Total
2682 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-52337 | 2025-08-20 | 6.5 Medium | ||
| An authenticated arbitrary file upload vulnerability in the Content Explorer feature of LogicData eCommerce Framework v5.0.9.7000 allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2025-50461 | 2025-08-20 | 6.5 Medium | ||
| A deserialization vulnerability exists in Volcengine's verl 3.0.0, specifically in the scripts/model_merger.py script when using the "fsdp" backend. The script calls torch.load() with weights_only=False on user-supplied .pt files, allowing attackers to execute arbitrary code if a maliciously crafted model file is loaded. An attacker can exploit this by convincing a victim to download and place a malicious model file in a local directory with a specific filename pattern. This vulnerability may lead to arbitrary code execution with the privileges of the user running the script. | ||||
| CVE-2025-50891 | 2025-08-20 | 6.5 Medium | ||
| Adform Site Tracking 1.1 allows attackers to inject HTML or execute arbitrary code via cookie hijacking. | ||||
| CVE-2025-55294 | 2025-08-20 | 9.8 Critical | ||
| screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without sanitization. This results in arbitrary command execution with the privileges of the calling process. This vulnerability is fixed in 1.15.2. | ||||
| CVE-2025-9149 | 2025-08-20 | 6.3 Medium | ||
| A vulnerability was determined in Wavlink WL-NU516U1 M16U1_V240425. This impacts the function sub_4032E4 of the file /cgi-bin/wireless.cgi. This manipulation of the argument Guest_ssid causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-57733 | 2025-08-20 | 5.5 Medium | ||
| In JetBrains TeamCity before 2025.07.1 sMTP injection was possible allowing modification of email content | ||||
| CVE-2025-9174 | 2025-08-20 | 5.3 Medium | ||
| A vulnerability was determined in neurobin shc up to 4.0.3. This vulnerability affects the function make of the file src/shc.c of the component Filename Handler. Executing manipulation can lead to os command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-9176 | 2025-08-20 | 5.3 Medium | ||
| A security flaw has been discovered in neurobin shc up to 4.0.3. Impacted is the function make of the file src/shc.c of the component Environment Variable Handler. The manipulation results in os command injection. The attack is only possible with local access. The exploit has been released to the public and may be exploited. | ||||
| CVE-2020-13117 | 1 Wavlink | 4 Wn575a4, Wn575a4 Firmware, Wn579x3 and 1 more | 2025-08-19 | 9.8 Critical |
| Wavlink WN575A4, WN579X3, and WN530G3A devices through 2020-05-15 allow unauthenticated remote users to inject commands via the key parameter in a login request. | ||||
| CVE-2025-9090 | 1 Tenda | 1 Ac20 | 2025-08-18 | 6.3 Medium |
| A vulnerability was identified in Tenda AC20 16.03.08.12. Affected is the function websFormDefine of the file /goform/telnet of the component Telnet Service. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-55590 | 2025-08-18 | 6.5 Medium | ||
| TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain an command injection vulnerability via the component bupload.html. | ||||
| CVE-2025-55591 | 2025-08-18 | 9.8 Critical | ||
| TOTOLINK-A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability in the devicemac parameter in the formMapDel endpoint. | ||||
| CVE-2025-55283 | 2025-08-18 | 9.1 Critical | ||
| aiven-db-migrate is an Aiven database migration tool. Prior to 1.0.7, there is a privilege escalation vulnerability that allows elevation to superuser inside PostgreSQL databases during a migration from an untrusted source server. The vulnerability stems from psql executing commands embedded in a dump from the source server. This vulnerability is fixed in 1.0.7. | ||||
| CVE-2025-27423 | 2 Netapp, Vim | 2 Hci Compute Node, Vim | 2025-08-18 | 7.1 High |
| Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164 | ||||
| CVE-2025-22941 | 1 Adtran | 2 411, 411 Firmware | 2025-08-18 | 9.8 Critical |
| A command injection vulnerability in the web interface of Adtran 411 ONT L80.00.0011.M2 allows attackers to escalate privileges to root and execute arbitrary commands. | ||||
| CVE-2025-22939 | 1 Adtran | 2 411, 411 Firmware | 2025-08-18 | 9.8 Critical |
| A command injection vulnerability in the telnet service of Adtran 411 ONT L80.00.0011.M2 allows attackers to escalate privileges to root and execute arbitrary commands. | ||||
| CVE-2023-42128 | 2 Magnet Forensics, Magnetforensics | 2 Axiom, Axiom | 2025-08-18 | N/A |
| Magnet Forensics AXIOM Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Magnet Forensics AXIOM. User interaction is required to exploit this vulnerability in that the target must acquire data from a malicious mobile device. The specific flaw exists within the Android device image acquisition functionality. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21255. | ||||
| CVE-2025-8956 | 2 D-link, Dlink | 3 Dir-818l, Dir-818l, Dir-818l Firmware | 2025-08-18 | 6.3 Medium |
| A vulnerability was found in D-Link DIR‑818L up to 1.05B01. This issue affects the function getenv of the file /htdocs/cgibin of the component ssdpcgi. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-9026 | 2 D-link, Dlink | 3 Dir-860l, Dir-860l, Dir-860l Firmware | 2025-08-18 | 7.3 High |
| A vulnerability was identified in D-Link DIR-860L 2.04.B04. This affects the function ssdpcgi_main of the file htdocs/cgibin of the component Simple Service Discovery Protocol. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-53945 | 1 Kuwfi | 1 Ac900 Router | 2025-08-16 | 8.8 High |
| The KuWFi 4G AC900 LTE router 1.0.13 is vulnerable to command injection on the HTTP API endpoints /goform/formMultiApnSetting and /goform/atCmd. An authenticated attacker can execute arbitrary OS commands with root privileges via shell metacharacters in parameters such as pincode and cmds. Exploitation can lead to full system compromise, including enabling remote access (e.g., enabling telnet). | ||||