Total
4963 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-12010 | 1 Zyxel | 1 Ax7501-b1 Firmware | 2025-07-13 | 7.2 High |
| A post-authentication command injection vulnerability in the ”zyUtilMailSend” function of the Zyxel AX7501-B1 firmware version V5.17(ABPC.5.3)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. | ||||
| CVE-2025-20014 | 1 Myscada | 1 Mypro Manager | 2025-07-13 | 9.8 Critical |
| mySCADA myPRO does not properly neutralize POST requests sent to a specific port with version information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system. | ||||
| CVE-2024-4696 | 1 Lenovo | 1 Service Bridge | 2025-07-12 | 7.5 High |
| A privilege escalation vulnerability was reported in Lenovo Service Bridge prior to version 5.0.2.17 that could allow operating system commands to be executed if a specially crafted link is visited. | ||||
| CVE-2024-5399 | 1 Openfind | 1 Mail2000 | 2025-07-12 | 7.2 High |
| Openfind Mail2000 does not properly filter parameters of specific API. Remote attackers with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the remote server. | ||||
| CVE-2024-12009 | 1 Zyxel | 1 Ex5601-t1 Firmware | 2025-07-12 | 7.2 High |
| A post-authentication command injection vulnerability in the "ZyEE" function of the Zyxel EX5601-T1 firmware version V5.70(ACDZ.3.6)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. | ||||
| CVE-2024-38510 | 1 Lenovo | 1 Xclarity Controller | 2025-07-12 | 7.2 High |
| A privilege escalation vulnerability was discovered in the SSH captive command shell interface that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. | ||||
| CVE-2024-5400 | 1 Openfind | 1 Mail2000 | 2025-07-12 | 8.8 High |
| Openfind Mail2000 does not properly filter parameters of specific CGI. Remote attackers with regular privileges can exploit this vulnerability to execute arbitrary system commands on the remote server. | ||||
| CVE-2021-47667 | 1 Zend | 1 Zendto | 2025-07-12 | 10 Critical |
| An OS command injection vulnerability in lib/NSSDropoff.php in ZendTo 5.24-3 through 6.x before 6.10-7 allows unauthenticated remote attackers to execute arbitrary commands via shell metacharacters in the tmp_name parameter when dropping off a file via a POST /dropoff request. | ||||
| CVE-2024-38512 | 1 Lenovo | 1 Xclarity Controller | 2025-07-12 | 7.2 High |
| A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands. | ||||
| CVE-2024-11253 | 1 Zyxel | 2 Vmg8825-t50k, Vmg8825-t50k Firmware | 2025-07-12 | 7.2 High |
| A post-authentication command injection vulnerability in the "DNSServer” parameter of the diagnostic function in the Zyxel VMG8825-T50K firmware version V5.50(ABOM.8.5)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. | ||||
| CVE-2024-27920 | 1 Projectdiscovery | 1 Nuclei | 2025-07-12 | 7.4 High |
| projectdiscovery/nuclei is a fast and customisable vulnerability scanner based on simple YAML based DSL. A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. This vulnerability specifically affects users utilizing custom workflows, potentially allowing the execution of malicious code on the user's system. This advisory outlines the impacted users, provides details on the security patch, and suggests mitigation strategies. The vulnerability is addressed in Nuclei v3.2.0. Users are strongly recommended to update to this version to mitigate the security risk. Users should refrain from using custom workflows if unable to upgrade immediately. Only trusted, verified workflows should be executed. | ||||
| CVE-2024-38508 | 1 Lenovo | 1 Xclarity Controller | 2025-07-12 | 7.2 High |
| A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request. | ||||
| CVE-2024-57595 | 1 Dlink | 1 Dir-825 | 2025-07-12 | 9.8 Critical |
| DLINK DIR-825 REVB 2.03 devices have an OS command injection vulnerability in the CGl interface apc_client_pin.cgi, which allows remote attackers to execute arbitrary commands via the parameter "wps_pin" passed to the apc_client_pin.cgi binary through a POST request. | ||||
| CVE-2025-1339 | 1 Totolink | 1 X18 | 2025-07-12 | 6.3 Medium |
| A vulnerability was found in TOTOLINK X18 9.1.0cu.2024_B20220329. It has been rated as critical. This issue affects the function setL2tpdConfig of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-20061 | 1 Myscada | 1 Mypro Manager | 2025-07-12 | 9.8 Critical |
| mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system. | ||||
| CVE-2025-2733 | 1 Mannaandpoem | 1 Openmanus | 2025-07-12 | 6.3 Medium |
| A vulnerability classified as critical has been found in mannaandpoem OpenManus up to 2025.3.13. This affects an unknown part of the file app/tool/python_execute.py of the component Prompt Handler. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-20186 | 1 Cisco | 1 Ios Xe | 2025-07-11 | 8.8 High |
| A vulnerability in the web-based management interface of the Wireless LAN Controller feature of Cisco IOS XE Software could allow an authenticated, remote attacker with a lobby ambassador user account to perform a command injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary Cisco IOS XE Software CLI commands with privilege level 15. Note: This vulnerability is exploitable only if the attacker obtains the credentials for a lobby ambassador account. This account is not configured by default. | ||||
| CVE-2025-20193 | 1 Cisco | 1 Ios Xe | 2025-07-11 | 6.5 Medium |
| A vulnerability in the web-based management interface of Cisco IOS XE Software could allow an authenticated, low-privileged, remote attacker to perform an injection attack against an affected device.r This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web-based management interface. A successful exploit could allow the attacker to read files from the underlying operating system. | ||||
| CVE-2025-20194 | 1 Cisco | 1 Ios Xe | 2025-07-11 | 5.4 Medium |
| A vulnerability in the web-based management interface of Cisco IOS XE Software could allow an authenticated, low-privileged, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web-based management interface. A successful exploit could allow the attacker to read limited files from the underlying operating system or clear the syslog and licensing logs on the affected device. | ||||
| CVE-2025-25269 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2025-07-11 | 8.4 High |
| An unauthenticated local attacker can inject a command that is subsequently executed as root, leading to a privilege escalation. | ||||