Total
2557 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-22903 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2025-06-04 | 8.8 High |
| Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function. | ||||
| CVE-2024-22729 | 1 Netis-systems | 2 Mw5360, Mw5360 Firmware | 2025-06-04 | 9.8 Critical |
| NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page. | ||||
| CVE-2024-22529 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-06-04 | 9.8 Critical |
| TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa. | ||||
| CVE-2025-48492 | 1 Getsimple-ce | 1 Getsimple Cms | 2025-06-04 | 8.8 High |
| GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE). This issue is set to be patched in version 3.3.22. | ||||
| CVE-2025-48936 | 1 Zitadel | 1 Zitadel | 2025-06-04 | 8.1 High |
| Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2. | ||||
| CVE-2025-45800 | 1 Totolink | 2 A950rg, A950rg Firmware | 2025-06-04 | 9.8 Critical |
| TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a command execution vulnerability in the setDeviceName interface of the /lib/cste_modules/global.so library, specifically in the processing of the deviceMac parameter. | ||||
| CVE-2024-39963 | 1 Tenda | 4 Ax12, Ax12 Firmware, Ax9 and 1 more | 2025-06-04 | 8 High |
| AX3000 Dual-Band Gigabit Wi-Fi 6 Router AX9 V22.03.01.46 and AX3000 Dual-Band Gigabit Wi-Fi 6 Router AX12 V1.0 V22.03.01.46 were discovered to contain an authenticated remote command execution (RCE) vulnerability via the macFilterType parameter at /goform/setMacFilterCfg. | ||||
| CVE-2025-5571 | 2025-06-04 | 6.3 Medium | ||
| A vulnerability was found in D-Link DCS-932L 2.18.01. It has been classified as critical. Affected is the function setSystemAdmin of the file /setSystemAdmin. The manipulation of the argument AdminID leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-5492 | 2025-06-04 | 6.3 Medium | ||
| A vulnerability has been found in D-Link DI-500WF-WT up to 20250511 and classified as critical. Affected by this vulnerability is the function sub_456DE8 of the file /msp_info.htm?flag=cmd of the component /usr/sbin/jhttpd. The manipulation of the argument cmd leads to command injection. The attack can be launched remotely. | ||||
| CVE-2023-51812 | 1 Tenda | 2 Ax3, Ax3 Firmware | 2025-06-03 | 9.8 Critical |
| Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /goform/SetNetControlList. | ||||
| CVE-2025-46176 | 1 Dlink | 4 Dir-605l, Dir-605l Firmware, Dir-816l and 1 more | 2025-06-03 | 6.5 Medium |
| Hardcoded credentials in the Telnet service in D-Link DIR-605L v2.13B01 and DIR-816L v2.06B01 allow attackers to remotely execute arbitrary commands via firmware analysis. | ||||
| CVE-2023-6634 | 1 Thimpress | 1 Learnpress | 2025-06-03 | 8.1 High |
| The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution. | ||||
| CVE-2024-43027 | 1 Draytek | 6 Vigor2960, Vigor2960 Firmware, Vigor300b and 3 more | 2025-06-03 | 8 High |
| DrayTek Vigor 3900 before v1.5.1.5_Beta, DrayTek Vigor 2960 before v1.5.1.5_Beta and DrayTek Vigor 300B before v1.5.1.5_Beta were discovered to contain a command injection vulnerability via the action parameter at cgi-bin/mainfunction.cgi. | ||||
| CVE-2025-32813 | 1 Infoblox | 1 Netmri | 2025-06-03 | 7.2 High |
| An issue was discovered in Infoblox NETMRI before 7.6.1. Remote Unauthenticated Command Injection can occur. | ||||
| CVE-2024-0579 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-06-03 | 6.3 Medium |
| A vulnerability classified as critical was found in Totolink X2000R 1.0.0-B20221212.1452. Affected by this vulnerability is the function formMapDelDevice of the file /boafrm/formMapDelDevice. The manipulation of the argument macstr leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-46256 | 2 Jc21, Nginxproxymanager | 2 Nginx Proxy Manager, Nginx Proxy Manager | 2025-06-03 | 9.8 Critical |
| A Command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to RCE via Add Let's Encrypt Certificate. | ||||
| CVE-2025-37096 | 2025-06-03 | N/A | ||
| A command injection remote code execution vulnerability exists in HPE StoreOnce Software. | ||||
| CVE-2025-37092 | 2025-06-03 | N/A | ||
| A command injection remote code execution vulnerability exists in HPE StoreOnce Software. | ||||
| CVE-2025-37091 | 2025-06-03 | 7.2 High | ||
| A command injection remote code execution vulnerability exists in HPE StoreOnce Software. | ||||
| CVE-2025-37089 | 2025-06-03 | N/A | ||
| A command injection remote code execution vulnerability exists in HPE StoreOnce Software. | ||||