Total: 2764 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-57234 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_cancel_wps function. | |||||
| CVE-2024-57233 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) v1.0.2.26 was discovered to contain a command injection vulnerability via the iface parameter in the vif_disable function. | |||||
| CVE-2024-57232 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_wps_gen_pincode function. | |||||
| CVE-2024-57231 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pbc_wps function. | |||||
| CVE-2024-57230 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pin_wps function. | |||||
| CVE-2024-57229 | 1 Netgear | 2 Rax50, Rax50 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| NETGEAR RAX5 (AX1600 WiFi Router) V1.0.2.26 was discovered to contain a command injection vulnerability via the devname parameter in the reset_wifi function. | |||||
| CVE-2025-45042 | 1 Tenda | 2 Ac9, Ac9 Firmware | 2025-05-07 | N/A | 9.8 CRITICAL |
| Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. | |||||
| CVE-2024-51186 | 1 Dlink | 2 Dir-820l, Dir-820l Firmware | 2025-05-07 | N/A | 8.0 HIGH |
| D-Link DIR-820L 1.05b03 was discovered to contain a remote code execution (RCE) vulnerability via the ping_addr parameter in the ping_v4 and ping_v6 functions. | |||||
| CVE-2025-46735 | | | 2025-05-07 | N/A | N/A |
| Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found in Terraform WinDNS Provider before version `1.0.5`. The `windns_record` resource did not sanitize the input variables. This could lead to authenticated command injection in the underlying PowerShell command prompt. Version 1.0.5 contains a fix for the issue. | |||||
| CVE-2025-46816 | | | 2025-05-07 | N/A | 9.4 CRITICAL |
| goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the `-c` CLI option, thus allowing anyone to execute arbitrary commands through the use of websockets. Version 1.0.5 fixes the issue. | |||||
| CVE-2025-26262 | | | 2025-05-07 | N/A | 6.5 MEDIUM |
| An issue in the component /internals/functions of R-fx Networks Linux Malware Detect v1.6.5 allows attackers to escalate privileges and execute arbitrary code via supplying a file that contains a crafted filename. | |||||
| CVE-2024-29435 | 1 Alldata | 1 Alldata | 2025-05-07 | N/A | 4.1 MEDIUM |
| An issue discovered in Alldata v0.4.6 allows an attacker to run arbitrary commands via the processId parameter. | |||||
| CVE-2025-28017 | 1 Totolink | 2 A800r, A800r Firmware | 2025-05-06 | N/A | 6.5 MEDIUM |
| TOTOLINK A800R V4.1.2cu.5032_B20200408 is vulnerable to Command Injection in downloadFile.cgi via the QUERY_STRING parameter. | |||||
| CVE-2024-22061 | 1 Ivanti | 1 Avalanche | 2025-05-06 | N/A | 9.8 CRITICAL |
| A Heap Overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands. | |||||
| CVE-2023-49959 | 1 Indu-sol | 1 Profinet-inspektor Nt | 2025-05-05 | N/A | 9.8 CRITICAL |
| In Indo-Sol PROFINET-INspektor NT through 2.4.0, a command injection vulnerability in the gedtupdater service of the firmware allows remote attackers to execute arbitrary system commands with root privileges via a crafted filename parameter in POST requests to the /api/updater/ctrl/start_update endpoint. | |||||
| CVE-2018-9866 | 1 Sonicwall | 1 Global Management System | 2025-05-05 | 7.5 HIGH | 9.8 CRITICAL |
| A lack of validation of user-supplied parameters passed to XML-RPC calls on the SonicWall Global Management System (GMS) virtual appliance allows a remote user to execute arbitrary code. This vulnerability affected GMS version 8.1 and earlier. | |||||
| CVE-2020-10826 | 1 Draytek | 6 Vigor2960, Vigor2960 Firmware, Vigor300b and 3 more | 2025-05-05 | 10.0 HIGH | 9.8 CRITICAL |
| /cgi-bin/activate.cgi on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve command injection via a remote HTTP request in DEBUG mode. | |||||
| CVE-2023-26801 | 1 Lb-link | 8 Bl-ac1900, Bl-ac1900 Firmware, Bl-lte300 and 5 more | 2025-05-05 | N/A | 9.8 CRITICAL |
| LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg. | |||||
| CVE-2022-43109 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2025-05-05 | N/A | 9.8 CRITICAL |
| D-Link DIR-823G v1.0.2 was found to contain a command injection vulnerability in the function SetNetworkTomographySettings. This vulnerability allows attackers to execute arbitrary commands via a crafted packet. | |||||
| CVE-2025-4076 | | | 2025-05-02 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function easy_uci_set_option_string_0 of the file /cgi-bin/lighttpd.cgi of the component Password Handler. The manipulation of the argument routepwd leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
