Total
5756 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-50393 | 1 Qnap | 2 Qts, Quts Hero | 2025-09-23 | 9.8 Critical |
| A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later | ||||
| CVE-2024-37678 | 2 Finesoft Project, Hangzhou Meisoft Information Technology | 2 Finesoft, Finesoft | 2025-09-23 | 5.3 Medium |
| Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 and before allows a remote attacker to execute arbitrary code via a crafted script. | ||||
| CVE-2021-42081 | 1 Osnexus | 1 Quantastor | 2025-09-22 | 9.1 Critical |
| An authenticated administrator is allowed to remotely execute arbitrary shell commands via the API. POC http://<IP_ADDRESS>/qstorapi/storageSystemModify?storageSystem=&newName=quantastor&newDescription=;ls${IFS}-al&newLocation=4&newEnclosureLayoutId=5&newDnsServerList=;ls${IFS}-al&externalHostName=&newNTPServerList=;ls${IFS}-al | ||||
| CVE-2024-38644 | 1 Qnap | 1 Notes Station 3 | 2025-09-20 | 8.8 High |
| An OS command injection vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to execute commands. We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and later | ||||
| CVE-2024-53692 | 1 Qnap | 2 Qts, Quts Hero | 2025-09-20 | 4.7 Medium |
| A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.2.3.3006 build 20250108 and later | ||||
| CVE-2025-59377 | 1 Feisky | 1 Mcp-kubernetes-server | 2025-09-20 | 3.7 Low |
| feiskyer mcp-kubernetes-server through 0.1.11 allows OS command injection, even in read-only mode, via /mcp/kubectl because shell=True is used. NOTE: this is unrelated to mcp-server-kubernetes and CVE-2025-53355. | ||||
| CVE-2025-10442 | 1 Tenda | 4 Ac15, Ac15 Firmware, Ac9 and 1 more | 2025-09-19 | 6.3 Medium |
| A vulnerability was determined in Tenda AC9 and AC15 15.03.05.14. This affects the function formexeCommand of the file /goform/exeCommand. This manipulation of the argument cmdinput causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-22606 | 1 Coollabs | 1 Coolify | 2025-09-19 | 7.8 High |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a "project," it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`'`), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system. This vulnerability allows attackers to execute arbitrary commands on the host server, which could result in full system compromise; create, modify, or delete sensitive system files; and escalate privileges depending on the permissions of the executed process. Attackers with access to project management features could exploit this flaw to gain unauthorized control over the host environment. Version 4.0.0-beta.359 fixes this issue. | ||||
| CVE-2025-22605 | 1 Coollabs | 1 Coolify | 2025-09-19 | 7.8 High |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Starting in version 4.0.0-beta.18 and prior to 4.0.0-beta.253, a vulnerability in the execution of commands on remote servers allows an authenticated user to execute arbitrary code on the local Coolify container, gaining access to data and private keys or tokens of other users/teams. The ability to inject malicious commands into the Coolify container gives authenticated attackers the ability to fully retrieve and control the data and availability of the software. Centrally hosted Coolify instances (open registration and/or multiple teams with potentially untrustworthy users) are especially at risk, as sensitive data of all users and connected servers can be leaked by any user. Additionally, attackers are able to modify the running software, potentially deploying malicious images to remote nodes or generally changing its behavior. Version 4.0.0-beta.253 patches this issue. | ||||
| CVE-2025-58763 | 1 Tautulli | 1 Tautulli | 2025-09-18 | 8.1 High |
| Tautulli is a Python based monitoring and tracking tool for Plex Media Server. A command injection vulnerability in Tautulli v2.15.3 and prior allows attackers with administrative privileges to obtain remote code execution on the application server. This vulnerability requires the application to have been cloned from GitHub and installed manually. When Tautulli is cloned directly from GitHub and installed manually, the application manages updates and versioning through calls to the `git` command. In the code, this is performed through the `runGit` function in `versioncheck.py`. Since `shell=True` is passed to `subproces.Popen`, this call is vulnerable to subject to command injection, as shell characters within arguments will be passed to the underlying shell. A concrete location where this can be triggered is in the `checkout_git_branch` endpoint. This endpoint stores a user-supplied remote and branch name into the `GIT_REMOTE` and `GIT_BRANCH` configuration keys without sanitization. Downstream, these keys are then fetched and passed directly into `runGit` using a format string. Hence, code execution can be obtained by using `$()` interpolation in a command. Version 2.16.0 contains a fix for the issue. | ||||
