Export limit exceeded: 20410 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (20410 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-26856 | 2026-04-15 | N/A | ||
| Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617. | ||||
| CVE-2025-15388 | 1 Qno Technology | 1 Vpn Firewall | 2026-04-15 | 8.8 High |
| VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | ||||
| CVE-2025-55037 | 2026-04-15 | N/A | ||
| Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources. | ||||
| CVE-2025-30015 | 2026-04-15 | 4.1 Medium | ||
| Due to incorrect memory address handling in ABAP SQL of SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker with high privileges could execute certain forms of SQL queries leading to manipulation of content in the output variable. This vulnerability has a low impact on the confidentiality, integrity and the availability of the application. | ||||
| CVE-2025-1536 | 2026-04-15 | 7.3 High | ||
| A vulnerability was found in Raisecom Multi-Service Intelligent Gateway up to 20250208. It has been declared as critical. This vulnerability affects unknown code of the file /vpn/vpn_template_style.php of the component Request Parameter Handler. The manipulation of the argument stylenum leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-32778 | 2026-04-15 | N/A | ||
| Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments. | ||||
| CVE-2025-6978 | 1 Arista | 1 Ng Firewall | 2026-04-15 | 7.2 High |
| Diagnostics command injection vulnerability | ||||
| CVE-2025-9340 | 1 Bouncycastle | 1 Legion-of-the-bouncy-castle-fips-java-api | 2026-04-15 | 5.9 Medium |
| Out-of-bounds Write vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bc-fips on All (API modules). This vulnerability is associated with program files org/bouncycastle/jcajce/provider/BaseCipher. This issue affects Bouncy Castle for Java: from BC-FJA 2.1.0 through 2.1.0. | ||||
| CVE-2024-4582 | 2026-04-15 | 7.3 High | ||
| A vulnerability classified as critical has been found in Faraday GM8181 and GM828x up to 20240429. Affected is an unknown function of the component NTP Service. The manipulation of the argument ntp_srv leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-263304. | ||||
| CVE-2025-26055 | 2026-04-15 | 6.5 Medium | ||
| An OS Command Injection vulnerability exists in the Infinxt iEdge 100 2.1.32 Troubleshoot module, specifically in the tracertVal parameter of the Tracert function. | ||||
| CVE-2025-68922 | 1 Openops | 1 Openops | 2026-04-15 | 7.4 High |
| OpenOps before 0.6.11 allows remote code execution in the Terraform block. | ||||
| CVE-2013-10037 | 2 Eppler Software, Webtester | 2 Webtester, Webtester | 2026-04-15 | N/A |
| An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges. | ||||
| CVE-2024-51228 | 1 Totolink | 4 A3002ru Firmware, N150rt Firmware, N300rt Firmware and 1 more | 2026-04-15 | 6.8 Medium |
| An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote attacker to execute arbitrary code via the /boafrm/formSysCmd component. | ||||
| CVE-2025-3626 | 2026-04-15 | 9.1 Critical | ||
| A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI. | ||||
| CVE-2025-7451 | 1 Hgiga | 1 Isherlock | 2026-04-15 | 9.8 Critical |
| The iSherlock developed by Hgiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. This vulnerability has already been exploited. Please update immediately. | ||||
| CVE-2025-66572 | 1 Loadedcommerce | 1 Loaded Commerce | 2026-04-15 | N/A |
| Loaded Commerce 6.6 contains a client-side template injection vulnerability that allows unauthenticated attackers to execute code on the server via the search parameter. | ||||
| CVE-2025-62354 | 1 Cursor | 1 Cursor | 2026-04-15 | 9.8 Critical |
| Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution. | ||||
| CVE-2025-64126 | 1 Zenitel | 1 Tciv-3+ | 2026-04-15 | 10 Critical |
| An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands. | ||||
| CVE-2024-31705 | 2026-04-15 | 9.8 Critical | ||
| An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input. | ||||
| CVE-2025-53367 | 2026-04-15 | N/A | ||
| DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the allocated buffer. This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with pr is also possible for the same reason. This issue has been patched in version 3.5.29. | ||||