Total
2689 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-49194 | 2025-07-02 | 7.3 High | ||
| Databricks JDBC Driver 2.x before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile. | ||||
| CVE-2025-37092 | 1 Hpe | 1 Storeonce System | 2025-07-02 | 9.8 Critical |
| A command injection remote code execution vulnerability exists in HPE StoreOnce Software. | ||||
| CVE-2025-5447 | 1 Linksys | 12 Re6250, Re6250 Firmware, Re6300 and 9 more | 2025-07-02 | 6.3 Medium |
| A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been declared as critical. This vulnerability affects the function ssid1MACFilter of the file /goform/ssid1MACFilter. The manipulation of the argument apselect_%d/newap_text_%d leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6897 | 1 Dlink | 2 Di-7300g\+, Di-7300g\+ Firmware | 2025-07-01 | 5.5 Medium |
| A vulnerability classified as critical was found in D-Link DI-7300G+ 19.12.25A1. Affected by this vulnerability is an unknown functionality of the file httpd_debug.asp. The manipulation of the argument Time leads to os command injection. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-26331 | 1 Dell | 12 Latitude 3420, Latitude 3440, Latitude 5440 and 9 more | 2025-07-01 | 7.8 High |
| Dell ThinOS 2411 and prior, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary code execution. | ||||
| CVE-2025-6775 | 2025-06-30 | 6.3 Medium | ||
| A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The patch is named e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component. | ||||
| CVE-2025-6522 | 2025-06-30 | 5.4 Medium | ||
| Unauthenticated users on an adjacent network with the Sight Bulb Pro can run shell commands as root through a vulnerable proprietary TCP protocol available on Port 16668. This vulnerability allows an attacker to run arbitrary commands on the Sight Bulb Pro by passing a well formed JSON string. | ||||
| CVE-2024-23971 | 1 Chargepoint | 6 Home Flex Hardwired, Home Flex Hardwired Firmware, Home Flex Nema 14-50 Plug and 3 more | 2025-06-30 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. | ||||
| CVE-2024-34338 | 1 Tenda | 3 O3, O3 Firmware, O3v2 | 2025-06-30 | 7.2 High |
| Tenda O3V2 with firmware versions V1.0.0.10 and V1.0.0.12 was discovered to contain a Blind Command Injection via dest parameter in /goform/getTraceroute. This vulnerability allows attackers to execute arbitrary commands with root privileges. Authentication is required to exploit this vulnerability. | ||||
| CVE-2024-48286 | 1 Linksys | 2 E3000, E3000 Firmware | 2025-06-30 | 8 High |
| Linksys E3000 1.0.06.002_US is vulnerable to command injection via the diag_ping_start function. | ||||
| CVE-2024-30220 | 1 Planex | 4 Mzk-mf300hp2, Mzk-mf300hp2 Firmware, Mzk-mf300n and 1 more | 2025-06-30 | 8.8 High |
| Command injection vulnerability in PLANEX COMMUNICATIONS wireless LAN routers allows a network-adjacent unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port. Note that MZK-MF300N is no longer supported, therefore the update for this product is not provided. | ||||
| CVE-2025-6618 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-06-27 | 6.3 Medium |
| A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been classified as critical. Affected is the function SetWLanApcliSettings of the file wps.so. The manipulation of the argument PIN leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-6619 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-06-27 | 6.3 Medium |
| A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been declared as critical. Affected by this vulnerability is the function setUpgradeFW of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-6620 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-06-27 | 6.3 Medium |
| A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been rated as critical. Affected by this issue is the function setUpgradeUboot of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-6621 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-06-27 | 6.3 Medium |
| A vulnerability classified as critical has been found in TOTOLINK CA300-PoE 6.2c.884. This affects the function QuickSetting of the file ap.so. The manipulation of the argument hour/minute leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-1369 | 1 Escanav | 1 Escan Anti-virus | 2025-06-27 | 4.5 Medium |
| A vulnerability classified as critical was found in MicroWord eScan Antivirus 7.0.32 on Linux. Affected by this vulnerability is an unknown functionality of the component USB Password Handler. The manipulation leads to os command injection. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-1370 | 1 Escanav | 1 Escan Anti-virus | 2025-06-27 | 5.3 Medium |
| A vulnerability, which was classified as critical, has been found in MicroWorld eScan Antivirus 7.0.32 on Linux. Affected by this issue is the function sprintf of the file epsdaemon of the component Autoscan USB. The manipulation leads to os command injection. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-52483 | 2025-06-26 | N/A | ||
| Registrator is a GitHub app that automates creation of registration pull requests for julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities) a shell script injection can occur within the `withpasswd` function. Alternatively, an argument injection is possible in the `gettreesha `function. either of these can then lead to a potential RCE. Users should upgrade immediately to v1.9.5 to receive a fix. All prior versions are vulnerable. No known workarounds are available. | ||||
| CVE-2024-2947 | 1 Redhat | 1 Enterprise Linux | 2025-06-26 | 7.3 High |
| A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer. | ||||
| CVE-2024-3566 | 7 Golang, Haskell, Microsoft and 4 more | 7 Go, Process Library, Windows and 4 more | 2025-06-25 | 9.8 Critical |
| A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | ||||