Total
2537 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22903 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2025-06-04 | N/A | 8.8 HIGH |
| Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function. | |||||
| CVE-2024-22729 | 1 Netis-systems | 2 Mw5360, Mw5360 Firmware | 2025-06-04 | N/A | 9.8 CRITICAL |
| NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page. | |||||
| CVE-2024-22529 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-06-04 | N/A | 9.8 CRITICAL |
| TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa. | |||||
| CVE-2025-48492 | 1 Getsimple-ce | 1 Getsimple Cms | 2025-06-04 | N/A | 8.8 HIGH |
| GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE). This issue is set to be patched in version 3.3.22. | |||||
| CVE-2025-48936 | 1 Zitadel | 1 Zitadel | 2025-06-04 | N/A | 8.1 HIGH |
| Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2. | |||||
| CVE-2025-45800 | 1 Totolink | 2 A950rg, A950rg Firmware | 2025-06-04 | N/A | 9.8 CRITICAL |
| TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a command execution vulnerability in the setDeviceName interface of the /lib/cste_modules/global.so library, specifically in the processing of the deviceMac parameter. | |||||
| CVE-2024-39963 | 1 Tenda | 4 Ax12, Ax12 Firmware, Ax9 and 1 more | 2025-06-04 | N/A | 8.0 HIGH |
| AX3000 Dual-Band Gigabit Wi-Fi 6 Router AX9 V22.03.01.46 and AX3000 Dual-Band Gigabit Wi-Fi 6 Router AX12 V1.0 V22.03.01.46 were discovered to contain an authenticated remote command execution (RCE) vulnerability via the macFilterType parameter at /goform/setMacFilterCfg. | |||||
| CVE-2023-51812 | 1 Tenda | 2 Ax3, Ax3 Firmware | 2025-06-03 | N/A | 9.8 CRITICAL |
| Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /goform/SetNetControlList. | |||||
| CVE-2025-46176 | 1 Dlink | 4 Dir-605l, Dir-605l Firmware, Dir-816l and 1 more | 2025-06-03 | N/A | 6.5 MEDIUM |
| Hardcoded credentials in the Telnet service in D-Link DIR-605L v2.13B01 and DIR-816L v2.06B01 allow attackers to remotely execute arbitrary commands via firmware analysis. | |||||
| CVE-2023-6634 | 1 Thimpress | 1 Learnpress | 2025-06-03 | N/A | 8.1 HIGH |
| The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution. | |||||
| CVE-2024-43027 | 1 Draytek | 6 Vigor2960, Vigor2960 Firmware, Vigor300b and 3 more | 2025-06-03 | N/A | 8.0 HIGH |
| DrayTek Vigor 3900 before v1.5.1.5_Beta, DrayTek Vigor 2960 before v1.5.1.5_Beta and DrayTek Vigor 300B before v1.5.1.5_Beta were discovered to contain a command injection vulnerability via the action parameter at cgi-bin/mainfunction.cgi. | |||||
| CVE-2025-32813 | 1 Infoblox | 1 Netmri | 2025-06-03 | N/A | 7.2 HIGH |
| An issue was discovered in Infoblox NETMRI before 7.6.1. Remote Unauthenticated Command Injection can occur. | |||||
| CVE-2024-46256 | 1 Jc21 | 1 Nginx Proxy Manager | 2025-06-03 | N/A | 9.8 CRITICAL |
| A Command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to RCE via Add Let's Encrypt Certificate. | |||||
| CVE-2024-0579 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-06-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in Totolink X2000R 1.0.0-B20221212.1452. Affected by this vulnerability is the function formMapDelDevice of the file /boafrm/formMapDelDevice. The manipulation of the argument macstr leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-48842 | 1 Dlink | 2 Go-rt-ac750, Go-rt-ac750 Firmware | 2025-06-03 | N/A | 9.8 CRITICAL |
| D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi. | |||||
| CVE-2025-5113 | 2025-06-02 | N/A | N/A | ||
| The Diviotec professional series exposes a web interface. One endpoint is vulnerable to arbitrary command injection and hardcoded passwords are used. | |||||
| CVE-2025-4010 | 2025-06-02 | N/A | N/A | ||
| The Netcom NTC 6200 and NWL 222 series expose a web interface to be configured and set up by operators. Multiple endpoints of the web interface are vulnerable to arbitrary command injection and use insecure hardcoded passwords. Remote authenticated attackers can gain arbitrary code execution with elevated privileges. | |||||
| CVE-2024-20287 | 1 Cisco | 2 Wap371, Wap371 Firmware | 2025-06-02 | N/A | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point (AP) with Single Point Setup could allow an authenticated, remote attacker to perform command injection attacks against an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit this vulnerability, the attacker must have valid administrative credentials for the device. | |||||
| CVE-2024-25228 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2025-06-02 | N/A | 8.8 HIGH |
| Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php. | |||||
| CVE-2024-57338 | 2025-05-30 | N/A | 6.5 MEDIUM | ||
| An arbitrary file upload vulnerability in M2Soft CROWNIX Report & ERS v5.x to v5.5.14.1070, v7.x to v7.4.3.960, and v8.x to v8.2.0.345 allows attackers to execute arbitrary code via supplying a crafted file. | |||||