Total
4291 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-48337 | 3 Debian, Gnu, Redhat | 4 Debian Linux, Emacs, Enterprise Linux and 1 more | 2025-03-18 | 9.8 Critical |
| GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. | ||||
| CVE-2024-57014 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-03-18 | 7.8 High |
| TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "recHour" parameter in setScheduleCfg. | ||||
| CVE-2024-11482 | 1 Hp | 1 Enterprise Security Manager | 2025-03-18 | 9.8 Critical |
| A vulnerability in ESM 11.6.10 allows unauthenticated access to the internal Snowservice API and enables remote code execution through command injection, executed as the root user. | ||||
| CVE-2023-0861 | 1 Netmodule | 10 Nb1601, Nb1800, Nb1810 and 7 more | 2025-03-18 | 7.2 High |
| NetModule NSRW web administration interface executes an OS command constructed with unsanitized user input. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. This issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103. | ||||
| CVE-2024-57015 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-03-18 | 8.8 High |
| TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "hour" parameter in setScheduleCfg. | ||||
| CVE-2025-24306 | 2025-03-18 | N/A | ||
| Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in +F FS010M versions prior to V2.0.0_1101. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker with an administrative privilege. | ||||
| CVE-2025-25220 | 2025-03-18 | N/A | ||
| Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in +F FS010M versions prior to V2.0.1_1101. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote authenticated attacker. | ||||
| CVE-2024-57011 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-03-17 | 8.8 High |
| TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "minute" parameters in setScheduleCfg. | ||||
| CVE-2023-5002 | 2 Fedoraproject, Pgadmin | 2 Fedora, Pgadmin 4 | 2025-03-17 | 6 Medium |
| A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server. | ||||
| CVE-2025-30076 | 2025-03-17 | 7.7 High | ||
| Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the tools/scheduler.pl report parameter. | ||||
| CVE-2024-35519 | 1 Netgear | 6 Ex3700, Ex3700 Firmware, Ex6100 and 3 more | 2025-03-17 | 8.4 High |
| Netgear EX6120 v1.0.0.68, Netgear EX6100 v1.0.2.28, and Netgear EX3700 v1.0.0.96 are vulnerable to command injection in operating_mode.cgi via the ap_mode parameter. | ||||
| CVE-2024-48826 | 1 Tenda | 2 Ac7, Ac7 Firmware | 2025-03-17 | 8 High |
| Tenda AC7 v.15.03.06.44 ate_iwpriv_set has pre-authentication command injection allowing remote attackers to execute arbitrary code. | ||||
| CVE-2024-48825 | 1 Tenda | 2 Ac7, Ac7 Firmware | 2025-03-17 | 8 High |
| Tenda AC7 v.15.03.06.44 ate_ifconfig_set has pre-authentication command injection allowing remote attackers to execute arbitrary code. | ||||
| CVE-2025-2367 | 2025-03-17 | 6.3 Medium | ||
| A vulnerability has been found in Oiwtech OIW-2431APGN-HP 2.5.3-B20131128 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formScript of the component Personal Script Submenu. The manipulation leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-1244 | 1 Redhat | 7 Enterprise Linux, Openshift Builds, Rhel Aus and 4 more | 2025-03-15 | 8.8 High |
| A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect. | ||||
| CVE-2019-20500 | 1 Dlink | 2 Dwl-2600ap, Dwl-2600ap Firmware | 2025-03-14 | 7.8 High |
| D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter. | ||||
| CVE-2021-27104 | 1 Accellion | 1 Fta | 2025-03-14 | 9.8 Critical |
| Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later. | ||||
| CVE-2018-9276 | 1 Paessler | 1 Prtg Network Monitor | 2025-03-14 | 7.2 High |
| An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios. | ||||
| CVE-2020-10221 | 1 Rconfig | 1 Rconfig | 2025-03-14 | 8.8 High |
| lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter. | ||||
| CVE-2020-10987 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2025-03-14 | 9.8 Critical |
| The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter. | ||||