Total
4368 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-32462 | 1 Dell | 1 Smartfabric Os10 | 2025-04-24 | 9.8 Critical |
| Dell OS10 Networking Switches running 10.5.2.x and above contain an OS command injection vulnerability when using remote user authentication. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands and possible system takeover. This is a critical vulnerability as it allows an attacker to cause severe damage. Dell recommends customers to upgrade at the earliest opportunity. | ||||
| CVE-2023-0011 | 1 U-blox | 10 Toby-l200, Toby-l200 Firmware, Toby-l201 and 7 more | 2025-04-24 | 7.6 High |
| A flaw in the input validation in TOBY-L2 allows a user to execute arbitrary operating system commands using specifically crafted AT commands. This vulnerability requires physical access to the serial interface of the module or the ability to modify the system or software which uses its serial interface to send malicious AT commands. Exploitation of the vulnerability gives full administrative (root) privileges to the attacker to execute any operating system command on TOBY-L2 which can lead to modification of the behavior of the module itself as well as the components connected with it (depending on its rights on other connected systems). It can further provide the ability to read system level files and hamper the availability of the module as well.. This issue affects TOBY-L2 series: TOBY-L200, TOBY-L201, TOBY-L210, TOBY-L220, TOBY-L280. | ||||
| CVE-2021-36011 | 2 Adobe, Microsoft | 2 Illustrator, Windows | 2025-04-23 | 8.3 High |
| Adobe Illustrator version 25.2.3 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2021-28571 | 2 Adobe, Microsoft | 2 After Effects, Windows | 2025-04-23 | 8.3 High |
| Adobe After Effects version 18.1 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2022-23611 | 1 Itunesrpc-remastered Project | 1 Itunesrpc-remastered | 2025-04-23 | 8.1 High |
| iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility. In affected versions iTunesRPC-Remastered did not properly sanitize image file paths leading to OS level command injection. This issue has been patched in commit cdcd48b. Users are advised to upgrade. | ||||
| CVE-2022-24753 | 2 Microsoft, Stripe | 2 Windows, Stripe Cli | 2025-04-23 | 7.7 High |
| Stripe CLI is a command-line tool for the Stripe eCommerce platform. A vulnerability in Stripe CLI exists on Windows when certain commands are run in a directory where an attacker has planted files. The commands are `stripe login`, `stripe config -e`, `stripe community`, and `stripe open`. MacOS and Linux are unaffected. An attacker who successfully exploits the vulnerability can run arbitrary code in the context of the current user. The update addresses the vulnerability by throwing an error in these situations before the code can run.Users are advised to upgrade to version 1.7.13. There are no known workarounds for this issue. | ||||
| CVE-2025-25067 | 1 Myscada | 1 Mypro | 2025-04-23 | 9.8 Critical |
| mySCADA myPRO Manager is vulnerable to an OS command injection which could allow a remote attacker to execute arbitrary OS commands. | ||||
| CVE-2022-24796 | 1 Raspberrymatic | 1 Raspberrymatic | 2025-04-23 | 10 Critical |
| RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the WebUI interface of RaspberryMatic exists. Missing input validation/sanitization in the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions after `2.31.25.20180428` and prior to `3.63.8.20220330` are affected. Users are advised to update to version `3.63.8.20220330` or newer. There are currently no known workarounds to mitigate the security impact and users are advised to update to the latest version available. | ||||
| CVE-2022-29256 | 1 Sharp Project | 1 Sharp | 2025-04-23 | 6.5 Medium |
| sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5. | ||||
| CVE-2022-45915 | 1 Ilias | 1 Ilias | 2025-04-23 | 8.8 High |
| ILIAS before 7.16 allows OS Command Injection. | ||||
| CVE-2022-35975 | 1 Weave | 1 Gitops Tools | 2025-04-23 | 9 Critical |
| The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using the VSCode extension to manage clusters that are shared amongst other users are affected by this issue. The only safe mitigation is to update to the latest version of the extension. | ||||
| CVE-2022-35976 | 1 Weave | 1 Gitops Tools | 2025-04-23 | 5.2 Medium |
| The GitOps Tools Extension for VSCode relies on kubeconfigs in order to communicate with Kubernetes clusters. A specially crafted kubeconfig leads to arbitrary code execution on behalf of the user running VSCode. Users relying on kubeconfigs that are generated or altered by other processes or users are affected by this issue. Please note that the vulnerability is specific to this extension, and the same kubeconfig would not result in arbitrary code execution when used with kubectl. Using only trust-worthy kubeconfigs is a safe mitigation. However, updating to the latest version of the extension is still highly recommended. | ||||
| CVE-2023-34127 | 1 Sonicwall | 2 Analytics, Global Management System | 2025-04-23 | 8.8 High |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SonicWall GMS, SonicWall Analytics enables an authenticated attacker to execute arbitrary code with root privileges. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions. | ||||
| CVE-2022-39321 | 1 Github | 1 Runner | 2025-04-23 | 8.8 High |
| GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands was discovered in versions prior to 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4 that allows an input to escape the environment variable and modify that docker command invocation directly. Jobs that use container actions, job containers, or service containers alongside untrusted user inputs in environment variables may be vulnerable. The Actions Runner has been patched, both on `github.com` and hotfixes for GHES and GHAE customers in versions 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4. GHES and GHAE customers may want to patch their instance in order to have their runners automatically upgrade to these new runner versions. As a workaround, users may consider removing any container actions, job containers, or service containers from their jobs until they are able to upgrade their runner versions. | ||||
| CVE-2022-41942 | 1 Sourcegraph | 1 Sourcegraph | 2025-04-23 | 7.9 High |
| Sourcegraph is a code intelligence platform. In versions prior to 4.1.0 a command Injection vulnerability existed in the gitserver service, present in all Sourcegraph deployments. This vulnerability was caused by a lack of input validation on the host parameter of the `/list-gitolite` endpoint. It was possible to send a crafted request to gitserver that would execute commands inside the container. Successful exploitation requires the ability to send local requests to gitserver. The issue is patched in version 4.1.0. | ||||
| CVE-2024-25082 | 4 Debian, Fedoraproject, Fontforge and 1 more | 4 Debian Linux, Fedora, Fontforge and 1 more | 2025-04-23 | 6.5 Medium |
| Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files. | ||||
| CVE-2024-25081 | 4 Debian, Fedoraproject, Fontforge and 1 more | 4 Debian Linux, Fedora, Fontforge and 1 more | 2025-04-23 | 4.2 Medium |
| Splinefont in FontForge through 20230101 allows command injection via crafted filenames. | ||||
| CVE-2023-7002 | 1 Backupbliss | 1 Backup Migration | 2025-04-23 | 7.2 High |
| The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands on the host operating system. | ||||
| CVE-2022-45026 | 1 Markdown Preview Enhanced Project | 1 Markdown Preview Enhanced | 2025-04-23 | 9.8 Critical |
| An issue in Markdown Preview Enhanced v0.6.5 and v0.19.6 for VSCode and Atom allows attackers to execute arbitrary commands during the GFM export process. | ||||
| CVE-2022-45025 | 1 Markdown Preview Enhanced Project | 1 Markdown Preview Enhanced | 2025-04-23 | 9.8 Critical |
| Markdown Preview Enhanced v0.6.5 and v0.19.6 for VSCode and Atom was discovered to contain a command injection vulnerability via the PDF file import function. | ||||