Total
2557 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6485 | 2025-06-22 | 6.3 Medium | ||
| A vulnerability was found in TOTOLINK A3002R 1.1.1-B20200824.0128. It has been classified as critical. This affects the function formWlSiteSurvey of the file /boafrm/formWlSiteSurvey. The manipulation of the argument wlanif leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-24321 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-06-20 | 9.8 Critical |
| An issue in Dlink DIR-816A2 v.1.10CNB05 allows a remote attacker to execute arbitrary code via the wizardstep4_ssid_2 parameter in the sub_42DA54 function. | ||||
| CVE-2023-51887 | 1 Ctan | 1 Mathtex | 2025-06-20 | 9.8 Critical |
| Command Injection vulnerability in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via crafted string in application URL. | ||||
| CVE-2025-6299 | 2025-06-20 | 4.7 Medium | ||
| A vulnerability classified as critical has been found in TOTOLINK N150RT 3.4.0-B20190525. This affects an unknown part of the file /boa/formWSC. The manipulation of the argument targetAPSsid leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-33806 | 1 Hikvision | 2 Ds-d5b86rb\/b, Ds-d5b86rb\/b Firmware | 2025-06-20 | 7.8 High |
| Insecure default configurations in Hikvision Interactive Tablet DS-D5B86RB/B V2.3.0 build220119, allows attackers to execute arbitrary commands. | ||||
| CVE-2024-56084 | 1 Logpoint | 1 Universal Normalizer | 2025-06-20 | 7.1 High |
| An issue was discovered in Logpoint UniversalNormalizer before 5.7.0. Authenticated users can inject payloads while creating Universal Normalizer. These are executed, leading to Remote Code Execution. | ||||
| CVE-2025-5030 | 1 Ackites | 1 Killwxapkg | 2025-06-20 | 5 Medium |
| A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been declared as critical. This vulnerability affects the function processFile of the file internal/unpack/unpack.go of the component wxapkg File Parser. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-51126 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2025-06-20 | 9.8 Critical |
| Command injection vulnerability in /usr/www/res.php in FLIR AX8 up to 1.46.16 allows attackers to run arbitrary commands via the value parameter. | ||||
| CVE-2023-49237 | 1 Trendnet | 2 Tv-ip1314pi, Tv-ip1314pi Firmware | 2025-06-20 | 9.8 Critical |
| An issue was discovered on TRENDnet TV-IP1314PI 5.5.3 200714 devices. Command injection can occur because the system function is used by davinci to unpack language packs without strict filtering of URL strings. | ||||
| CVE-2023-31446 | 1 Cassianetworks | 4 Xc1000, Xc1000 Firmware, Xc2000 and 1 more | 2025-06-20 | 9.8 Critical |
| In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup. | ||||
| CVE-2025-4729 | 1 Totolink | 4 A3002r, A3002r Firmware, A3002ru and 1 more | 2025-06-20 | 6.3 Medium |
| A vulnerability was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /boafrm/formMapDelDevice of the component HTTP POST Request Handler. The manipulation of the argument macstr leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-6335 | 2025-06-20 | 4.7 Medium | ||
| A vulnerability was found in DedeCMS up to 5.7.2 and classified as critical. This issue affects some unknown processing of the file /include/dedetag.class.php of the component Template Handler. The manipulation of the argument notes leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-47959 | 2025-06-20 | 7.1 High | ||
| Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-32711 | 2025-06-20 | 9.3 Critical | ||
| Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2023-49716 | 1 Emerson | 6 Gc1500xa, Gc1500xa Firmware, Gc370xa and 3 more | 2025-06-17 | 6.9 Medium |
| In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could run arbitrary commands from a remote computer. | ||||
| CVE-2023-46687 | 1 Emerson | 6 Gc1500xa, Gc1500xa Firmware, Gc370xa and 3 more | 2025-06-17 | 9.8 Critical |
| In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer. | ||||
| CVE-2024-21488 | 1 Forkhq | 1 Network | 2025-06-17 | 7.3 High |
| Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on. | ||||
| CVE-2024-23624 | 1 Dlink | 2 Dap-1650, Dap-1650 Firmware | 2025-06-17 | 9.6 Critical |
| A command injection vulnerability exists in the gena.cgi module of D-Link DAP-1650 devices. An unauthenticated attacker can exploit this vulnerability to gain command execution on the device as root. | ||||
| CVE-2024-22197 | 1 Nginxui | 1 Nginx Ui | 2025-06-17 | 7.7 High |
| Nginx-ui is online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API also exposes `test_config_cmd`, `reload_cmd` and `restart_cmd`. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sending a request to the API. This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure. This issue has been patched in version 2.0.0.beta.9. | ||||
| CVE-2024-30850 | 1 Tiagorlampert | 1 Chaos | 2025-06-17 | 8.8 High |
| An issue in tiagorlampert CHAOS v5.0.1 allows a remote attacker to execute arbitrary code via the BuildClient function within client_service.go | ||||