Total
2830 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5146 | 2025-05-29 | 6.3 Medium | ||
| A vulnerability has been found in Netcore NBR1005GPEV2, B6V2, COVER5, NAP830, NAP930, NBR100V2 and NBR200V2 up to 20250508 and classified as critical. This vulnerability affects the function passwd_set of the file /usr/bin/routerd of the component HTTP Header Handler. The manipulation of the argument pwd leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-12986 | 1 Draytek | 4 Vigor2960, Vigor2960 Firmware, Vigor300b and 1 more | 2025-05-28 | 7.3 High |
| A vulnerability, which was classified as critical, has been found in DrayTek Vigor2960 and Vigor300B 1.5.1.3/1.5.1.4. This issue affects some unknown processing of the file /cgi-bin/mainfunction.cgi/apmcfgupptim of the component Web Management Interface. The manipulation of the argument session leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2024-48419 | 1 Edimax | 2 Br-6476ac, Br-6476ac Firmware | 2025-05-28 | 8.8 High |
| Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 suffers from Command Injection issues in /bin/goahead. Specifically, these issues can be triggered through /goform/tracerouteDiagnosis, /goform/pingDiagnosis, and /goform/fromSysToolPingCmd Each of these issues allows an attacker with access to the web interface to inject and execute arbitrary shell commands, with "root" privileges. | ||||
| CVE-2024-46089 | 1 74cms | 1 74cms | 2025-05-28 | 6.3 Medium |
| 74cms <=3.33 is vulnerable to remote code execution (RCE) in the background interface apiadmin. | ||||
| CVE-2025-1845 | 1 Esafenet | 1 Dsm | 2025-05-28 | 6.3 Medium |
| A vulnerability has been found in ESAFENET DSM 3.1.2 and classified as critical. Affected by this vulnerability is the function examExportPDF of the file /admin/plan/examExportPDF. The manipulation of the argument s leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-49437 | 1 Tenda | 2 Ax12, Ax12 Firmware | 2025-05-28 | 9.8 Critical |
| Tenda AX12 V22.03.01.46 has been discovered to contain a command injection vulnerability in the 'list' parameter at /goform/SetNetControlList. | ||||
| CVE-2023-40301 | 1 Netscout | 1 Ngeniuspulse | 2025-05-28 | 9.8 Critical |
| NETSCOUT nGeniusPULSE 3.8 has a Command Injection Vulnerability. | ||||
| CVE-2022-37881 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-05-28 | 7.2 High |
| Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba ClearPass Policy Manager version(s): 6.10.x: 6.10.6 and below; 6.9.x: 6.9.11 and below. Aruba has released upgrades for Aruba ClearPass Policy Manager that address these security vulnerabilities. | ||||
| CVE-2022-37879 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-05-28 | 7.2 High |
| Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba ClearPass Policy Manager version(s): 6.10.x: 6.10.6 and below; 6.9.x: 6.9.11 and below. Aruba has released upgrades for Aruba ClearPass Policy Manager that address these security vulnerabilities. | ||||
| CVE-2025-44835 | 1 Dlink | 2 Dir-816 A2, Dir-816 A2 Firmware | 2025-05-28 | 6.3 Medium |
| D-Link DIR-816 A2V1.1.0B05 was found to contain a command injection in iptablesWebsFilterRun, which allows remote attackers to execute arbitrary commands via shell. | ||||
| CVE-2025-3249 | 1 Totolink | 2 A6000r, A6000r Firmware | 2025-05-28 | 6.3 Medium |
| A vulnerability classified as critical was found in TOTOLINK A6000R 1.0.1-B20201211.2000. Affected by this vulnerability is the function apcli_cancel_wps of the file /usr/lib/lua/luci/controller/mtkwifi.lua. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-0528 | 1 Tenda | 6 Ac10, Ac10 Firmware, Ac18 and 3 more | 2025-05-28 | 7.2 High |
| A vulnerability, which was classified as critical, has been found in Tenda AC8, AC10 and AC18 16.03.10.20. Affected by this issue is some unknown functionality of the file /goform/telnet of the component HTTP Request Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2021-4304 | 1 Ulcc-core Project | 1 Ulcc-core | 2025-05-28 | 6.3 Medium |
| A vulnerability was found in eprintsug ulcc-core. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file cgi/toolbox/toolbox. The manipulation of the argument password leads to command injection. The attack can be launched remotely. The patch is named 811edaae81eb044891594f00062a828f51b22cb1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217447. | ||||
| CVE-2025-44864 | 1 Tenda | 2 W20e, W20e Firmware | 2025-05-27 | 6.3 Medium |
| Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the module parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2025-44865 | 1 Tenda | 2 W20e, W20e Firmware | 2025-05-27 | 6.3 Medium |
| Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the enable parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2025-44866 | 1 Tenda | 2 W20e, W20e Firmware | 2025-05-27 | 6.3 Medium |
| Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the level parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2025-44867 | 1 Tenda | 2 W20e, W20e Firmware | 2025-05-27 | 6.3 Medium |
| Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetNetCheckTools function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2024-37642 | 1 Trendnet | 2 Tew-814dap, Tew-814dap Firmware | 2025-05-27 | 9.1 Critical |
| TRENDnet TEW-814DAP v1_(FW1.01B01) was discovered to contain a command injection vulnerability via the ipv4_ping, ipv6_ping parameter at /formSystemCheck . | ||||
| CVE-2024-38903 | 1 H3c | 2 Magic R230, Magic R230 Firmware | 2025-05-27 | 4.1 Medium |
| H3C Magic R230 V100R002's udpserver opens port 9034, allowing attackers to execute arbitrary commands. | ||||
| CVE-2025-46625 | 1 Tenda | 2 Rx2 Pro, Rx2 Pro Firmware | 2025-05-27 | 8.8 High |
| Lack of input validation/sanitization in the 'setLanCfg' API endpoint in httpd in the Tenda RX2 Pro 16.03.30.14 allows a remote attacker that is authorized to the web management portal to gain root shell access to the device by sending a crafted web request. This is persistent because the command injection is saved in the configuration of the device. | ||||