Total
5757 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59534 | 1 Nasa | 1 Cryptolib | 2025-10-08 | 7.3 High |
| CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.2, there is a command Injection vulnerability in initialize_kerberos_keytab_file_login(). The vulnerability exists because the code directly interpolates user-controlled input into a shell command and executes it via system() without any sanitization or validation. This issue has been patched in version 1.4.2. | ||||
| CVE-2025-10775 | 1 Wavlink | 2 Wl-nu516u1, Wl-nu516u1 Firmware | 2025-10-07 | 4.7 Medium |
| A security vulnerability has been detected in Wavlink WL-NU516U1 240425. This vulnerability affects the function sub_4012A0 of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-26389 | 1 Siemens | 4 Ozw672, Ozw672 Firmware, Ozw772 and 1 more | 2025-10-06 | 10 Critical |
| A vulnerability has been identified in OZW672 (All versions < V8.0), OZW772 (All versions < V8.0). The web service in affected devices does not sanitize the input parameters required for the `exportDiagramPage` endpoint. This could allow an unauthenticated remote attacker to execute arbitrary code with root privileges. | ||||
| CVE-2025-59741 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/CLT/LOGINERRORFRM.ASP'. | ||||
| CVE-2025-59740 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_CAT.ASP'. | ||||
| CVE-2025-59739 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_original.ASP'. | ||||
| CVE-2025-10326 | 1 Sourcefabric | 2 Phoniebox, Rpi-jukebox-rfid | 2025-10-02 | 6.3 Medium |
| A security flaw has been discovered in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected is an unknown function of the file /htdocs/api/playlist/single.php. Performing manipulation of the argument playlist results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59738 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_BET.ASP'. | ||||
| CVE-2025-10328 | 1 Sourcefabric | 2 Phoniebox, Rpi-jukebox-rfid | 2025-10-02 | 6.3 Medium |
| A security vulnerability has been detected in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this issue is some unknown functionality of the file /htdocs/api/playlist/playsinglefile.php. The manipulation of the argument File leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59737 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_LXA.ASP'. | ||||
| CVE-2025-10358 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2025-10-02 | 7.3 High |
| A security vulnerability has been detected in Wavlink WL-WN578W2 221110. This affects the function sub_404850 of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10359 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2025-10-02 | 7.3 High |
| A vulnerability was detected in Wavlink WL-WN578W2 221110. This impacts the function sub_404DBC of the file /cgi-bin/wireless.cgi. The manipulation of the argument macAddr results in os command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59736 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_DJO.ASP'. | ||||
| CVE-2025-59735 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM.ASP'. | ||||
| CVE-2025-27262 | 1 Ericsson | 2 Indoor Connect 8855, Indoor Connect 8855 Firmware | 2025-10-02 | 7.8 High |
| Ericsson Indoor Connect 8855 contains a command injection vulnerability which if exploited can result in an escalation of privileges. | ||||
| CVE-2025-43020 | 1 Hp | 1 Poly Clariti Manager | 2025-10-02 | 6.8 Medium |
| A potential command injection vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The vulnerability could allow a privileged user to submit arbitrary input. HP has addressed the issue in the latest software update. | ||||
| CVE-2025-9588 | 2 Ironmountain, Linux | 2 Envision, Linux Kernel | 2025-10-02 | 10 Critical |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Iron Mountain Archiving Services Inc. EnVision allows Command Injection.This issue affects enVision: before 250563. | ||||
| CVE-2024-52058 | 1 Rti | 1 Connext Professional | 2025-10-02 | 7.8 High |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in RTI Connext Professional (System Designer) allows OS Command Injection.This issue affects Connext Professional: from 7.0.0 before 7.3.0.2, from 6.1.0 before 6.1.2.19. | ||||
| CVE-2024-39935 | 1 Jc21 | 1 Nginx Proxy Manager | 2025-10-02 | 8.8 High |
| jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS provider configuration. NOTE: this is not part of any NGINX software shipped by F5. | ||||
| CVE-2025-3816 | 1 Westboy | 1 Cicadascms | 2025-10-01 | 4.7 Medium |
| A vulnerability classified as critical was found in westboy CicadasCMS 2.0. This vulnerability affects unknown code of the file /system/schedule/save of the component Scheduled Task Handler. The manipulation leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||