Export limit exceeded: 20404 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (20404 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-52320 | 1 Planet Technology Corp | 1 Wgs-804hpt Firmware | 2026-04-15 | 9.8 Critical |
| The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution. | ||||
| CVE-2025-27614 | 2026-04-15 | 8.6 High | ||
| Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50. | ||||
| CVE-2021-47747 | 2026-04-15 | 8.8 High | ||
| meterN 1.2.3 contains an authenticated remote code execution vulnerability in admin_meter2.php and admin_indicator2.php scripts. Attackers can exploit the 'COMMANDx' and 'LIVECOMMANDx' POST parameters to execute arbitrary system commands with administrative privileges. | ||||
| CVE-2025-60017 | 1 Unitree | 4 B2, G1, Go2 and 1 more | 2026-04-15 | 8.2 High |
| Unitree Go2, G1, H1, and B2 devices through 2025-09-20 allow root OS command injection via the hostapd_restart.sh wifi_ssid or wifi_pass parameter (within restart_wifi_ap and restart_wifi_sta). | ||||
| CVE-2023-47282 | 2026-04-15 | 3.9 Low | ||
| Out-of-bounds write in Intel(R) Media SDK all versions and some Intel(R) oneVPL software before version 23.3.5 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2021-4470 | 2 Tg8, Togrow | 2 Tg8 Firewall, Tg8 Firewall | 2026-04-15 | N/A |
| TG8 Firewall contains a pre-authentication remote code execution vulnerability in the runphpcmd.php endpoint. The syscmd POST parameter is passed directly to a system command without validation and executed with root privileges. A remote, unauthenticated attacker can supply crafted values to execute arbitrary operating system commands as root, resulting in full device compromise. | ||||
| CVE-2024-2742 | 2026-04-15 | 6.4 Medium | ||
| Operating system command injection vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. An authenticated attacker could execute arbitrary code on the remote host by exploiting IP address functionality. | ||||
| CVE-2025-3189 | 2026-04-15 | N/A | ||
| Stored Cross-Site Scripting (XSS) in DoWISP in versions prior to 1.16.2.50, which consists of an stored XSS through the upload of a profile picture in SVG format with malicious Javascript code in it. | ||||
| CVE-2024-30804 | 1 Asus | 1 Fan Xpert | 2026-04-15 | 9.8 Critical |
| An issue discovered in the DeviceIoControl component in ASUS Fan_Xpert before v.10013 allows an attacker to execute arbitrary code via crafted IOCTL requests. | ||||
| CVE-2021-47781 | 1 Cmder | 1 Cmder | 2026-04-15 | 9.8 Critical |
| Cmder Console Emulator 1.3.18 contains a buffer overflow vulnerability that allows attackers to trigger a denial of service condition through a maliciously crafted .cmd file. Attackers can create a specially constructed .cmd file with repeated characters to overwhelm the console emulator's buffer and crash the application. | ||||
| CVE-2025-64109 | 1 Cursor | 1 Cursor | 2026-04-15 | 8.8 High |
| Cursor is a code editor built for programming with AI. In versions and below, a vulnerability in the Cursor CLI Beta allowed an attacker to achieve remote code execution through the MCP (Model Context Protocol) server mechanism by uploading a malicious MCP configuration in .cursor/mcp.json file in a GitHub repository. Once a victim clones the project and opens it using Cursor CLI, the command to run the malicious MCP server is immediately executed without any warning, leading to potential code execution as soon as the command runs. This issue is fixed in version 2025.09.17-25b418f. | ||||
| CVE-2025-36529 | 2026-04-15 | 7.2 High | ||
| An OS command injection issue exists in multiple versions of TB-eye network recorders and AHD recorders. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who is logging in to the device. | ||||
| CVE-2025-0690 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 6.1 Medium |
| The read command is used to read the keyboard input from the user, while reads it keeps the input length in a 32-bit integer value which is further used to reallocate the line buffer to accept the next character. During this process, with a line big enough it's possible to make this variable to overflow leading to a out-of-bounds write in the heap based buffer. This flaw may be leveraged to corrupt grub's internal critical data and secure boot bypass is not discarded as consequence. | ||||
| CVE-2024-34073 | 2026-04-15 | 7.8 High | ||
| sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. In affected versions the capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module allows for potentially unsafe Operating System (OS) Command Injection if inappropriate command is passed as the “requirements_path” parameter. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity. This issue has been addressed in version 2.214.3. Users are advised to upgrade. Users unable to upgrade should not override the “requirements_path” parameter of capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils`, and instead use the default value. | ||||
| CVE-2024-33222 | 1 Asus | 1 Atszio Driver | 2026-04-15 | 8.4 High |
| An issue in the component ATSZIO64.sys of ASUSTeK Computer Inc ASUS ATSZIO Driver v0.2.1.7 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests. | ||||
| CVE-2024-48459 | 1 Tenda | 1 Ax2 Pro Firmware | 2026-04-15 | 7.3 High |
| A command execution vulnerability exists in the AX2 Pro home router produced by Shenzhen Tenda Technology Co., Ltd. (Jixiang Tenda) v.DI_7003G-19.12.24A1V16.03.29.50;V16.03.29.50;V16.03.29.50. An attacker can exploit this vulnerability by constructing a malicious payload to execute commands and further obtain shell access to the router's file system with the highest privileges. | ||||
| CVE-2024-47918 | 2026-04-15 | 6.1 Medium | ||
| Tiki Wiki CMS – CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | ||||
| CVE-2025-43876 | 1 Johnsoncontrols | 5 Istar Edge G2, Istar Ultra, Istar Ultra G2 and 2 more | 2026-04-15 | N/A |
| Under certain circumstances a successful exploitation could result in access to the device. | ||||
| CVE-2024-4696 | 1 Lenovo | 1 Service Bridge | 2026-04-15 | 7.5 High |
| A privilege escalation vulnerability was reported in Lenovo Service Bridge prior to version 5.0.2.17 that could allow operating system commands to be executed if a specially crafted link is visited. | ||||
| CVE-2025-6225 | 2026-04-15 | N/A | ||
| Kieback&Peter Neutrino-GLT product is used for building management. It's web component "SM70 PHWEB" is vulnerable to shell command injection via login form. The injected commands would execute with low privileges. The vulnerability has been fixed in version 9.40.02 | ||||