Total
5779 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-38511 | 2026-04-15 | 7.2 High | ||
| A privilege escalation vulnerability was discovered in an upload processing functionality of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. | ||||
| CVE-2025-34143 | 2026-04-15 | N/A | ||
| An authentication bypass vulnerability exists in ETQ Reliance on the CG (legacy) platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, enabling attackers with network access to the login page to obtain elevated access. Once authenticated, an attacker could achieve remote code execution by modifying Jython scripts within the application. This issue was resolved by introducing stricter validation logic to exclude internal accounts from public authentication workflows in version MP-4583. | ||||
| CVE-2024-25002 | 2026-04-15 | 8.8 High | ||
| Command Injection in the diagnostics interface of the Bosch Network Synchronizer allows unauthorized users full access to the device. | ||||
| CVE-2024-38508 | 1 Lenovo | 1 Xclarity Controller | 2026-04-15 | 7.2 High |
| A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request. | ||||
| CVE-2025-34113 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2026-04-15 | N/A |
| An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user. | ||||
| CVE-2025-1038 | 1 Hitachienergy | 1 Tropos | 2026-04-15 | N/A |
| The “Diagnostics Tools” page of the web-based configuration utility does not properly validate user-controlled input, allowing an authenticated user with high privileges to inject commands into the command shell of the TropOS 4th Gen device. The injected commands can be exploited to execute several set-uid (SUID) applications to ultimately gain root access to the TropOS device. | ||||
| CVE-2024-28748 | 1 Ifm | 2 Smart Plc Ac14xx Firmware, Smart Plc Ac4xxs Firmware | 2026-04-15 | 7.2 High |
| A remote attacker with high privileges may use a reading file function to inject OS commands. | ||||
| CVE-2024-42370 | 1 Litestar-org | 1 Litestar | 2026-04-15 | 8.3 High |
| Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In versions 2.10.0 and prior, Litestar's `docs-preview.yml` workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation. This issue grants a malicious actor the permission to write issues, read metadata, and write pull requests. In addition, the `DOCS_PREVIEW_DEPLOY_TOKEN` is exposed to the attacker. Commit 84d351e96aaa2a1338006d6e7221eded161f517b contains a fix for this issue. | ||||
| CVE-2025-3705 | 2026-04-15 | 6.8 Medium | ||
| A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive. | ||||
| CVE-2024-36360 | 1 Keisuke Nakayama | 1 Awkblog | 2026-04-15 | 9.8 Critical |
| OS command injection vulnerability exists in awkblog v0.0.1 (commit hash:7b761b192d0e0dc3eef0f30630e00ece01c8d552) and earlier. If a remote unauthenticated attacker sends a specially crafted HTTP request, an arbitrary OS command may be executed with the privileges of the affected product on the machine running the product. | ||||
| CVE-2025-2071 | 2026-04-15 | N/A | ||
| A critical OS Command Injection vulnerability has been identified in the FAST LTA Silent Brick WebUI, allowing remote attackers to execute arbitrary operating system commands via specially crafted input. This vulnerability arises due to improper handling of untrusted input, which is passed directly to system-level commands without adequate sanitization or validation. Successful exploitation could allow attackers to execute arbitrary commands on the affected system, potentially resulting in unauthorized access, data leakage, or full system compromise. Affected WebUI parameters are "hd" and "pi". | ||||
| CVE-2022-4978 | 2026-04-15 | N/A | ||
| Remote Control Server, maintained by Steppschuh, 3.1.1.12 allows unauthenticated remote code execution when authentication is disabled, which is the default configuration. The server exposes a custom UDP-based control protocol that accepts remote keyboard input events without verification. An attacker on the same network can issue a sequence of keystroke commands to launch a system shell and execute arbitrary commands, resulting in full system compromise. | ||||
| CVE-2024-21531 | 1 Git | 1 Git-shallow-clone | 2026-04-15 | 5.3 Medium |
| All versions of the package git-shallow-clone are vulnerable to Command injection due to missing sanitization or mitigation flags in the process variable of the gitShallowClone function. | ||||
| CVE-2024-3721 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260573 was assigned to this vulnerability. | ||||
| CVE-2025-34151 | 1 Shenzhen Aitemi | 2 M300, M300 Wifi Repeater | 2026-04-15 | N/A |
| A command injection vulnerability exists in the 'passwd' parameter of the PPPoE setup process on the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The input is passed directly to system-level commands without sanitation, enabling unauthenticated attackers to achieve root-level code execution. | ||||
| CVE-2021-4466 | 1 Ipcop | 1 Ipcop | 2026-04-15 | N/A |
| IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL_PW parameter, directly into system-level operations without proper input sanitation. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an authenticated attacker can execute arbitrary operating system commands with the privileges of the web interface, resulting in full system compromise. | ||||
| CVE-2014-125118 | 2026-04-15 | N/A | ||
| A command injection vulnerability exists in the eScan Web Management Console version 5.5-2. The application fails to properly sanitize the 'pass' parameter when processing login requests to login.php, allowing an authenticated attacker with a valid username to inject arbitrary commands via a specially crafted password value. Successful exploitation results in remote code execution. Privilege escalation to root is possible by abusing the runasroot utility with mwconf-level privileges. | ||||
| CVE-2025-1265 | 2026-04-15 | 9.9 Critical | ||
| An OS command injection vulnerability exists in Vinci Protocol Analyzer that could allow an attacker to escalate privileges and perform code execution on affected system. | ||||
| CVE-2024-2742 | 2026-04-15 | 6.4 Medium | ||
| Operating system command injection vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. An authenticated attacker could execute arbitrary code on the remote host by exploiting IP address functionality. | ||||
| CVE-2025-15389 | 1 Qno Technology | 1 Vpn Firewall | 2026-04-15 | 8.8 High |
| VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | ||||