Total
2356 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31644 | 2025-05-08 | N/A | 8.7 HIGH | ||
| When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary system commands. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-3987 | 1 Totolink | 2 N150rt, N150rt Firmware | 2025-05-07 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as critical. This issue affects some unknown processing of the file /boafrm/formWsc. The manipulation of the argument localPin leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-57235 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the iface parameter in the vif_enable function. | |||||
| CVE-2024-57234 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_cancel_wps function. | |||||
| CVE-2024-57233 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) v1.0.2.26 was discovered to contain a command injection vulnerability via the iface parameter in the vif_disable function. | |||||
| CVE-2024-57232 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_wps_gen_pincode function. | |||||
| CVE-2024-57231 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pbc_wps function. | |||||
| CVE-2024-57230 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pin_wps function. | |||||
| CVE-2024-57229 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the devname parameter in the reset_wifi function. | |||||
| CVE-2025-45042 | 1 Tenda | 2 Ac9, Ac9 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. | |||||
| CVE-2024-51186 | 1 Dlink | 2 Dir-820l, Dir-820l Firmware | 2025-05-07 | N/A | 8.0 HIGH |
| D-Link DIR-820L 1.05b03 was discovered to contain a remote code execution (RCE) vulnerability via the ping_addr parameter in the ping_v4 and ping_v6 functions. | |||||
| CVE-2025-26262 | 2025-05-07 | N/A | 6.5 MEDIUM | ||
| An issue in the component /internals/functions of R-fx Networks Linux Malware Detect v1.6.5 allows attackers to escalate privileges and execute arbitrary code via supplying a file that contains a crafted filename. | |||||
| CVE-2025-22476 | 2025-05-07 | N/A | 5.5 MEDIUM | ||
| Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Remote execution. | |||||
| CVE-2025-46816 | 2025-05-07 | N/A | 9.4 CRITICAL | ||
| goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue. | |||||
| CVE-2025-46735 | 2025-05-07 | N/A | N/A | ||
| Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found in Terraform WinDNS Provider before version `1.0.5`. The `windns_record` resource did not sanitize the input variables. This could lead to authenticated command injection in the underlyding powershell command prompt. Version 1.0.5 contains a fix for the issue. | |||||
| CVE-2024-29435 | 1 Alldata | 1 Alldata | 2025-05-07 | N/A | 4.1 MEDIUM |
| An issue discovered in Alldata v0.4.6 allows attacker to run arbitrary commands via the processId parameter. | |||||
| CVE-2025-28017 | 1 Totolink | 2 A800r, A800r Firmware | 2025-05-06 | N/A | 6.5 MEDIUM |
| TOTOLINK A800R V4.1.2cu.5032_B20200408 is vulnerable to Command Injection in downloadFile.cgi via the QUERY_STRING parameter. | |||||
| CVE-2024-22061 | 1 Ivanti | 1 Avalanche | 2025-05-06 | N/A | 9.8 CRITICAL |
| A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands | |||||
| CVE-2023-49959 | 1 Indu-sol | 1 Profinet-inspektor Nt | 2025-05-05 | N/A | 9.8 CRITICAL |
| In Indo-Sol PROFINET-INspektor NT through 2.4.0, a command injection vulnerability in the gedtupdater service of the firmware allows remote attackers to execute arbitrary system commands with root privileges via a crafted filename parameter in POST requests to the /api/updater/ctrl/start_update endpoint. | |||||
| CVE-2020-10826 | 1 Draytek | 6 Vigor2960, Vigor2960 Firmware, Vigor300b and 3 more | 2025-05-05 | 10.0 HIGH | 9.8 CRITICAL |
| /cgi-bin/activate.cgi on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve command injection via a remote HTTP request in DEBUG mode. | |||||