Total
4962 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-3621 | 2 Fedoraproject, Redhat | 10 Fedora, Sssd, Enterprise Linux and 7 more | 2025-11-03 | 8.8 High |
| A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | ||||
| CVE-2025-50121 | 2025-11-03 | N/A | ||
| A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause unauthenticated remote code execution when a malicious folder is created over the web interface HTTP when enabled. HTTP is disabled by default. | ||||
| CVE-2025-47780 | 2 Asterisk, Sangoma | 4 Asterisk, Certified Asterisk, Asterisk and 1 more | 2025-11-03 | 7.8 High |
| Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue. | ||||
| CVE-2025-44961 | 1 Commscope | 31 Ruckus C110, Ruckus E510, Ruckus H320 and 28 more | 2025-11-03 | 9.9 Critical |
| In RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build, OS command injection can occur via an IP address field provided by an authenticated user. | ||||
| CVE-2025-44960 | 2 Commscope, Ruckus | 32 Ruckus C110, Ruckus E510, Ruckus H320 and 29 more | 2025-11-03 | 8.5 High |
| RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build allows OS command injection via a certain parameter in an API route. | ||||
| CVE-2025-27804 | 2025-11-03 | 6.5 Medium | ||
| Several OS command injection vulnerabilities exist in the device firmware in the /var/salia/mqtt.php script. By publishing a specially crafted message to a certain MQTT topic arbitrary OS commands can be executed with root permissions. | ||||
| CVE-2025-43941 | 1 Dell | 2 Unity, Unity Operating Environment | 2025-11-03 | 7.2 High |
| Dell Unity, version(s) 5.5 and Prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability to execute arbitrary command with root privileges. This vulnerability only affects systems without a valid license install. | ||||
| CVE-2025-43940 | 1 Dell | 2 Unity, Unity Operating Environment | 2025-11-03 | 7.8 High |
| Dell Unity, version(s) 5.5 and Prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation of privileges. | ||||
| CVE-2025-43939 | 1 Dell | 2 Unity, Unity Operating Environment | 2025-11-03 | 7.8 High |
| Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation of privileges. | ||||
| CVE-2024-4577 | 4 Fedoraproject, Microsoft, Php and 1 more | 4 Fedora, Windows, Php and 1 more | 2025-11-03 | 9.8 Critical |
| In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. | ||||
| CVE-2025-34513 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-11-03 | 9.8 Critical |
| Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet. | ||||
| CVE-2023-25279 | 1 Dlink | 2 Dir-820l, Dir-820l Firmware | 2025-11-03 | 9.8 Critical |
| OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload. | ||||
| CVE-2021-40407 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2025-11-03 | 7.2 High |
| An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability. | ||||
| CVE-2019-3929 | 8 Barco, Blackbox, Crestron and 5 more | 24 Wepresent Wipg-1000p, Wepresent Wipg-1000p Firmware, Wepresent Wipg-1600w and 21 more | 2025-11-03 | 9.8 Critical |
| The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. | ||||
| CVE-2025-9377 | 1 Tp-link | 6 Archer C7, Archer C7 Firmware, Tl-wr841n and 3 more | 2025-11-03 | 7.2 High |
| The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es). | ||||
| CVE-2022-44877 | 1 Control-webpanel | 1 Webpanel | 2025-11-03 | 9.8 Critical |
| login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. | ||||
| CVE-2023-25280 | 1 Dlink | 3 Dir-820l, Dir-820l Firmware, Dir820la1 Firmware | 2025-11-03 | 9.8 Critical |
| OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp. | ||||
| CVE-2025-54406 | 1 Planet | 2 Wgr-500, Wgr-500 Firmware | 2025-11-03 | 8.8 High |
| Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This command injection is related to the `counts` request parameter. | ||||
| CVE-2025-54405 | 1 Planet | 2 Wgr-500, Wgr-500 Firmware | 2025-11-03 | 8.8 High |
| Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This command injection is related to the `ipaddr` request parameter. | ||||
| CVE-2025-54404 | 1 Planet | 2 Wgr-500, Wgr-500 Firmware | 2025-11-03 | 8.8 High |
| Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is related to the `new_device_name` request parameter. | ||||