Total
2829 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-50891 | 2025-09-18 | 7.2 High | ||
| The server-side backend for Adform Site Tracking before 2025-08-28 allows attackers to inject HTML or execute arbitrary code via cookie hijacking. NOTE: a customer does not need to take any action to update locally installed software (such as Adform Site Tracking 1.1). | ||||
| CVE-2025-59458 | 1 Jetbrains | 1 Junie | 2025-09-18 | 8.3 High |
| In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 code execution was possible due to improper command validation | ||||
| CVE-2025-53773 | 2 Github, Microsoft | 3 Copilot, Visual Studio, Visual Studio 2022 | 2025-09-17 | 7.8 High |
| Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-53787 | 1 Microsoft | 3 365, 365 Copilot, 365 Copilot Chat | 2025-09-17 | 8.2 High |
| Microsoft 365 Copilot BizChat Information Disclosure Vulnerability | ||||
| CVE-2025-53774 | 1 Microsoft | 3 365, 365 Copilot, 365 Copilot Chat | 2025-09-17 | 6.5 Medium |
| Microsoft 365 Copilot BizChat Information Disclosure Vulnerability | ||||
| CVE-2024-6333 | 1 Xerox | 4 Altalink Firmware, Versalink Firmware, Workcentre Firmware and 1 more | 2025-09-17 | 7.2 High |
| Authenticated Remote Code Execution in Altalink, Versalink & WorkCentre Products. | ||||
| CVE-2025-10440 | 2 D-link, Dlink | 6 Di-8003g, Di-8100, Di-8100g and 3 more | 2025-09-17 | 6.3 Medium |
| A vulnerability has been found in D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003 and DI-8003G 16.07.26A1/17.12.20A1/19.12.10A1. Affected by this vulnerability is the function sub_4621DC of the file usb_paswd.asp of the component jhttpd. The manipulation of the argument hname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-10441 | 1 D-link | 3 Di-8003g, Di-8100g, Di-8200g | 2025-09-17 | 6.3 Medium |
| A vulnerability was found in D-Link DI-8100G, DI-8200G and DI-8003G 17.12.20A1/19.12.10A1. Affected by this issue is the function sub_433F7C of the file version_upgrade.asp of the component jhttpd. The manipulation of the argument path results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. | ||||
| CVE-2024-12971 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 8.8 High |
| Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection.This issue affects Pandora FMS from 700 to 777.6 | ||||
| CVE-2024-12992 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 9.8 Critical |
| Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. This issue affects Pandora FMS from 700 to 777.6 . | ||||
| CVE-2025-8752 | 2 Spring-shiro-training Project, Xuanshao | 2 Spring-shiro-training, Spring-shiro-training | 2025-09-16 | 7.3 High |
| A vulnerability was found in wangzhixuan spring-shiro-training up to 94812c1fd8f7fe796c931f4984ff1aa0671ab562. It has been declared as critical. This vulnerability affects unknown code of the file /role/add. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | ||||
| CVE-2025-5306 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 9.8 Critical |
| Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778 | ||||
| CVE-2025-56406 | 2 Neo4j, Neo4j-contrib | 2 Neo4j, Mcp-neo4j | 2025-09-16 | 7.5 High |
| An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP server is only intended for use in a local environment where authentication realistically would not be needed. Also, the Supplier provides middleware to help isolate the MCP server from external access (if needed). | ||||
| CVE-2024-10443 | 1 Synology | 5 Beephotos, Beestation Os, Diskstation Manager and 2 more | 2025-09-16 | 9.8 Critical |
| Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors. | ||||
| CVE-2025-9174 | 1 Neurobin | 1 Shc | 2025-09-15 | 5.3 Medium |
| A vulnerability was determined in neurobin shc up to 4.0.3. This vulnerability affects the function make of the file src/shc.c of the component Filename Handler. Executing manipulation can lead to os command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-7883 | 1 Eluktronics | 1 Control Center | 2025-09-15 | 7.8 High |
| A vulnerability classified as critical has been found in Eluktronics Control Center 5.23.51.41. Affected is an unknown function of the file \AiStoneService\MyControlCenter\Command of the component Powershell Script Handler. The manipulation leads to command injection. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-53098 | 1 Roocode | 1 Roo Code | 2025-09-15 | 8.1 High |
| Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder. | ||||
| CVE-2025-10364 | 1 Evertz | 1 3080ipx | 2025-09-15 | N/A |
| The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and register license among other features. The application has been developed in PHP with the webEASY SDK, also named ‘ewb’ by Evertz. This web interface has two endpoints that are vulnerable to arbitrary command injection (CVE-2025-4009, CVE-2025-10364) and the authentication mechanism has a flaw leading to authentication bypass (CVE-2025-10365). CVE-2025-4009 covers the command injection in feature-transfer-import.php CVE-2025-10364 covers the command injection in feature-transfer-export.php Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices. This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, alteration of closed captions being generated, among others. | ||||
| CVE-2025-27233 | 2 Microsoft, Zabbix | 4 Windows, Zabbix, Zabbix-agent and 1 more | 2025-09-15 | N/A |
| Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. This can be used to leak the NTLMv2 hash from a Windows system. | ||||
| CVE-2025-52284 | 1 Totolink | 2 X6000r, X6000r Firmware | 2025-09-15 | 6.5 Medium |
| Totolink X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_4184C0 function via the tz parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request. | ||||