Total
2670 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2025-45984 | 1 B-link | 18 Bl-ac1900, Bl-ac1900 Firmware, Bl-ac2100 Az3 and 15 more | 2025-07-10 | 9.8 Critical |
Blink routers BL-WR9000 V2.4.9, BL-AC1900 V1.0.2, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 V1.0.5, BL-LTE300 V1.2.3, BL-F1200_AT1 V1.0.0, BL-X26_AC8 V1.2.8, BLAC450M_AE4 V4.0.0 and BL-X26_DA3 V1.2.7 were discovered to contain a command injection vulnerability via the routepwd parameter in the sub_45B238 function. | ||||
CVE-2025-7081 | 1 Belkin | 2 F9k1122, F9k1122 Firmware | 2025-07-09 | 6.3 Medium |
A vulnerability has been found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this vulnerability is the function formSetWanStatic of the file /goform/formSetWanStatic of the component webs. The arguments m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 are passed directly from attacker-supplied input, so an attacker can control them, which leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2025-7082 | 1 Belkin | 2 F9k1122, F9k1122 Firmware | 2025-07-09 | 6.3 Medium |
A vulnerability was found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this issue is the function formBSSetSitesurvey of the file /goform/formBSSetSitesurvey of the component webs. The arguments wan_ipaddr/wan_netmask/wan_gateway/wl_ssid are passed directly from attacker-supplied input, so an attacker can control them, which leads to OS command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2025-7083 | 1 Belkin | 2 F9k1122, F9k1122 Firmware | 2025-07-09 | 6.3 Medium |
A vulnerability was found in Belkin F9K1122 1.00.33. It has been classified as critical. This affects the function mp of the file /goform/mp of the component webs. The manipulation of the argument command leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2024-2366 | 1 Lollms | 1 Lollms Web Ui | 2025-07-09 | N/A |
A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing an attacker to exploit path traversal to navigate to arbitrary directories. By manipulating the binding_path to point to a controlled directory and uploading a malicious __init__.py file, an attacker can execute arbitrary code on the server. | ||||
CVE-2024-55466 | 1 Thingsboard | 1 Thingsboard | 2025-07-09 | 6.5 Medium |
An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard Professional v3.8.1 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
CVE-2025-53372 | | | 2025-07-08 | 7.5 High |
node-code-sandbox-mcp is a Node.js-based Model Context Protocol server that spins up disposable Docker containers to execute arbitrary JavaScript. Prior to 1.3.0, a command injection vulnerability exists in the node-code-sandbox-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges on the host machine, bypassing the sandbox protection of running code inside Docker. This vulnerability is fixed in 1.3.0. | ||||
CVE-2024-49026 | 1 Microsoft | 5 365 Apps, Excel, Office and 2 more | 2025-07-08 | 7.8 High |
Microsoft Excel Remote Code Execution Vulnerability | ||||
CVE-2024-43613 | 1 Microsoft | 1 Azure Database For Postgresql Flexible Server | 2025-07-08 | 7.2 High |
Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability | ||||
CVE-2024-49042 | 1 Microsoft | 1 Azure Database For Postgresql Flexible Server | 2025-07-08 | 7.2 High |
Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability | ||||
CVE-2024-43591 | 1 Microsoft | 2 Azure Command-line Interface, Azure Service Connector | 2025-07-08 | 8.7 High |
Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability | ||||
CVE-2024-43497 | 1 Microsoft | 1 Deepspeed | 2025-07-08 | 8.4 High |
DeepSpeed Remote Code Execution Vulnerability | ||||
CVE-2024-43601 | 2 Linux, Microsoft | 2 Linux Kernel, Visual Studio Code | 2025-07-08 | 7.8 High |
Visual Studio Code for Linux Remote Code Execution Vulnerability | ||||
CVE-2023-47253 | 1 Qualitor | 2 Qalitor, Qualitor | 2025-07-07 | 9.8 Critical |
Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter. | ||||
CVE-2024-35285 | 1 Mitel | 2 Micollab, Micollab Nupoint Messanger | 2025-07-07 | 9.8 Critical |
A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. | ||||
CVE-2024-40089 | 1 Viloliving | 3 Vilo 5, Vilo 5 Firmware, Vilo 5 Mesh Wifi System Firmware | 2025-07-07 | 9.1 Critical |
A Command Injection vulnerability in Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, authenticated attackers to execute arbitrary code by injecting shell commands into the name of the Vilo device. | ||||
CVE-2025-5306 | 1 Pandora Fms | 1 Pandora Fms | 2025-07-06 | N/A |
Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778. | ||||
CVE-2025-53104 | | | 2025-07-03 | 9.1 Critical |
gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in the discussion-to-slack.yml GitHub Actions workflow. Untrusted discussion fields (title, body, etc.) were directly interpolated into shell commands in a run: block. An attacker could craft a malicious GitHub Discussion title or body (e.g., $(curl ...)) to execute arbitrary shell commands on the Actions runner. This issue has been fixed in commit e6b4271 where the discussion-to-slack.yml workflow was removed. Users should remove the discussion-to-slack.yml workflow if using a fork or derivative of this repository. | ||||
CVE-2025-53107 | | | 2025-07-03 | 7.5 High |
@cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. This issue has been patched in version 2.1.5. | ||||
CVE-2025-24333 | | | 2025-07-03 | 6.4 Medium |
Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains an administrative shell input validation fault, which an authenticated admin user could, in theory, use to inject arbitrary commands for execution by the unprivileged baseband OAM service process via special characters added to the baseband-internal COMA_config.xml file. This issue has been corrected starting from release 24R1-SR 1.0 MP and later by adding proper input validation to the OAM service process, which prevents injecting special characters via the baseband-internal COMA_config.xml file. |