Total
2380 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-0789 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-03-21 | 8.1 High |
| Command Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11. | ||||
| CVE-2022-40022 | 1 Microchip | 2 Syncserver S650, Syncserver S650 Firmware | 2025-03-21 | 9.8 Critical |
| Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability. | ||||
| CVE-2024-48830 | 2025-03-21 | 7.8 High | ||
| Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution. | ||||
| CVE-2023-24161 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-03-20 | 9.8 Critical |
| TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the webWlanIdx parameter in the setWebWlanIdx function. | ||||
| CVE-2023-24160 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-03-20 | 9.8 Critical |
| TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admuser parameter in the setPasswordCfg function. | ||||
| CVE-2024-10190 | 2025-03-20 | N/A | ||
| Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling of base64-encoded data in the `ElasticRendezvousHandler`, a subclass of `KVStoreHandler`. Specifically, the `_put_value` method in `ElasticRendezvousHandler` calls `codec.loads_base64(value)`, which eventually invokes `cloudpickle.loads(decoded)`. This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server. | ||||
| CVE-2024-9070 | 2025-03-20 | N/A | ||
| A deserialization vulnerability exists in BentoML's runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution. | ||||
| CVE-2024-10954 | 2025-03-20 | N/A | ||
| In the `manim` plugin of binary-husky/gpt_academic, versions prior to the fix, a vulnerability exists due to improper handling of user-provided prompts. The root cause is the execution of untrusted code generated by the LLM without a proper sandbox. This allows an attacker to perform remote code execution (RCE) on the app backend server by injecting malicious code through the prompt. | ||||
| CVE-2023-24159 | 1 Totolink | 2 Ca300-poe, Ca300-poe Firmware | 2025-03-20 | 9.8 Critical |
| TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admpass parameter in the setPasswordCfg function. | ||||
| CVE-2023-22935 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-03-20 | 8.1 High |
| In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled. | ||||
| CVE-2024-6825 | 2025-03-20 | N/A | ||
| BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue exists in the handling of the 'post_call_rules' configuration, where a callback function can be added. The provided value is split at the final '.' mark, with the last part considered the function name and the remaining part appended with the '.py' extension and imported. This allows an attacker to set a system method, such as 'os.system', as a callback, enabling the execution of arbitrary commands when a chat response is processed. | ||||
| CVE-2023-1389 | 1 Tp-link | 2 Archer Ax21, Archer Ax21 Firmware | 2025-03-19 | 8.8 High |
| TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request. | ||||
| CVE-2019-1000018 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2025-03-19 | 7.8 High |
| rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in allowscp permission that can result in Local command execution. This attack appear to be exploitable via An authorized SSH user with the allowscp permission. | ||||
| CVE-2023-40396 | 1 Apple | 7 Ios, Ipad Os, Ipados and 4 more | 2025-03-19 | 7.8 High |
| The issue was addressed with improved memory handling. This issue is fixed in iOS 17 and iPadOS 17, macOS Sonoma 14, watchOS 10, tvOS 17. An app may be able to execute arbitrary code with kernel privileges. | ||||
| CVE-2024-35518 | 1 Netgear | 2 Ex6120, Ex6120 Firmware | 2025-03-19 | 8.4 High |
| Netgear EX6120 v1.0.0.68 is vulnerable to Command Injection in genie_fix2.cgi via the wan_dns1_pri parameter. | ||||
| CVE-2024-27981 | 1 Ubiquiti | 1 Unifi Network Application | 2025-03-18 | 9.8 Critical |
| A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.0.28 and earlier) allows a malicious actor with UniFi Network Application Administrator credentials to escalate privileges to root on the host device. Affected Products: UniFi Network Application (Version 8.0.28 and earlier) . Mitigation: Update UniFi Network Application to Version 8.1.113 or later. | ||||
| CVE-2023-24238 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2025-03-18 | 9.8 Critical |
| TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the city parameter at setting/delStaticDhcpRules. | ||||
| CVE-2023-24236 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2025-03-18 | 9.8 Critical |
| TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the province parameter at setting/delStaticDhcpRules. | ||||
| CVE-2022-40021 | 1 Qvidium | 2 Amino A140, Amino A140 Firmware | 2025-03-18 | 9.8 Critical |
| QVidium Technologies Amino A140 (prior to firmware version 1.0.0-283) was discovered to contain a command injection vulnerability. | ||||
| CVE-2022-48339 | 2 Gnu, Redhat | 3 Emacs, Enterprise Linux, Rhel Eus | 2025-03-18 | 7.8 High |
| An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. | ||||