| CVE-2025-58180 | 1 Octoprint | 1 Octoprint | 2025-09-18 | 8.8 High |
| OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered. If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact. The vulnerability is patched in version 1.11.3. As a workaround, OctoPrint administrators who have event handlers configured that include any kind of filename based placeholders should disable those by setting their `enabled` property to `False` or unchecking the "Enabled" checkbox in the GUI based Event Manager. Alternatively, OctoPrint administrators should set `feature.enforceReallyUniversalFilenames` to `true` in `config.yaml` and restart OctoPrint, then vet the existing uploads and make sure to delete any suspicious looking files. As always, OctoPrint administrators are advised to not expose OctoPrint on hostile networks like the public internet, and to vet who has access to their instance. | ||||
| CVE-2023-47415 | 1 Cypress | 2 Ctm-200, Ctm-200 Firmware | 2025-09-18 | 7.5 High |
| Cypress Solutions CTM-200 v2.7.1.5600 and below was discovered to contain an OS command injection vulnerability via the cli_text parameter. | ||||
| CVE-2025-54123 | 2 Hoverfly, Spectolabs | 2 Hoverfly, Hoverfly | 2025-09-17 | 9.8 Critical |
| Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. This issue is born due to combination of three code level flaws: Insufficient Input Validation in middleware.go line 94-96; Unsafe Command Execution in local_middleware.go line 14-19; and Immediate Execution During Testing in hoverfly_service.go line 173. This allows an attacker to gain remote code execution (RCE) on any system running the vulnerable Hoverfly service. Since the input is directly passed to system commands without proper checks, an attacker can upload a malicious payload or directly execute arbitrary commands (including reverse shells) on the host server with the privileges of the Hoverfly process. Commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 in version 1.12.0 disables the set middleware API by default, and subsequent changes to documentation make users aware of the security changes of exposing the set middleware API. | ||||
| CVE-2024-35306 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 9.8 Critical |
| OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects Pandora FMS: from 700 through <777. | ||||
| CVE-2024-35304 | 2 Artica, Pandorafms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 9.8 Critical |
| System command injection through Netflow function due to improper input validation, allowing attackers to execute arbitrary system commands. This issue affects Pandora FMS: from 700 through <777. | ||||
| CVE-2023-44092 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 7.6 High |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Pandora FMS on all allows OS Command Injection. This vulnerability allowed to create a reverse shell and execute commands in the OS. This issue affects Pandora FMS: from 700 through <776. | ||||
| CVE-2024-10443 | 1 Synology | 5 Beephotos, Beestation Os, Diskstation Manager and 2 more | 2025-09-16 | 9.8 Critical |
| Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors. | ||||
| CVE-2025-9174 | 1 Neurobin | 1 Shc | 2025-09-15 | 5.3 Medium |
| A vulnerability was determined in neurobin shc up to 4.0.3. This vulnerability affects the function make of the file src/shc.c of the component Filename Handler. Executing manipulation can lead to os command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2024-45698 | 1 Dlink | 3 Dir-4860 A1, Dir-x4860, Dir-x4860 Firmware | 2025-09-15 | 9.8 Critical |
| Certain models of D-Link wireless routers do not properly validate user input in the telnet service, allowing unauthenticated remote attackers to use hard-coded credentials to log into telnet and inject arbitrary OS commands, which can then be executed on the device. | ||||
| CVE-2025-58371 | 1 Roocode | 1 Roo Code | 2025-09-15 | 9.8 Critical |
| Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 and below, a Github workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner. The workflow runs with broad permissions and access to repository secrets. It is possible for an attacker to execute arbitrary commands on the runner, push or modify code in the repository, access secrets, and create malicious releases or packages, resulting in a complete compromise of the repository and its associated services. This is fixed in version 3.26.7. | ||||