Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-25441

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-20 Feb, 2026 | 22:54
Updated At-20 Feb, 2026 | 22:54
Rejected At-
Credits

thesystem 1.0 Command Injection via run_command endpoint

thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:20 Feb, 2026 | 22:54
Updated At:20 Feb, 2026 | 22:54
Rejected At:
â–¼CVE Numbering Authority (CNA)
thesystem 1.0 Command Injection via run_command endpoint

thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.

Affected Products
Vendor
kostasmitroglou
Product
thesystem
Versions
Affected
  • 1.0
Problem Types
TypeCWE IDDescription
CWECWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
4.09.3CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 4.0
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Sadik Cetin
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.exploit-db.com/exploits/47441
exploit
https://github.com/kostasmitroglou/thesystem
product
https://www.vulncheck.com/advisories/thesystem-command-injection-via-runcommand-endpoint
third-party-advisory
Hyperlink: https://www.exploit-db.com/exploits/47441
Resource:
exploit
Hyperlink: https://github.com/kostasmitroglou/thesystem
Resource:
product
Hyperlink: https://www.vulncheck.com/advisories/thesystem-command-injection-via-runcommand-endpoint
Resource:
third-party-advisory
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:20 Feb, 2026 | 23:16
Updated At:23 Feb, 2026 | 18:14

thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.09.3CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 4.0
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-78Primarydisclosure@vulncheck.com
CWE ID: CWE-78
Type: Primary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/kostasmitroglou/thesystemdisclosure@vulncheck.com
N/A
https://www.exploit-db.com/exploits/47441disclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/thesystem-command-injection-via-runcommand-endpointdisclosure@vulncheck.com
N/A
Hyperlink: https://github.com/kostasmitroglou/thesystem
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.exploit-db.com/exploits/47441
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/thesystem-command-injection-via-runcommand-endpoint
Source: disclosure@vulncheck.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1410Records found
CVE-2022-30525
Matching Score-4
Assigner-Zyxel Corporation
ShareView Details
Matching Score-4
Assigner-Zyxel Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.45% / 99.99%
||
7 Day CHG~0.00%
Published-12 May, 2022 | 13:05
Updated-27 Oct, 2025 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-06-06||Apply updates per vendor instructions.

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-usg_flex_500_firmwarevpn300_firmwareusg20w-vpnvpn50atp100_firmwareatp100w_firmwareatp500_firmwareusg_flex_700_firmwareusg_flex_50w_firmwareatp700_firmwarevpn100atp800usg20w-vpn_firmwareusg_flex_100wusg_flex_200_firmwarevpn100_firmwareusg_flex_700atp100atp200atp800_firmwarevpn300usg_flex_100w_firmwarevpn1000atp200_firmwareusg_flex_500vpn1000_firmwareatp100wusg_flex_200atp700vpn50_firmwareusg_flex_50watp500USG FLEX 200 firmwareUSG FLEX 100(W) firmwareATP series firmwareUSG 20(W)-VPN firmwareUSG FLEX 50(W) firmwareUSG FLEX 500 firmwareVPN series firmwareUSG FLEX 700 firmwareMultiple Firewalls
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-30105
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.44% / 87.24%
||
7 Day CHG~0.00%
Published-18 May, 2022 | 15:52
Updated-03 Aug, 2024 | 06:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters], are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters, it is possible to inject a an OS command which will be executed with root privileges, as the web interface, and all processes on the device, run as root.

Action-Not Available
Vendor-n/aBelkin International, Inc.
Product-n300n300_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-11407
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 31.77%
||
7 Day CHG~0.00%
Published-Not Available
Updated-19 Nov, 2025 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A weakness has been identified in D-Link DI-7001 MINI 24.04.18B1. Impacted is an unknown function of the file /upgrade_filter.asp. This manipulation of the argument path causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.

Action-Not Available
Vendor-D-Link Corporation
Product-di-7001mini-8gdi-7001mini-8g_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-48802
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 56.97%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 00:00
Updated-05 Jun, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

Action-Not Available
Vendor-n/aTOTOLINK
Product-x6000r_firmwarex6000rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29520
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-8.1||HIGH
EPSS-1.18% / 78.46%
||
7 Day CHG~0.00%
Published-25 Oct, 2022 | 16:33
Updated-15 Apr, 2025 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An OS command injection vulnerability exists in the console_main_loop :sys functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z. A specially-crafted XCMD can lead to arbitrary command execution. An attacker can send an XML payload to trigger this vulnerability.

Action-Not Available
Vendor-goabodeabode systems, inc.
Product-iota_all-in-one_security_kitiota_all-in-one_security_kit_firmwareiota All-In-One Security Kit
CWE ID-CWE-489
Active Debug Code
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29841
Matching Score-4
Assigner-Western Digital
ShareView Details
Matching Score-4
Assigner-Western Digital
CVSS Score-8||HIGH
EPSS-0.38% / 59.11%
||
7 Day CHG~0.00%
Published-10 May, 2023 | 21:04
Updated-24 Jan, 2025 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection vulnerability in Western Digital My Cloud devices

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell in Western Digital My Cloud OS 5 devices.This issue affects My Cloud OS 5: before 5.26.119.

Action-Not Available
Vendor-Western Digital Corp.
Product-my_cloud_dl2100wd_cloudmy_cloudmy_cloud_ex4100my_cloud_ex2_ultramy_cloud_mirror_g2my_cloud_pr2100my_cloud_osmy_cloud_dl4100my_cloud_ex2100my_cloud_pr4100My Cloud OS 5
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29080
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.31% / 87.01%
||
7 Day CHG~0.00%
Published-12 Apr, 2022 | 04:45
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The npm-dependency-versions package through 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell metacharacters in a value.

