Total
2829 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-50817 | 1 Python | 1 Python | 2025-09-26 | 5.4 Medium |
| A vulnerability in the Python-Future 1.0.0 module allows for arbitrary code execution via the unintended import of a file named test.py. When the module is loaded, it automatically imports test.py, if present in the same directory or in the sys.path. This behavior can be exploited by an attacker who has the ability to write files to the server, allowing the execution of arbitrary code. NOTE: Multiple third parties have disputed this issue and stated that it is not a security flaw in python-future and is a documented feature of Python’s import system in the handling of sys.path. | ||||
| CVE-2025-59831 | 2025-09-26 | N/A | ||
| git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2. | ||||
| CVE-2025-50989 | 1 Opnsense | 1 Opnsense | 2025-09-26 | 9.1 Critical |
| OPNsense before 25.1.8 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces_bridge_edit.php). The span POST parameter is concatenated into a system-level command without proper sanitization or escaping, allowing an administrator to inject arbitrary shell operators and payloads. Successful exploitation results in remote code execution with the privileges of the web service (typically root), potentially leading to full system compromise or lateral movement. This vulnerability arises from inadequate input validation and improper handling of user-supplied data in backend command invocations. | ||||
| CVE-2025-52046 | 1 Totolink | 2 A3300r, A3300r Firmware | 2025-09-26 | 9.8 Critical |
| Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2025-55227 | 1 Microsoft | 5 Sql Server, Sql Server 2016, Sql Server 2017 and 2 more | 2025-09-25 | 8.8 High |
| Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-55319 | 1 Microsoft | 1 Visual Studio Code | 2025-09-25 | 8.8 High |
| Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2025-55911 | 2 Clip-bucket, Oxygenz | 2 Clipbucket, Clipbucket V5 | 2025-09-25 | 6.5 Medium |
| An issue Clip Bucket v.5.5.2 Build#90 allows a remote attacker to execute arbitrary codes via the file_downloader.php and the file parameter | ||||
| CVE-2025-57296 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2025-09-25 | 6.5 Medium |
| Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. When handling the list and vlanId parameters, the sub_ADBC0 helper function concatenates these user-supplied values into nvram set system commands using doSystemCmd, without validating or sanitizing special characters (e.g., ;, ", #). An unauthenticated or authenticated attacker can exploit this by submitting a crafted POST request, leading to arbitrary system command execution on the affected device. | ||||
| CVE-2025-29083 | 1 Cszcms | 1 Csz Cms | 2025-09-25 | 6.5 Medium |
| SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Plugin_Manager.php file. | ||||
| CVE-2025-20334 | 1 Cisco | 1 Ios Xe Software | 2025-09-25 | 8.8 High |
| A vulnerability in the HTTP API subsystem of Cisco IOS XE Software could allow a remote attacker to inject commands that will execute with root privileges into the underlying operating system. This vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by authenticating to an affected system and performing an API call with crafted input. Alternatively, an unauthenticated attacker could persuade a legitimate user with administrative privileges who is currently logged in to the system to click a crafted link. A successful exploit could allow the attacker to execute arbitrary commands as the root user. | ||||
| CVE-2024-53700 | 1 Qnap | 1 Qurouter | 2025-09-24 | 7.2 High |
| A command injection vulnerability has been reported to affect QHora. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later | ||||
| CVE-2023-23356 | 1 Qnap | 1 Qufirewall | 2025-09-24 | 5.5 Medium |
| A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QuFirewall 2.3.3 ( 2023/03/27 ) and later and later | ||||
| CVE-2025-45326 | 2025-09-24 | 6.5 Medium | ||
| An issue in PocketVJ CP PocketVJ-CP-v3 pvj 3.9.1 allows remote attackers to execute arbitrary code via the submit_size.php component. | ||||
| CVE-2024-48861 | 1 Qnap | 1 Qurouter | 2025-09-24 | 7.8 High |
| An OS command injection vulnerability has been reported to affect several product versions. If exploited, the vulnerability could allow local network attackers to execute commands. We have already fixed the vulnerability in the following versions: QuRouter 2.4.4.106 and later | ||||
| CVE-2024-48860 | 1 Qnap | 1 Qurouter | 2025-09-24 | 9.8 Critical |
| An OS command injection vulnerability has been reported to affect several product versions. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.3.103 and later | ||||
| CVE-2025-10123 | 2 D-link, Dlink | 3 Dir-823, Dir-823x, Dir-823x Firmware | 2025-09-24 | 7.3 High |
| A vulnerability was determined in D-Link DIR-823X up to 250416. Affected by this vulnerability is the function sub_415028 of the file /goform/set_static_leases. Executing manipulation of the argument Hostname can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-10634 | 2 D-link, Dlink | 3 Dir-823x, Dir-823x, Dir-823x Firmware | 2025-09-24 | 6.3 Medium |
| A weakness has been identified in D-Link DIR-823X 240126/240802/250416. The impacted element is the function sub_412E7C of the file /usr/sbin/goahead of the component Environment Variable Handler. This manipulation of the argument terminal_addr/server_ip/server_port causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-10814 | 2 D-link, Dlink | 3 Dir-823x, Dir-823x, Dir-823x Firmware | 2025-09-24 | 6.3 Medium |
| A vulnerability was determined in D-Link DIR-823X 240126/240802/250416. Affected by this vulnerability is an unknown functionality of the file /usr/sbin/goahead. This manipulation of the argument port causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-10401 | 2 D-link, Dlink | 3 Dir-823, Dir-823x, Dir-823x Firmware | 2025-09-24 | 6.3 Medium |
| A vulnerability was detected in D-Link DIR-823x up to 250416. The affected element is an unknown function of the file /goform/diag_ping. Performing manipulation of the argument target_addr results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | ||||
| CVE-2025-29887 | 1 Qnap | 1 Qurouter | 2025-09-24 | 7.2 High |
| A command injection vulnerability has been reported to affect QuRouter 2.5.1. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.5.1.060 and later | ||||