Total
2590 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-57685 | 1 Sparkshop | 1 Sparkshop | 2025-03-25 | 5.3 Medium |
| An issue in sparkshop v.1.1.7 and before allows a remote attacker to execute arbitrary code via a crafted phar file. | ||||
| CVE-2024-24301 | 1 4ipnet | 2 Eap-767, Eap-767 Firmware | 2025-03-25 | 8.8 High |
| Command Injection vulnerability discovered in 4ipnet EAP-767 device v3.42.00 within the web interface of the device allows attackers with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges. | ||||
| CVE-2024-25946 | 1 Dell | 4 Powermax Eem, Solutions Enabler Virtual Appliance, Unisphere For Powermax Virtual Appliance and 1 more | 2025-03-25 | 7.2 High |
| Dell vApp Manager, versions prior to 9.2.4.9 contain a Command Injection Vulnerability. An authorized attacker could potentially exploit this vulnerability leading to an execution of an inserted command. Dell recommends customers to upgrade at the earliest opportunity. | ||||
| CVE-2023-41724 | 1 Ivanti | 2 Sentry, Standalone Sentry | 2025-03-25 | 8.8 High |
| A command injection vulnerability in Ivanti Sentry prior to 9.19.0 allows unauthenticated threat actor to execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network. | ||||
| CVE-2022-43550 | 2 Jitsi, Microsoft | 2 Jitsi, Windows | 2025-03-25 | 9.8 Critical |
| A command injection vulnerability exists in Jitsi before commit 8aa7be58522f4264078d54752aae5483bfd854b2 when launching browsers on Windows which could allow an attacker to insert an arbitrary URL which opens up the opportunity to remote execution. | ||||
| CVE-2024-1355 | 1 Github | 1 Enterprise Server | 2025-03-24 | 9.1 Critical |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the actions-console docker container while setting a service URL. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2022-45104 | 1 Dell | 3 Evasa Provider Virtual Appliance, Solutions Enabler Virtual Appliance, Unisphere For Powermax Virtual Appliance | 2025-03-24 | 8.8 High |
| Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 9.2.3.x contain a command execution vulnerability. A low privileged remote attacker could potentially exploit this vulnerability, leading to execute arbitrary commands on the underlying system. | ||||
| CVE-2023-0776 | 1 Baicells | 8 Neutrino 430, Neutrino 430 Firmware, Nova430e and 5 more | 2025-03-24 | 8.1 High |
| Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices with firmware through QRTB 2.12.7 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce. | ||||
| CVE-2023-0127 | 1 Dlink | 2 Dwl-2600ap, Dwl-2600ap Firmware | 2025-03-24 | 7.8 High |
| A command injection vulnerability in the firmware_update command, in the device's restricted telnet interface, allows an authenticated attacker to execute arbitrary commands as root. | ||||
| CVE-2025-2701 | 2025-03-24 | 6.3 Medium | ||
| A vulnerability classified as critical was found in AMTT Hotel Broadband Operation System 1.0. This vulnerability affects the function popen of the file /manager/network/port_setup.php. The manipulation of the argument SwitchVersion/SwitchWrite/SwitchIP/SwitchIndex/SwitchState leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-0789 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-03-21 | 8.1 High |
| Command Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11. | ||||
| CVE-2022-40022 | 1 Microchip | 2 Syncserver S650, Syncserver S650 Firmware | 2025-03-21 | 9.8 Critical |
| Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability. | ||||
| CVE-2024-48830 | 2025-03-21 | 7.8 High | ||
| Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution. | ||||
| CVE-2023-24161 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-03-20 | 9.8 Critical |
| TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the webWlanIdx parameter in the setWebWlanIdx function. | ||||
| CVE-2023-24160 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-03-20 | 9.8 Critical |
| TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admuser parameter in the setPasswordCfg function. | ||||
| CVE-2024-10190 | 2025-03-20 | N/A | ||
| Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling of base64-encoded data in the `ElasticRendezvousHandler`, a subclass of `KVStoreHandler`. Specifically, the `_put_value` method in `ElasticRendezvousHandler` calls `codec.loads_base64(value)`, which eventually invokes `cloudpickle.loads(decoded)`. This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server. | ||||
| CVE-2024-9070 | 2025-03-20 | N/A | ||
| A deserialization vulnerability exists in BentoML's runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution. | ||||
| CVE-2024-10954 | 2025-03-20 | N/A | ||
| In the `manim` plugin of binary-husky/gpt_academic, versions prior to the fix, a vulnerability exists due to improper handling of user-provided prompts. The root cause is the execution of untrusted code generated by the LLM without a proper sandbox. This allows an attacker to perform remote code execution (RCE) on the app backend server by injecting malicious code through the prompt. | ||||
| CVE-2023-24159 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-03-20 | 9.8 Critical |
| TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admpass parameter in the setPasswordCfg function. | ||||
| CVE-2023-22935 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-03-20 | 8.1 High |
| In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled. | ||||