version 5.4. Description: MiniDVBLinux version 5.4 contains a remote command execution issue that allows unauthenticated attackers to execute arbitrary commands as root. The issue is due to a flaw in the handling of the command GET...

CVSS 9.8 | AI score 7.8 | EPSS 0.01261
Exploits 3 | References 9

NVD
added 2025/12/23 10:15 p.m. | 4 views

CVE-2025-66210

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute...

CVSS 9.4 | EPSS 0.02701
Exploits 2 | References 4

Packet Storm
added 2025/12/16 12:0 a.m. | 194 views

Control Web Panel 0.9.8.1208 Command Injection

Control Web Panel versions 0.9.8.1208 and below suffer from an issue where user input passed via the key GET parameter to /admin/index.php when the api parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject...

AI score 7.8 | EPSS 0.01186
Exploits 3

RedhatCVE
added 2025/12/11 7:0 p.m. | 3 views

CVE-2025-65199

A command injection vulnerability exists in Windscribe for Linux Desktop App that allows a local user who is a member of the windscribe group to execute arbitrary commands as root via the 'adapterName' parameter of the 'changeMTU' function. Fixed in Windscribe v2.18.3-alpha and v2.18.8...

CVSS 7.8 | AI score 8 | EPSS 0.01094
Exploits 1 | References 1

NVD
added 2025/12/10 10:16 p.m. | 4 views

CVE-2025-65293

Command injection vulnerabilities in Aqara Camera Hub G3 4.1.90027 allow attackers to execute arbitrary commands with root privileges through malicious QR codes during device setup and factory reset...

CVSS 6.6 | EPSS 0.00962
Exploits 1 | References 1

Positive Technologies
added 2025/12/10 12:0 a.m. | 5 views

PT-2025-50541

Name of the Vulnerable Software and Affected Versions: Aqara Hub devices versions 4.1.9 0027, 4.3.6 0027, and 4.3.6 0025. Description: A command injection issue exists in Aqara Hub devices, including Camera Hub G3, Hub M2, and Hub M3. This allows attackers to execute arbitrary commands with root...

CVSS 7.3 | AI score 7.9 | EPSS 0.00697
Exploits 1 | References 4

RedhatCVE
added 2025/12/04 12:11 a.m. | 8 views

CVE-2025-65842

The Aquarius HelperTool 1.0.003 privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights...

CVSS 5.1 | AI score 7.1 | EPSS 0.00141
Exploits 1 | References 1

NVD
added 2025/12/03 5:15 p.m. | 5 views

CVE-2025-65842

The Aquarius HelperTool 1.0.003 privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights...

CVSS 5.1 | EPSS 0.00141
Exploits 1 | References 1

CVE
added 2025/12/03 12:0 a.m. | 11 views

CVE-2025-55076

The CVE-2025-55076 entry describes a local privilege escalation in Plugin Alliance Installation Manager v1.4.0 for macOS, via the InstallationHelper service that accepts unauthenticated XPC connections and passes input to system(). This could allow a local user to execute arbitrary commands with ...

CVSS 6.2 | AI score 7.4 | EPSS 0.00176
Exploits 1 | References 1 | Affected Software 1

Vulnrichment
added 2025/12/03 12:0 a.m. | 5 views

CVE-2025-65842

The Aquarius HelperTool 1.0.003 privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights...

AI score 6.7 | EPSS 0.00141
Exploits 1 | References 1

NVD
added 2025/12/01 4:15 p.m. | 3 views

CVE-2024-39148

The service wmp-agent of KerOS prior 5.12 does not properly validate so-called ‘magic URLs’ allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over network. Typically, the service is protected via local firewall...

CVSS 8.1 | EPSS 0.00444
Exploits 0 | References 2

Cvelist
added 2025/12/01 12:0 a.m. | 7 views

CVE-2024-39148

The service wmp-agent of KerOS prior 5.12 does not properly validate so-called ‘magic URLs’ allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over network. Typically, the service is protected via local firewall...

EPSS 0.00444
Exploits 0 | References 2