Total
5373 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28507 | 1 Idno | 1 Idno | 2026-03-06 | N/A |
| Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4. | ||||
| CVE-2026-29058 | 1 Wwbn | 1 Avideo-encoder | 2026-03-06 | 9.8 Critical |
| AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0. | ||||
| CVE-2026-26279 | 1 Froxlor | 1 Froxlor | 2026-03-05 | 9.1 Critical |
| Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4. | ||||
| CVE-2026-25857 | 1 Tenda | 3 G300-f, G300-f Firmware, Rx9 Pro Firmware | 2026-03-05 | 8.8 High |
| Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process. | ||||
| CVE-2026-2131 | 1 Xixianliang | 2 Harmonyos-mcp-server, Harmonyos Mcp Server | 2026-03-05 | 6.3 Medium |
| A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | ||||
| CVE-2026-26478 | 1 Mobvoi | 3 Tichome Mini, Tichome Mini Firmware, Tichome Mini Smart Speaker | 2026-03-05 | 9.8 Critical |
| A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012-18853 and 027-58389 allows remote attackers to send a specially crafted UDP datagram and execute arbitrary shell code as the root account. | ||||
| CVE-2026-27441 | 1 Seppmail | 2 Seppmail, Seppmail Secure Email Gateway | 2026-03-05 | 9.8 Critical |
| SEPPmail Secure Email Gateway before version 15.0.1 insufficiently neutralizes the PDF encryption password, allowing OS command execution. | ||||
| CVE-2025-59783 | 1 2n | 1 Access Commander | 2026-03-05 | 7.2 High |
| API endpoint for user synchronization in 2N Access Commander version 3.4.1 did not have a sufficient input validation allowing for OS command injection. This vulnerability can only be exploited after authenticating with administrator privileges. | ||||
| CVE-2021-47745 | 1 Cypress | 1 Ctm-200 | 2026-03-05 | 8.8 High |
| Cypress Solutions CTM-200 2.7.1 contains an authenticated command injection vulnerability in the firmware upgrade script that allows remote attackers to execute shell commands. Attackers can exploit the 'fw_url' parameter in the ctm-config-upgrade.sh script to inject and execute arbitrary commands with root privileges. | ||||
| CVE-2026-20008 | 1 Cisco | 2 Adaptive Security Appliance Software, Secure Firewall Threat Defense | 2026-03-05 | 6 Medium |
| A vulnerability in a small subset of CLI commands that are used on Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to craft Lua code that could be used on the underlying operating system as root. This vulnerability exists because user-provided input is not properly sanitized. An attacker could exploit this vulnerability by crafting valid Lua code and submitting it as a malicious parameter for a CLI command. A successful exploit could allow the attacker to inject Lua code, which could lead to arbitrary code execution as the root user. To exploit this vulnerability, an attacker must have valid Administrator credentials. | ||||
| CVE-2013-10039 | 1 Gestioip | 1 Gestioip | 2026-03-05 | N/A |
| A command injection vulnerability exists in GestioIP 3.0 commit ac67be and earlier in ip_checkhost.cgi. Crafted input to the 'ip' parameter allows attackers to execute arbitrary shell commands on the server via embedded base64-encoded payloads. Authentication may be required depending on deployment configuration. | ||||
| CVE-2025-34319 | 1 Totolink | 2 N300rt, N300rt Firmware | 2026-03-05 | N/A |
| TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 (discovered in V2.1.8-B20201030.1539) contain an OS command injection vulnerability in the Boa formWsc handling functionality. An unauthenticated attacker can send specially crafted requests to trigger command execution via the targetAPSsid request parameter. | ||||
| CVE-2025-34132 | 1 Tvt | 1 Dvr Firmware | 2026-03-05 | N/A |
| A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface. | ||||
| CVE-2025-34129 | 1 Tvt | 1 Dvr Firmware | 2026-03-05 | N/A |
| A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 due to insufficient sanitization of the FTP and NTP Server fields in the service configuration. An attacker with access to the configuration interface can upload a malicious XML file with injected shell commands in these fields. Upon subsequent configuration syncs, these commands are executed with elevated privileges. This vulnerability was exploited in the wild by the Moobot botnets. | ||||
| CVE-2025-34115 | 1 Op5 | 1 Monitor | 2026-03-05 | N/A |
| An authenticated command injection vulnerability exists in OP5 Monitor through version 7.1.9 via the 'cmd_str' parameter in the command_test.php endpoint. A user with access to the web interface can exploit the 'Test this command' feature to execute arbitrary shell commands as the unprivileged web application user. The vulnerability resides in the configuration section of the application and requires valid login credentials with access to the command testing functionality. This issue is fixed in version 7.2.0. | ||||
| CVE-2025-34101 | 1 Plex | 1 Media Server Firmware | 2026-03-05 | N/A |
| An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls. | ||||
| CVE-2024-58338 | 1 Ateme | 2 Flamingo Xl, Flamingo Xl Firmware | 2026-03-05 | 10 Critical |
| Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attackers can exploit the traceroute command to inject shell commands and gain full root access to the device by bypassing the restricted login environment. | ||||
| CVE-2024-58287 | 1 Yogeshojha | 1 Rengine | 2026-03-05 | 8.8 High |
| reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine configuration that allows authenticated attackers to execute arbitrary commands. Attackers can modify the nmap_cmd parameter with malicious base64-encoded payloads to achieve remote code execution during scan engine configuration. | ||||
| CVE-2024-14010 | 1 Typora | 1 Typora | 2026-03-05 | 9.8 Critical |
| Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution. | ||||
| CVE-2023-53981 | 2 Roxio, Thibaud-rohmer | 2 Photoshow, Photoshow | 2026-03-05 | 7.2 High |
| PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a reverse shell command and executing it through a crafted video upload process. | ||||