Total
3407 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-36786 | 1 Dlink | 2 Dsl-224, Dsl-224 Firmware | 2025-04-29 | 9.9 Critical |
| DLINK - DSL-224 Post-auth RCE. DLINK router version 3.0.8 has an interface where you can configure NTP servers (Network Time Protocol) via jsonrpc API. It is possible to inject a command through this interface that will run with ROOT permissions on the router. | ||||
| CVE-2025-3729 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-04-29 | 7.3 High |
| A vulnerability, which was classified as critical, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. This issue affects some unknown processing of the file backup.php of the component Database Backup Handler. The manipulation of the argument txtdbname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-29209 | 1 Totolink | 2 X18, X18 Firmware | 2025-04-29 | 9.8 Critical |
| TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution in the enable parameter' of the sub_41105C function of cstecgi .cgi. | ||||
| CVE-2024-57036 | 1 Totolink | 2 A810r, A810r Firmware | 2025-04-29 | 8.1 High |
| TOTOLINK A810R V4.1.2cu.5032_B20200407 was found to contain a command insertion vulnerability in downloadFile.cgi main function. This vulnerability allows an attacker to execute arbitrary commands by sending HTTP request. | ||||
| CVE-2022-40282 | 1 Belden | 2 Hirschmann Bat-c2, Hirschmann Bat-c2 Firmware | 2025-04-29 | 8.8 High |
| The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection. This allows an authenticated attacker to pass commands to the shell of the system because the dir parameter of the FsCreateDir Ajax function is not sufficiently sanitized. The vendor's ID is BSECV-2022-21. | ||||
| CVE-2025-29062 | 1 Lb-link | 2 Bl-ac2100, Bl-ac2100 Firmware | 2025-04-29 | 9.8 Critical |
| An issue in BL-AC2100 <=V1.0.4 allows a remote attacker to execute arbitrary code via the time1 and time2 parameters in the set_LimitClient_cfg of the goahead webservice. | ||||
| CVE-2025-29063 | 1 Lb-link | 2 Bl-ac2100, Bl-ac2100 Firmware | 2025-04-29 | 9.8 Critical |
| An issue in BL-AC2100 V1.0.4 and before allows a remote attacker to execute arbitrary code via the enable parameter passed to /goform/set_hidessid_cfg is not handled properly. | ||||
| CVE-2022-40770 | 1 Zohocorp | 3 Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus | 2025-04-28 | 7.2 High |
| Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users. | ||||
| CVE-2024-46084 | 1 Scriptcase | 1 Scriptcase | 2025-04-28 | 8 High |
| Scriptcase 9.10.023 and before is vulnerable to Remote Code Execution (RCE) via the nm_unzip function. | ||||
| CVE-2024-44570 | 1 Relyum | 2 Rely-pcie, Rely-pcie Firmware | 2025-04-28 | 8.8 High |
| RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a code injection vulnerability via the getParams function in phpinf.php. | ||||
| CVE-2024-44572 | 1 Relyum | 2 Rely-pcie, Rely-pcie Firmware | 2025-04-28 | 8.8 High |
| RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_mgmt function. | ||||
| CVE-2024-44574 | 1 Relyum | 2 Rely-pcie, Rely-pcie Firmware | 2025-04-28 | 8.8 High |
| RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_conf function. | ||||
| CVE-2024-44577 | 1 Relyum | 2 Rely-pcie, Rely-pcie Firmware | 2025-04-28 | 8.8 High |
| RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the time_date function. | ||||
| CVE-2020-23584 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2025-04-25 | 9.8 Critical |
| Unauthenticated remote code execution in OPTILINK OP-XT71000N, Hardware Version: V2.2 occurs when the attacker passes arbitrary commands with IP-ADDRESS using " | " to execute commands on " /diag_tracert_admin.asp " in the "PingTest" parameter that leads to command execution. | ||||
| CVE-2020-23583 | 1 Optilinknetwork | 2 Op-xt71000n, Op-xt71000n Firmware | 2025-04-25 | 9.8 Critical |
| OPTILINK OP-XT71000N V2.2 is vulnerable to Remote Code Execution. The issue occurs when the attacker sends an arbitrary code on "/diag_ping_admin.asp" to "PingTest" interface that leads to COMMAND EXECUTION. An attacker can successfully trigger the COMMAND and can compromise full system. | ||||
| CVE-2022-45462 | 1 Apache | 1 Dolphinscheduler | 2025-04-25 | 9.8 Critical |
| Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher | ||||
| CVE-2022-22984 | 1 Snyk | 8 Snyk Cli, Snyk Cocoapods Cli, Snyk Docker Cli and 5 more | 2025-04-25 | 5 Medium |
| The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342). A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline. This issue has been addressed in the latest Snyk Docker images available at https://hub.docker.com/r/snyk/snyk as of 2022-11-29. Images downloaded and built prior to that date should be updated. The issue has also been addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605. | ||||
| CVE-2022-36962 | 1 Solarwinds | 1 Orion Platform | 2025-04-25 | 7.2 High |
| SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands. | ||||
| CVE-2022-40746 | 2 Ibm, Microsoft | 2 I Access Client Solutions, Windows | 2025-04-24 | 7.2 High |
| IBM i Access Family 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability. By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236581. | ||||
| CVE-2022-23614 | 3 Debian, Fedoraproject, Symfony | 3 Debian Linux, Fedora, Twig | 2025-04-23 | 8.8 High |
| Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade. | ||||