Total
4869 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41674 | 2025-11-03 | N/A | 7.2 HIGH | ||
| A high privileged remote attacker can execute arbitrary system commands via POST requests in the diagnostic action due to improper neutralization of special elements used in an OS command. | |||||
| CVE-2025-41673 | 2025-11-03 | N/A | 7.2 HIGH | ||
| A high privileged remote attacker can execute arbitrary system commands via POST requests in the send_sms action due to improper neutralization of special elements used in an OS command. | |||||
| CVE-2025-27804 | 2025-11-03 | N/A | 6.5 MEDIUM | ||
| Several OS command injection vulnerabilities exist in the device firmware in the /var/salia/mqtt.php script. By publishing a specially crafted message to a certain MQTT topic arbitrary OS commands can be executed with root permissions. | |||||
| CVE-2025-43941 | 1 Dell | 1 Unity Operating Environment | 2025-11-03 | N/A | 7.2 HIGH |
| Dell Unity, version(s) 5.5 and Prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability to execute arbitrary command with root privileges. This vulnerability only affects systems without a valid license install. | |||||
| CVE-2025-43940 | 1 Dell | 1 Unity Operating Environment | 2025-11-03 | N/A | 7.8 HIGH |
| Dell Unity, version(s) 5.5 and Prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation of privileges. | |||||
| CVE-2025-43939 | 1 Dell | 1 Unity Operating Environment | 2025-11-03 | N/A | 7.8 HIGH |
| Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation of privileges. | |||||
| CVE-2024-4577 | 3 Fedoraproject, Microsoft, Php | 3 Fedora, Windows, Php | 2025-11-03 | N/A | 9.8 CRITICAL |
| In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. | |||||
| CVE-2023-25279 | 1 Dlink | 2 Dir-820l, Dir-820l Firmware | 2025-11-03 | N/A | 9.8 CRITICAL |
| OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload. | |||||
| CVE-2021-40407 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2025-11-03 | 7.5 HIGH | 7.2 HIGH |
| An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2019-3929 | 8 Barco, Blackbox, Crestron and 5 more | 24 Wepresent Wipg-1000p, Wepresent Wipg-1000p Firmware, Wepresent Wipg-1600w and 21 more | 2025-11-03 | 10.0 HIGH | 9.8 CRITICAL |
| The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. | |||||
| CVE-2025-9377 | 1 Tp-link | 6 Archer C7, Archer C7 Firmware, Tl-wr841n and 3 more | 2025-11-03 | N/A | 7.2 HIGH |
| The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es). | |||||
| CVE-2022-44877 | 1 Control-webpanel | 1 Webpanel | 2025-11-03 | N/A | 9.8 CRITICAL |
| login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. | |||||
| CVE-2023-25280 | 1 Dlink | 2 Dir-820l, Dir-820l Firmware | 2025-11-03 | N/A | 9.8 CRITICAL |
| OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp. | |||||
| CVE-2025-54406 | 1 Planet | 2 Wgr-500, Wgr-500 Firmware | 2025-11-03 | N/A | 8.8 HIGH |
| Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This command injection is related to the `counts` request parameter. | |||||
| CVE-2025-54405 | 1 Planet | 2 Wgr-500, Wgr-500 Firmware | 2025-11-03 | N/A | 8.8 HIGH |
| Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This command injection is related to the `ipaddr` request parameter. | |||||
| CVE-2025-54404 | 1 Planet | 2 Wgr-500, Wgr-500 Firmware | 2025-11-03 | N/A | 8.8 HIGH |
| Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is related to the `new_device_name` request parameter. | |||||
| CVE-2025-54403 | 1 Planet | 2 Wgr-500, Wgr-500 Firmware | 2025-11-03 | N/A | 8.8 HIGH |
| Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is related to the `new_password` request parameter. | |||||
| CVE-2025-12296 | 1 Dlink | 2 Dap-2695, Dap-2695 Firmware | 2025-11-03 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security vulnerability has been detected in D-Link DAP-2695 2.00RC13. The impacted element is the function sub_4174B0 of the component Firmware Update Handler. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-2909 | 1 Ruijie | 2 Rg-eg350, Rg-eg350 Firmware | 2025-11-03 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability classified as critical was found in Ruijie RG-EG350 up to 20240318. Affected by this vulnerability is the function setAction of the file /itbox_pi/networksafe.php?a=set of the component HTTP POST Request Handler. The manipulation of the argument bandwidth leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257977 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-2910 | 1 Ruijie | 2 Rg-eg350, Rg-eg350 Firmware | 2025-11-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in Ruijie RG-EG350 up to 20240318. Affected by this issue is the function vpnAction of the file /itbox_pi/vpn_quickset_service.php?a=set_vpn of the component HTTP POST Request Handler. The manipulation of the argument ip/port/user/pass/dns/startIp leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257978 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||