Filtered by CWE-78
Total 4400 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-29041 1 Dlink 2 Dir-823x, Dir-823x Firmware 2025-05-01 9.8 Critical
An issue in dlink DIR 823x 240802 allows a remote attacker to execute arbitrary code via the target_addr key value and the function 0x41710c
CVE-2025-29040 1 Dlink 2 Dir-823x, Dir-823x Firmware 2025-05-01 9.8 Critical
An issue in dlink DIR 823x 240802 allows a remote attacker to execute arbitrary code via the target_addr key value and the function 0x41737c
CVE-2023-0830 1 Easynas 1 Easynas 2025-05-01 6.3 Medium
A vulnerability classified as critical has been found in EasyNAS 1.1.0. Affected is the function system of the file /backup.pl. The manipulation leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.
CVE-2022-37900 1 Arubanetworks 12 7005, 7008, 7010 and 9 more 2025-05-01 7.2 High
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
CVE-2025-31692 1 Drupal 1 Artificial Intelligence 2025-05-01 7.5 High
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) allows OS Command Injection. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.5.
CVE-2022-38387 2 Ibm, Linux 2 Cloud Pak For Security, Linux Kernel 2025-05-01 7.1 High
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.2.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 233786.
CVE-2024-27980 2025-04-30 N/A
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
CVE-2022-32212 5 Debian, Fedoraproject, Nodejs and 2 more 7 Debian Linux, Fedora, Node.js and 4 more 2025-04-30 8.1 High
An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks.
CVE-2024-27516 1 Livehelperchat 2 Live Helper Chat, Livehelperchat 2025-04-30 9.8 Critical
Server-Side Template Injection (SSTI) vulnerability in livehelperchat before 4.34v, allows remote attackers to execute arbitrary code and obtain sensitive information via the search parameter in lhc_web/modules/lhfaq/faqweight.php.
CVE-2024-48954 1 Logpoint 2 Logpoint, Siem 2025-04-30 6.4 Medium
An issue was discovered in Logpoint before 7.5.0. Unvalidated input during the EventHub Collector setup by an authenticated user leads to Remote Code execution.
CVE-2022-42053 1 Tenda 2 Ac1200 V-w15ev2, W15e Firmware 2025-04-30 7.8 High
Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a command injection vulnerability via the PortMappingServer parameter in the setPortMapping function.
CVE-2022-41396 1 Tenda 2 W15e, W15e Firmware 2025-04-30 7.8 High
Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain multiple command injection vulnerabilities in the function setIPsecTunnelList via the IPsecLocalNet and IPsecRemoteNet parameters.
CVE-2022-41395 1 Tenda 2 W15e, W15e Firmware 2025-04-30 7.8 High
Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a command injection vulnerability via the dmzHost parameter in the setDMZ function.
CVE-2022-40847 1 Tenda 2 Ac1200 V-w15ev2, W15e Firmware 2025-04-30 7.8 High
In Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576), there exists a command injection vulnerability in the function formSetFixTools. This vulnerability allows attackers to run arbitrary commands on the server via the hostname parameter.
CVE-2022-43548 3 Debian, Nodejs, Redhat 5 Debian Linux, Node.js, Enterprise Linux and 2 more 2025-04-30 8.1 High
An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks. The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
CVE-2021-27102 1 Accellion 1 Fta 2025-04-30 7.8 High
Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call. The fixed version is FTA_9_12_416 and later.
CVE-2021-27104 1 Accellion 1 Fta 2025-04-30 9.8 Critical
Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.
CVE-2025-1976 1 Broadcom 1 Fabric Operating System 2025-04-30 6.7 Medium
Brocade Fabric OS versions starting with 9.1.0 have root access removed; however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6.
CVE-2025-3729 1 Senior-walter 1 Web-based Pharmacy Product Management System 2025-04-29 7.3 High
A vulnerability, which was classified as critical, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. This issue affects some unknown processing of the file backup.php of the component Database Backup Handler. The manipulation of the argument txtdbname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-9053 1 Vllm-project 1 Vllm 2025-04-29 9.8 Critical
vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.