Export limit exceeded: 20364 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (20364 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0263 | 1 Palo Alto Networks | 3 Cloud Ngfw, Pan-os, Prisma Access | 2026-05-13 | N/A |
| A buffer overflow vulnerability in the IKEv2 processing of Palo Alto Networks PAN-OS® software allows an unauthenticated network-based attacker to execute arbitrary code with elevated privileges on the firewall, or cause a denial of service (DoS) condition. Panorama, Cloud NGFW, and Prisma® Access are not impacted by these vulnerabilities. | ||||
| CVE-2026-44854 | 1 Hpe | 1 Arubaos | 2026-05-13 | 7.2 High |
| Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to upload arbitrary files to the underlying operating system, potentially leading to remote code execution as a privileged user. | ||||
| CVE-2025-15101 | 1 Asus | 2 Asus Firmware, Router | 2026-05-13 | 8.8 High |
| An OS command injection vulnerability in the web management interface of certain ASUS router models allows remote authenticated administrators to execute arbitrary system commands via a crafted parameter. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | ||||
| CVE-2025-28344 | 2026-05-13 | N/A | ||
| striso-control-firmware 54c9722 is vulnerable to Buffer Overflow in function AuxJack. | ||||
| CVE-2026-42307 | 1 Vim | 1 Vim | 2026-05-13 | 4.4 Medium |
| Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383. | ||||
| CVE-2026-21018 | 2 Samsung, Samsung Mobile | 2 Android, Samsung Mobile Devices | 2026-05-13 | 6.7 Medium |
| Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary code. | ||||
| CVE-2026-39817 | 2 Golang, Gotoolchain | 2 Go, Cmd/go | 2026-05-13 | 5.9 Medium |
| The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem. | ||||
| CVE-2026-42924 | 1 F5 | 1 Big-ip | 2026-05-13 | 6.5 Medium |
| An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2026-42946 | 1 F5 | 2 Nginx Open Source, Nginx Plus | 2026-05-13 | 6.5 Medium |
| A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2026-41257 | 1 Jqlang | 1 Jq | 2026-05-13 | 5.5 Medium |
| jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets. | ||||
| CVE-2026-31226 | 1 Jiayi-pan | 1 Tinyzero | 2026-05-13 | 9.8 Critical |
| The TinyZero project thru commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 (2025-58-24) contains a critical command injection vulnerability (CWE-78) in its HDFS file operation utilities. The vulnerability arises from the unsafe construction and execution of shell commands via os.system() without proper input sanitization or escaping. User-controlled input (such as file paths) is directly interpolated into shell command strings using f-strings within the _copy() function. An attacker can inject arbitrary OS commands by supplying a specially crafted path parameter through the Hydra configuration framework. This leads to remote code execution with the privileges of the user running the TinyZero training process. | ||||
| CVE-2026-39808 | 1 Fortinet | 3 Fortisandbox, Fortisandbox Paas, Fortisandboxpaas | 2026-05-13 | 9.1 Critical |
| A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here> | ||||
| CVE-2026-8228 | 1 Wavlink | 2 Wl-nu516u1, Wl-nu516u1 Firmware | 2026-05-13 | 6.3 Medium |
| A security vulnerability has been detected in Wavlink NU516U1 240425. Impacted is the function advance of the file /cgi-bin/wireless.cgi. Such manipulation of the argument wlan_conf/Channel/skiplist/ieee_80211h leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-8227 | 1 Wavlink | 2 Wl-nu516u1, Wl-nu516u1 Firmware | 2026-05-13 | 6.3 Medium |
| A weakness has been identified in Wavlink NU516U1 240425. This issue affects the function wzdapMesh of the file /cgi-bin/adm.cgi. This manipulation causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-8192 | 1 Wavlink | 2 Wl-nu516u1, Wl-nu516u1 Firmware | 2026-05-13 | 6.3 Medium |
| A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument EncrypType/wl_Pass is directly passed by the attacker/so we can control the EncrypType/wl_Pass results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-8191 | 1 Wavlink | 2 Wl-nu516u1, Wl-nu516u1 Firmware | 2026-05-13 | 6.3 Medium |
| A vulnerability was identified in Wavlink NU516U1 M16U1_V240425. This affects the function wifi_region of the file /cgi-bin/adm.cgi. Such manipulation of the argument skiplist1/skiplist2 leads to os command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-8190 | 1 Wavlink | 2 Wl-nu516u1, Wl-nu516u1 Firmware | 2026-05-13 | 6.3 Medium |
| A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. Affected by this issue is the function wan of the file /cgi-bin/adm.cgi. This manipulation of the argument ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway is directly passed by the attacker/so we can control the ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway causes os command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-8189 | 1 Wavlink | 2 Wl-nu516u1, Wl-nu516u1 Firmware | 2026-05-13 | 6.3 Medium |
| A vulnerability was found in Wavlink NU516U1 M16U1_V240425. Affected by this vulnerability is the function wzdrepeater of the file /cgi-bin/adm.cgi. The manipulation of the argument wlan_bssid/sel_Automode/sel_EncrypTyp results in os command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-8188 | 1 Wavlink | 2 Wl-nu516u1, Wl-nu516u1 Firmware | 2026-05-13 | 6.3 Medium |
| A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. Affected is the function change_wifi_password of the file /cgi-bin/adm.cgi. The manipulation of the argument wl_channel/wl_Pass/EncrypType leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure. | ||||
| CVE-2026-35506 | 2026-05-13 | N/A | ||
| ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a logged-in user, an arbitrary OS command may be executed. | ||||