Total
2296 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27849 | 1 Rails-routes-to-json Project | 1 Rails-routes-to-json | 2025-02-04 | N/A | 9.8 CRITICAL |
| rails-routes-to-json v1.0.0 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function. | |||||
| CVE-2023-29566 | 2 Dawnsparks-node-tesseract Project, Huedawn-tesseract Project | 2 Dawnsparks-node-tesseract, Huedawn-tesseract | 2025-02-04 | N/A | 9.8 CRITICAL |
| huedawn-tesseract 0.3.3 and dawnsparks-node-tesseract 0.4.0 to 0.4.1 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function. | |||||
| CVE-2024-57036 | 2025-02-04 | N/A | 8.1 HIGH | ||
| TOTOLINK A810R V4.1.2cu.5032_B20200407 was found to contain a command insertion vulnerability in downloadFile.cgi main function. This vulnerability allows an attacker to execute arbitrary commands by sending HTTP request. | |||||
| CVE-2024-53290 | 1 Dell | 1 Thinos | 2025-02-04 | N/A | 8.4 HIGH |
| Dell ThinOS version 2408 contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Command execution | |||||
| CVE-2024-57583 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2025-02-04 | N/A | 9.8 CRITICAL |
| Tenda AC18 V15.03.05.19 was discovered to contain a command injection vulnerability via the usbName parameter in the formSetSambaConf function. | |||||
| CVE-2022-40765 | 1 Mitel | 1 Mivoice Connect | 2025-02-04 | N/A | 6.8 MEDIUM |
| A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker with internal network access to conduct a command-injection attack, due to insufficient restriction of URL parameters. | |||||
| CVE-2024-0740 | 1 Eclipse | 1 Target Management | 2025-02-03 | N/A | 9.8 CRITICAL |
| Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 has a remote code execution vulnerability that does not require authentication. The fixed version is included in Eclipse IDE 2024-03 | |||||
| CVE-2024-54660 | 2025-02-03 | N/A | 8.7 HIGH | ||
| A JNDI injection issue was discovered in Cloudera JDBC Connector for Hive before 2.6.26 and JDBC Connector for Impala before 2.6.35. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This could lead to remote code execution. JNDI injection is possible via the JDBC connection property krbJAASFile for the Java Authentication and Authorization Service (JAAS). Using untrusted parameters in the krbJAASFile and/or remote host can trigger JNDI injection in the JDBC URL through the krbJAASFile. | |||||
| CVE-2024-23971 | 2025-01-31 | N/A | 8.8 HIGH | ||
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. | |||||
| CVE-2024-53526 | 2025-01-31 | N/A | 6.4 MEDIUM | ||
| composio >=0.5.40 is vulnerable to Command Execution in composio_openai, composio_claude, and composio_julep via the handle_tool_calls function. | |||||
| CVE-2023-22790 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2025-01-31 | N/A | 7.2 HIGH |
| Multiple authenticated command injection vulnerabilities exist in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. | |||||
| CVE-2023-22789 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2025-01-31 | N/A | 7.2 HIGH |
| Multiple authenticated command injection vulnerabilities exist in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. | |||||
| CVE-2023-32700 | 3 Luatex Project, Miktex, Tug | 3 Luatex, Miktex, Tex Live | 2025-01-31 | N/A | 7.8 HIGH |
| LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5. | |||||
| CVE-2024-25951 | 1 Dell | 1 Idrac8 | 2025-01-31 | N/A | 8.0 HIGH |
| A command injection vulnerability exists in local RACADM. A malicious authenticated user could gain control of the underlying operating system. | |||||
| CVE-2024-45824 | 1 Rockwellautomation | 1 Factorytalk View | 2025-01-31 | N/A | 9.8 CRITICAL |
| CVE-2024-45824 IMPACT A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue. | |||||
| CVE-2023-31460 | 1 Mitel | 1 Mivoice Connect | 2025-01-31 | N/A | 7.2 HIGH |
| A vulnerability in the Connect Mobility Router component of MiVoice Connect versions 9.6.2208.101 and earlier could allow an authenticated attacker with internal network access to conduct a command injection attack due to insufficient restriction on URL parameters. | |||||
| CVE-2024-4712 | 2 Microsoft, Papercut | 3 Windows, Papercut Mf, Papercut Ng | 2025-01-30 | N/A | 7.8 HIGH |
| An arbitrary file creation vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This specific flaw exists within the image-handler process, which can incorrectly create files that don’t exist when a maliciously formed payload is provided. This can lead to local privilege escalation. Note: This CVE has been split into two (CVE-2024-4712 and CVE-2024-8405) and it’s been rescored with a "Privileges Required (PR)" rating of low, and “Attack Complexity (AC)” rating of low, reflecting the worst-case scenario where an Administrator has granted local login access to standard network users on the host server. | |||||
| CVE-2023-31476 | 1 Gl-inet | 4 Gl-mv1000, Gl-mv1000 Firmware, Gl-mv1000w and 1 more | 2025-01-29 | N/A | 7.5 HIGH |
| An issue was discovered on GL.iNet devices running firmware before 3.216. There is an arbitrary file write in which an empty file can be created almost anywhere on the filesystem, as long as the filename and path is no more than 6 characters (the working directory is /www). | |||||
| CVE-2023-30135 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2025-01-29 | N/A | 9.8 CRITICAL |
| Tenda AC18 v15.03.05.19(6318_)_cn was discovered to contain a command injection vulnerability via the deviceName parameter in the setUsbUnload function. | |||||
| CVE-2023-26125 | 1 Gin-gonic | 1 Gin | 2025-01-29 | N/A | 5.6 MEDIUM |
| Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic. | |||||