Total
5470 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6318 | 1 Lg | 4 Oled48c1pub, Oled55a23la, Oled55cxpua and 1 more | 2025-02-07 | 9.1 Critical |
| A command injection vulnerability exists in the processAnalyticsReport method from the com.webos.service.cloudupload service on webOS version 5 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability. Full versions and TV models affected: * webOS 5.5.0 - 04.50.51 running on OLED55CXPUA * webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB * webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA | ||||
| CVE-2023-6319 | 1 Lg | 5 Lg43um7000pla, Oled48c1pub, Oled55a23la and 2 more | 2025-02-07 | 9.1 Critical |
| A command injection vulnerability exists in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service on webOS version 4 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability. * webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA * webOS 5.5.0 - 04.50.51 running on OLED55CXPUA * webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB * webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA | ||||
| CVE-2023-6320 | 1 Lg | 3 Oled48c1pub, Oled55cxpua, Webos | 2025-02-07 | 9.1 Critical |
| A command injection vulnerability exists in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint on webOS versions 5 and 6. A series of specially crafted requests can lead to command execution as the dbus user. An attacker can make authenticated requests to trigger this vulnerability. Full versions and TV models affected: * webOS 5.5.0 - 04.50.51 running on OLED55CXPUA * webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB | ||||
| CVE-2023-29805 | 1 Iodata | 4 Wfs-sr03k, Wfs-sr03k Firmware, Wfs-sr03w and 1 more | 2025-02-06 | 9.8 Critical |
| WFS-SR03 v1.0.3 was discovered to contain a command injection vulnerability via the pro_stor_canceltrans_handler_part_19 function. | ||||
| CVE-2023-29804 | 1 Iodata | 4 Wfs-sr03k, Wfs-sr03k Firmware, Wfs-sr03w and 1 more | 2025-02-06 | 8.8 High |
| WFS-SR03 v1.0.3 was discovered to contain a command injection vulnerability via the sys_smb_pwdmod function. | ||||
| CVE-2022-38841 | 1 Linksys | 2 E8450, E8450 Firmware | 2025-02-06 | 8.8 High |
| Linksys AX3200 1.1.00 is vulnerable to OS command injection by authenticated users via shell metacharacters to the diagnostics traceroute page. | ||||
| CVE-2023-6260 | 1 Brivo | 4 Acs100, Acs100 Firmware, Acs300 and 1 more | 2025-02-05 | 9 Critical |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Brivo ACS100, ACS300 allows OS Command Injection, Bypassing Physical Security.This issue affects ACS100 (Network Adjacent Access), ACS300 (Physical Access): from 5.2.4 before 6.2.4.3. | ||||
| CVE-2023-25555 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2025-02-05 | 5.6 Medium |
| A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | ||||
| CVE-2023-28983 | 1 Juniper | 1 Junos Os Evolved | 2025-02-05 | 8.8 High |
| An OS Command Injection vulnerability in gRPC Network Operations Interface (gNOI) server module of Juniper Networks Junos OS Evolved allows an authenticated, low privileged, network based attacker to inject shell commands and execute code. This issue affects Juniper Networks Junos OS Evolved 21.4 version 21.4R1-EVO and later versions prior to 22.1R1-EVO. | ||||
| CVE-2023-29412 | 2 Microsoft, Schneider-electric | 7 Windows 10, Windows 11, Windows Server 2016 and 4 more | 2025-02-05 | 9.8 Critical |
| CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface. | ||||
| CVE-2025-24480 | 2025-02-05 | N/A | ||
| A Remote Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to lack of input sanitation and could allow a remote attacker to run commands or code as a high privileged user. | ||||
| CVE-2023-25759 | 1 Uniguest | 1 Tripleplay | 2025-02-05 | 5.3 Medium |
| OS Command Injection in TripleData Reporting Engine in Tripleplay Platform releases prior to Caveman 3.4.0 allows authenticated users to run unprivileged OS level commands via a crafted request payload. | ||||
| CVE-2025-24971 | 2025-02-04 | N/A | ||
| DumpDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the DumbDrop application, `/upload/init` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the **Apprise Notification** enabled. This issue has been addressed in commit `4ff8469d` and all users are advised to patch. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-30621 | 1 Gipsy Project | 1 Gipsy | 2025-02-04 | 9.8 Critical |
| Gipsy is a multi-purpose discord bot which aim to be as modular and user-friendly as possible. In versions prior to 1.3 users can run command on the host machine with sudoer permission. The `!ping` command when provided with an IP or hostname used to run a bash `ping <IP>` without verification that the IP or hostname was legitimate. This command was executed with root permissions and may lead to arbitrary command injection on the host server. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-25507 | 1 Nvidia | 2 Bmc, Dgx-1 | 2025-02-04 | 7.2 High |
| NVIDIA DGX-1 BMC contains a vulnerability in the SPX REST API, where an attacker with the appropriate level of authorization can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, and data tampering. | ||||
| CVE-2023-27991 | 1 Zyxel | 38 Atp100, Atp100 Firmware, Atp100w and 35 more | 2025-02-04 | 8.8 High |
| The post-authentication command injection vulnerability in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker to execute some OS commands remotely. | ||||
| CVE-2024-48008 | 1 Dell | 1 Recoverpoint For Virtual Machines | 2025-02-04 | 5.3 Medium |
| Dell RecoverPoint for Virtual Machines 6.0.x contains a OS Command Injection vulnerability. An Low privileged remote attacker could potentially exploit this vulnerability leading to information disclosure ,allowing of unintended actions like reading files that may contain sensitive information | ||||
| CVE-2024-22461 | 1 Dell | 1 Recoverpoint For Virtual Machines | 2025-02-04 | 8.8 High |
| Dell RecoverPoint for Virtual Machines 6.0.x contains an OS Command injection vulnerability. A low privileged remote attacker could potentially exploit this vulnerability by running any command as root, leading to gaining of root-level access and compromise of complete system. | ||||
| CVE-2024-48890 | 1 Fortinet | 2 Fortisoar, Fortisoar Imap Connector | 2025-02-03 | 6.3 Medium |
| An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR IMAP connector version 3.5.7 and below may allow an authenticated attacker to execute unauthorized code or commands via a specifically crafted playbook | ||||
| CVE-2024-0740 | 1 Eclipse | 1 Target Management | 2025-02-03 | 9.8 Critical |
| Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 has a remote code execution vulnerability that does not require authentication. The fixed version is included in Eclipse IDE 2024-03 | ||||