
1218 matches found

ATTACKERKB
added 2026/04/02 8:59 a.m. | 3 views

CVE-2026-33613

Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise. This vulnerability can only be attacked if the attacker has some other way to write arbitrary dat...

CVSS 7.2 | AI score 6 | EPSS 0.005
Exploits: 0 | References: 3

CVE
added 2026/04/02 8:59 a.m. | 9 views

CVE-2026-33613

CVE-2026-33613 concerns MB Connect Line mbCONNECT24 with a remote code execution in the generateSrpArray function caused by improper neutralisation of special elements in an OS command. The vulnerability allows an attacker to achieve full system compromise, but only if there is another path to wr...

CVSS 8.8 | AI score 6 | EPSS 0.005
Exploits: 0 | References: 2 | Affected Software: 2

EUVD
added 2026/03/31 10:27 p.m. | 3 views

EUVD-2026-17255

baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)...

CVSS 9.1 | AI score 6 | EPSS 0.02282
Exploits: 1 | References: 4

Positive Technologies
added 2026/03/31 12:0 a.m. | 2 views

PT-2026-29146

Name of the Vulnerable Software and Affected Versions: baserCMS versions prior to 5.2.3. Description: baserCMS is a website development framework. Prior to version 5.2.3, it contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute...

CVSS 9.1 | AI score 6.6 | EPSS 0.02282
Exploits: 1 | References: 15

ATTACKERKB
added 2026/03/31 12:0 a.m. | 5 views

CVE-2026-30311

Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations...

AI score 6.3 | EPSS 0.01659
Exploits: 0 | References: 3

Cvelist
added 2026/03/30 5:0 p.m. | 26 views

CVE-2026-5125 raine consult-llm-mcp server.ts child_process.execSync os command injection

A vulnerability was detected in raine consult-llm-mcp up to 2.5.3. Affected by this vulnerability is the function child_process.execSync of the file src/server.ts. The manipulation of the argument gitdiff.baseref/gitdiff.files results in OS command injection. The attack is only possible with local...

CVSS 5.3 | EPSS 0.0083
Exploits: 0 | References: 8

EUVD
added 2026/03/27 3:30 p.m. | 2 views

EUVD-2026-16600

The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the...

CVSS 9.8 | AI score 6.2 | EPSS 0.01376
Exploits: 0 | References: 3

Japan Vulnerability Notes
added 2026/03/27 8:18 a.m. | 30 views

Multiple vulnerabilities in BUFFALO Wi-Fi routers

Overview: Wi-Fi router products provided by BUFFALO INC. contain multiple vulnerabilities listed below. Dependency on vulnerable third-party component (CWE-1395) - This issue is caused by a vulnerability in minihttpd (CVE-2015-1548). OS command injection (CWE-78) - CVE-2026-27650. Code injection (CWE-94) -...

CVSS 9.8 | AI score 7.3 | EPSS 0.01335
Exploits: 1 | References: 10

Cvelist
added 2026/03/27 12:0 a.m. | 18 views

CVE-2026-30303

The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the...

EPSS 0.01376
Exploits: 0 | References: 2

CVE
added 2026/03/27 12:0 a.m. | 6 views

CVE-2026-30302

The CVE-2026-30302 entry describes an OS Command Injection in CodeRider-Kilo’s command auto-approval module. The root cause is the use of a Unix-based shell-quote parser to analyze Windows commands and improper handling of Windows CMD escape sequences (^). Attackers can craft payloads such as git...

CVSS 10 | AI score 6.2 | EPSS 0.01993
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2026/03/27 12:0 a.m. | 5 views

PT-2026-28646

Name of the Vulnerable Software and Affected Versions: NEC Platforms, Ltd. Aterm Series (affected versions not specified). Description: An OS Command Injection issue exists in NEC Platforms, Ltd. Aterm Series. This allows a malicious actor to execute arbitrary OS commands through the network...

CVSS 7.1 | AI score 6.1 | EPSS 0.00996
Exploits: 0 | References: 4

Packet Storm
added 2026/03/27 12:0 a.m. | 111 views

Generic HTTP Command Execution

This Metasploit module interacts with existing command execution functionality on a target system, where user-supplied input is directly passed to system execution functions via an HTTP request. This could be from an existing vulnerability, or uploaded webshells. It is likely that HTTP evasion...

AI score 6.1
Exploits: 0

RedhatCVE
added 2026/03/26 3:14 p.m. | 7 views

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

AI score 5.8 | EPSS 0.02421
Exploits: 4 | References: 1

RedhatCVE
added 2026/03/26 2:59 p.m. | 6 views

CVE-2026-31386

OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege...

CVSS 8.6 | AI score 7.2 | EPSS 0.01513
Exploits: 0 | References: 1

Cvelist
added 2026/03/26 2:1 a.m. | 28 views

CVE-2025-15101

An OS command injection vulnerability in the web management interface of certain ASUS router models allows remote authenticated administrators to execute arbitrary system commands via a crafted parameter. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisor...

CVSS 8.6 | EPSS 0.00899
Exploits: 0 | References: 1

CNNVD
added 2026/03/26 12:0 a.m. | 6 views

thingino-firmware OS command injection vulnerability

thingino-firmware is an open-source firmware developed by Paul Philippov for specific SoC IP cameras. Versions of thingino-firmware up to firmware-2026-03-16 contained a vulnerability related to operating system command injection. This vulnerability stemmed from unvalidated OS commands in the WiF...

CVSS 8.7 | AI score 6.4 | EPSS 0.06239
Exploits: 0 | References: 2

Vulnrichment
added 2026/03/25 12:0 a.m. | 2 views

CVE-2026-26832

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec...

CVSS 9.8 | AI score 5.9 | EPSS 0.01706
Exploits: 3 | References: 4

Vulnrichment
added 2026/03/23 11:16 a.m. | 0 views

CVE-2026-32968 Unauthenticated RCE in com_mb24sysapi

Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the com_mb24sysapi module, resulting in full system compromise. This vulnerability is a variant attack for CVE-2020-10383...

CVSS 9.8 | AI score 7.3 | EPSS 0.00546
Exploits: 0 | References: 2

GithubExploit
added 2026/03/19 6:23 p.m. | 141 views

Exploit for OS Command Injection in Apache Tomcat

ISM.bat RCE Exploit PoC script for unauthenticated Remote Cod...

CVSS 9.3 | AI score 7.5 | EPSS 0.99652
Exploits: 9

Github Security Blog
added 2026/03/19 12:45 p.m. | 8 views

AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command

Summary: The uploadVideoToLinkedIn method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg. If an attacker can influence the LinkedIn API response via MITM, compromis...

CVSS 7.5 | AI score 6.2 | EPSS 0.00323
Exploits: 1 | References: 4 | Affected Software: 1