Export limit exceeded: 21093 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (21093 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34073 | 2026-04-15 | N/A | ||
| An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process. | ||||
| CVE-2024-46658 | 1 Syrotech | 1 Sy-gpon-8olt-l3 Firmware | 2026-04-15 | 8 High |
| Syrotech SY-GOPON-8OLT-L3 v1.6.0_240629 was discovered to contain an authenticated command injection vulnerability. | ||||
| CVE-2019-25289 | 1 Inim | 1 Smartliving Smartlan | 2026-04-15 | 8.8 High |
| SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials. | ||||
| CVE-2025-2071 | 2026-04-15 | N/A | ||
| A critical OS Command Injection vulnerability has been identified in the FAST LTA Silent Brick WebUI, allowing remote attackers to execute arbitrary operating system commands via specially crafted input. This vulnerability arises due to improper handling of untrusted input, which is passed directly to system-level commands without adequate sanitization or validation. Successful exploitation could allow attackers to execute arbitrary commands on the affected system, potentially resulting in unauthorized access, data leakage, or full system compromise. Affected WebUI parameters are "hd" and "pi". | ||||
| CVE-2025-48501 | 2026-04-15 | N/A | ||
| An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, an arbitrary OS commands may be executed on the server where the product is running. | ||||
| CVE-2025-57457 | 1 Curo | 1 Uc300 | 2026-04-15 | 8.8 High |
| An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows local attackers to inject arbitrary OS Commands via the "IP Addr" parameter. | ||||
| CVE-2025-5743 | 2026-04-15 | 5.5 Medium | ||
| CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote control over the charging station when an authenticated user modifies configuration parameters on the web server. | ||||
| CVE-2025-46334 | 2026-04-15 | 8.6 High | ||
| Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. | ||||
| CVE-2025-4640 | 2026-04-15 | N/A | ||
| Out-of-bounds Write vulnerability in PointCloudLibrary pcl allows Overflow Buffers. Since version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib. | ||||
| CVE-2024-24426 | 2 Oai Epc Federation, Openairinterface | 2 Oai Epc Federation, Magma | 2026-04-15 | 7.5 High |
| Reachable assertions in the NGAP_FIND_PROTOCOLIE_BY_ID function of OpenAirInterface Magma v1.8.0 and OAI EPC Federation v1.2.0 allow attackers to cause a Denial of Service (DoS) via a crafted NGAP packet. | ||||
| CVE-2024-0141 | 2026-04-15 | 6.8 Medium | ||
| NVIDIA Hopper HGX for 8-GPU contains a vulnerability in the GPU vBIOS that may allow a malicious actor with tenant level GPU access to write to an unsupported registry causing a bad state. A successful exploit of this vulnerability may lead to denial of service. | ||||
| CVE-2025-41683 | 1 Weidmueller | 3 Ie-sr-2tx-wl, Ie-sr-2tx-wl-4g-eu, Ie-sr-2tx-wl-4g-us-v | 2026-04-15 | 8.8 High |
| An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface (endpoint event_mail_test). | ||||
| CVE-2025-6559 | 2026-04-15 | 9.8 Critical | ||
| Multiple wireless router models from Sapido have an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. The affected models are out of support; replacing the device is recommended. | ||||
| CVE-2024-27172 | 1 Toshibatec | 50 E-studio-2010-ac, E-studio-2015-nc, E-studio-2018 A and 47 more | 2026-04-15 | 9.8 Critical |
| Remote Command program allows an attacker to get Remote Code Execution. As for the affected products/models/versions, see the reference URL. | ||||
| CVE-2025-32778 | 2026-04-15 | N/A | ||
| Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments. | ||||
| CVE-2024-28138 | 2026-04-15 | 7.3 High | ||
| An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized. | ||||
| CVE-2025-10239 | 1 Progress | 1 Flowmon | 2026-04-15 | 7.2 High |
| In Flowmon versions prior to 12.5.5, a vulnerability has been identified that allows a user with administrator privileges and access to the management interface to execute additional unintended commands within scripts intended for troubleshooting purposes. | ||||
| CVE-2025-55048 | 2026-04-15 | 9.8 Critical | ||
| Multiple CWE-78 | ||||
| CVE-2021-4466 | 1 Ipcop | 1 Ipcop | 2026-04-15 | N/A |
| IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL_PW parameter, directly into system-level operations without proper input sanitation. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an authenticated attacker can execute arbitrary operating system commands with the privileges of the web interface, resulting in full system compromise. | ||||
| CVE-2025-2172 | 1 Aviatrix | 1 Controller | 2026-04-15 | N/A |
| Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 fail to sanitize user input prior to passing the input to command line utilities, allowing command injection via special characters in filenames | ||||