Total
4578 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-40719 | 1 Dlink | 2 Dir-2150, Dir-2150 Firmware | 2025-04-01 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd_generic.lua plugin for the xupnpd service, which listens on TCP port 4044 by default. When parsing the feed parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15906. | ||||
| CVE-2022-40720 | 1 Dlink | 2 Dir-2150, Dir-2150 Firmware | 2025-04-01 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Dreambox plugin for the xupnpd service, which listens on TCP port 4044 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the router. Was ZDI-CAN-15935. | ||||
| CVE-2022-42492 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2025-04-01 | 9.8 Critical |
| Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_AD command. | ||||
| CVE-2022-42493 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2025-04-01 | 9.8 Critical |
| Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_INFO command. | ||||
| CVE-2022-40222 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2025-04-01 | 9.8 Critical |
| An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability. | ||||
| CVE-2025-22366 | 2025-04-01 | N/A | ||
| The authenticated firmware update capability of the firmware for Mennekes Smart / Premium Chargingpoints can be abused for command execution because OS command are improperly neutralized when certain fields are passed to the underlying OS. | ||||
| CVE-2025-22368 | 2025-04-01 | N/A | ||
| The authenticated SCU firmware command of the firmware for Mennekes Smart / Premium Chargingpoints can be abused for command execution because OS commands are improperly neutralized when certain fields are passed to the underlying OS. | ||||
| CVE-2025-22367 | 2025-04-01 | N/A | ||
| The authenticated time setting capability of the firmware for Mennekes Smart / Premium Chargingpoints can be abused for command execution because OS command are improperly neutralized when certain fields are passed to the underlying OS. | ||||
| CVE-2022-42491 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2025-03-31 | 9.8 Critical |
| Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's M2M_CONFIG_SET command | ||||
| CVE-2022-37061 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2025-03-31 | 9.8 Critical |
| All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. | ||||
| CVE-2024-25468 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-03-28 | 7.5 High |
| An issue in TOTOLINK X5000R V.9.1.0u.6369_B20230113 allows a remote attacker to cause a denial of service via the host_time parameter of the NTPSyncWithHost component. | ||||
| CVE-2022-40220 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2025-03-28 | 8.8 High |
| An OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. | ||||
| CVE-2024-57687 | 1 Phpgurukul | 1 Land Record System | 2025-03-28 | 9.8 Critical |
| An OS Command Injection vulnerability was found in /landrecordsys/admin/dashboard.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the "Cookie" GET request parameter. | ||||
| CVE-2025-25039 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-03-28 | 4.7 Medium |
| A vulnerability in the web-based management interface of HPE Aruba Networking ClearPass Policy Manager (CPPM) allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a lower privileged user on the underlying operating system. | ||||
| CVE-2024-54181 | 2 Ibm, Linux | 2 Websphere Automation, Linux Kernel | 2025-03-28 | 7.2 High |
| IBM WebSphere Automation 1.7.5 could allow a remote privileged user, who has authorized access to the swagger UI, to execute arbitrary code. Using specially crafted input, the user could exploit this vulnerability to execute arbitrary code on the system. | ||||
| CVE-2022-48108 | 1 Dlink | 2 Dir 878, Dir 878 Firmware | 2025-03-28 | 9.8 Critical |
| D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /SetNetworkSettings/SubnetMask. This vulnerability allows attackers to escalate privileges to root via a crafted payload. | ||||
| CVE-2022-48107 | 1 Dlink | 2 Dir 878, Dir 878 Firmware | 2025-03-28 | 9.8 Critical |
| D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /setnetworksettings/IPAddress. This vulnerability allows attackers to escalate privileges to root via a crafted payload. | ||||
| CVE-2022-48072 | 1 Phicomm | 2 K2, K2 Firmware | 2025-03-28 | 7.8 High |
| Phicomm K2G v22.6.3.20 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function. | ||||
| CVE-2022-48070 | 1 Phicomm | 2 K2, K2 Firmware | 2025-03-28 | 7.8 High |
| Phicomm K2 v22.6.534.263 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function. | ||||
| CVE-2022-48069 | 1 Totolink | 2 A830r, A830r Firmware | 2025-03-28 | 7.5 High |
| Totolink A830R V4.1.2cu.5182 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter. | ||||