Total
2829 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7836 | 2 D-link, Dlink | 3 Dir-816l, Dir-816l, Dir-816l Firmware | 2025-10-03 | 6.3 Medium |
| A vulnerability has been found in D-Link DIR-816L up to 2.06B01 and classified as critical. Affected by this vulnerability is the function lxmldbc_system of the file /htdocs/cgibin of the component Environment Variable Handler. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-56769 | 1 Hutool | 1 Hutool | 2025-10-03 | 6.5 Medium |
| An issue was discovered in chinabugotech hutool before 5.8.4 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class. | ||||
| CVE-2025-29155 | 1 Smartbear | 1 Swagger Petstore | 2025-10-03 | 6.5 Medium |
| An issue in petstore v.1.0.7 allows a remote attacker to execute arbitrary code via the DELETE endpoint | ||||
| CVE-2025-10689 | 2 D-link, Dlink | 3 Dir-645, Dir-645, Dir-645 Firmware | 2025-10-03 | 6.3 Medium |
| A vulnerability was identified in D-Link DIR-645 105B01. This issue affects the function soapcgi_main of the file /soap.cgi. Such manipulation of the argument service leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-57293 | 1 Comfast | 2 Cf-xr11, Cf-xr11 Firmware | 2025-10-03 | 8.8 High |
| A command injection vulnerability in COMFAST CF-XR11 (firmware V2.7.2) exists in the multi_pppoe API, processed by the sub_423930 function in /usr/bin/webmgnt. The phy_interface parameter is not sanitized, allowing attackers to inject arbitrary commands via a POST request to /cgi-bin/mbox-config?method=SET§ion=multi_pppoe. When the action parameter is set to "one_click_redial", the unsanitized phy_interface is used in a system() call, enabling execution of malicious commands. This can lead to unauthorized access to sensitive files, execution of arbitrary code, or full device compromise. | ||||
| CVE-2025-4008 | 1 Smartbedded | 2 Meteobridge Firmware, Meteobridge Vm | 2025-10-03 | 8.8 High |
| The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application written in CGI shell scripts and C. This web interface exposes an endpoint that is vulnerable to command injection. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices. | ||||
| CVE-2025-11121 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2025-10-03 | 6.3 Medium |
| A security vulnerability has been detected in Tenda AC18 15.03.05.19. The impacted element is an unknown function of the file /goform/AdvSetLanip. The manipulation of the argument lanIp leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-1497 | 1 Mljar | 1 Plotai | 2025-10-03 | 9.8 Critical |
| A vulnerability, that could result in Remote Code Execution (RCE), has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch to fix this vulnerability. | ||||
| CVE-2024-3659 | 2 Kaongroup, Kaonmedia | 3 Ar2140, Ar2140 Firmware, Ar2140 Firmware | 2025-10-03 | 7.2 High |
| Firmware in KAONÂ AR2140 routers prior to version 4.2.16 is vulnerable to a shell command injection via sending a crafted request to one of the endpoints. In order to exploit this vulnerability, one has to have access to the administrative portal of the router. | ||||
| CVE-2025-50756 | 1 Wavlink | 2 Wn535k3, Wn535k3 Firmware | 2025-10-03 | 9.8 Critical |
| Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the newpass parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2025-59741 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/CLT/LOGINERRORFRM.ASP'. | ||||
| CVE-2025-59740 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_CAT.ASP'. | ||||
| CVE-2025-59739 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_original.ASP'. | ||||
| CVE-2025-10325 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2025-10-02 | 6.3 Medium |
| A vulnerability was identified in Wavlink WL-WN578W2 221110. This impacts the function sub_401340/sub_401BA4 of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10326 | 1 Sourcefabric | 2 Phoniebox, Rpi-jukebox-rfid | 2025-10-02 | 6.3 Medium |
| A security flaw has been discovered in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected is an unknown function of the file /htdocs/api/playlist/single.php. Performing manipulation of the argument playlist results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10327 | 1 Sourcefabric | 2 Phoniebox, Rpi-jukebox-rfid | 2025-10-02 | 6.3 Medium |
| A weakness has been identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this vulnerability is an unknown functionality of the file /htdocs/api/playlist/shuffle.php. Executing manipulation of the argument playlist can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59738 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_BET.ASP'. | ||||
| CVE-2025-10328 | 1 Sourcefabric | 2 Phoniebox, Rpi-jukebox-rfid | 2025-10-02 | 6.3 Medium |
| A security vulnerability has been detected in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this issue is some unknown functionality of the file /htdocs/api/playlist/playsinglefile.php. The manipulation of the argument File leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59737 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
| Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_LXA.ASP'. | ||||
| CVE-2025-10358 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2025-10-02 | 7.3 High |
| A security vulnerability has been detected in Wavlink WL-WN578W2 221110. This affects the function sub_404850 of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||