Action-Not Available
Vendor-npm-dependency-versions_projectn/a
Product-npm-dependency-versionsn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-48803
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 56.97%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 00:00
Updated-02 Aug, 2024 | 21:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

Action-Not Available
Vendor-n/aTOTOLINK
Product-x6000rx6000r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29843
Matching Score-4
Assigner-Western Digital
ShareView Details
Matching Score-4
Assigner-Western Digital
CVSS Score-6.2||MEDIUM
EPSS-0.90% / 75.37%
||
7 Day CHG~0.00%
Published-25 Jan, 2023 | 00:00
Updated-04 Apr, 2025 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Western Digital My Cloud OS 5 devices Command Injection Vulnerability

A command injection vulnerability in the DDNS service configuration of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to execute code in the context of the root user.

Action-Not Available
Vendor-Western Digital Corp.
Product-my_cloud_ex4100_firmwaremy_cloud_pr4100_firmwaremy_cloud_dl2100_firmwaremy_cloud_pr4100my_cloud_dl2100my_cloud_ex4100my_cloud_pr2100my_cloud_ex2_ultramy_cloud_mirror_g2my_cloud_dl4100my_cloud_ex2100my_cloud_mirror_g2_firmwaremy_cloud_ex2100_firmwaremy_cloud_dl4100_firmwaremy_cloud_pr2100_firmwaremy_cloud_ex2_ultra_firmwareMy Cloud
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29516
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.90% / 82.95%
||
7 Day CHG~0.00%
Published-18 May, 2022 | 09:50
Updated-03 Aug, 2024 | 06:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The web console of FUJITSU Network IPCOM series (IPCOM EX2 IN(3200, 3500), IPCOM EX2 LB(1100, 3200, 3500), IPCOM EX2 SC(1100, 3200, 3500), IPCOM EX2 NW(1100, 3200, 3500), IPCOM EX2 DC, IPCOM EX2 DC, IPCOM EX IN(2300, 2500, 2700), IPCOM EX LB(1100, 1300, 2300, 2500, 2700), IPCOM EX SC(1100, 1300, 2300, 2500, 2700), and IPCOM EX NW(1100, 1300, 2300, 2500, 2700)) allows a remote attacker to execute an arbitrary OS command via unspecified vectors.

Action-Not Available
Vendor-Fujitsu Limited
Product-ipcom_ex_in_2500_firmwareipcom_ex2_lb_3500ipcom_ex_lb_1300_firmwareipcom_ex_lb_2500_firmwareipcom_ex_in_2300_firmwareipcom_ex_nw_1100_firmwareipcom_ex_nw_2300_firmwareipcom_ex_sc_1300_firmwareipcom_ex2_sc_1100_firmwareipcom_ex_lb_1100ipcom_ve2_sc_plus_200ipcom_ex2_lb_1100ipcom_ex2_nw_3200_firmwareipcom_ex2_dc_3200_firmwareipcom_ex2_nw_1100ipcom_ve2_ls_plus_100_firmwareipcom_ex_sc_2500ipcom_ex_sc_2700ipcom_ex_nw_2300ipcom_ex_in_2700_firmwareipcom_ex2_in_3500_firmwareipcom_ve2_ls_plus2_200_firmwareipcom_ve2_ls_200ipcom_ex_lb_2300_firmwareipcom_ex_nw_1100ipcom_ex2_nw_3500_firmwareipcom_ex_nw_2500_firmwareipcom_ex2_sc_3500ipcom_ex2_in_3500ipcom_ex_nw_2700ipcom_ve2_ls_plus_200_firmwareipcom_ve2_sc_plus_200_firmwareipcom_ex2_in_3200_firmwareipcom_ex2_dc_3500ipcom_ex_lb_1300ipcom_ex2_lb_3500_firmwareipcom_ex_lb_2300ipcom_ve2_ls_200_firmwareipcom_ex2_dc_3500_firmwareipcom_ex_in_2300ipcom_ex_sc_1100ipcom_ve2_sc_220_firmwareipcom_ex2_dc_3200ipcom_ex_sc_1300ipcom_ve2_sc_plus_220ipcom_ex_nw_2700_firmwareipcom_ex_lb_2500ipcom_ex_sc_1100_firmwareipcom_ex_sc_2300_firmwareipcom_ve2_ls_100_firmwareipcom_ex2_lb_3200_firmwareipcom_ex2_lb_3200ipcom_ex_sc_2500_firmwareipcom_ex2_lb_1100_firmwareipcom_ex_sc_2300ipcom_ve2_ls_plus_200ipcom_ex2_in_1100ipcom_ve2_ls_220ipcom_ex2_sc_3200ipcom_ex_lb_1100_firmwareipcom_ex2_nw_3200ipcom_ex2_nw_1100_firmwareipcom_ve2_ls_plus_220_firmwareipcom_ex_nw_1300_firmwareipcom_ex_nw_2500ipcom_ve2_ls_plus2_200ipcom_ve2_ls_plus_220ipcom_ex2_in_1100_firmwareipcom_ve2_ls_100ipcom_ve2_sc_200ipcom_ve2_ls_220_firmwareipcom_ex2_sc_3500_firmwareipcom_ve2_sc_plus_100_firmwareipcom_ve2_ls_plus_100ipcom_ex2_sc_1100ipcom_ex2_sc_3200_firmwareipcom_ex_lb_2700ipcom_ve2_sc_100ipcom_ex_lb_2700_firmwareipcom_ex_sc_2700_firmwareipcom_ex_in_2500ipcom_ex2_in_3200ipcom_ve2_ls_plus2_220ipcom_ex_in_2700ipcom_ve2_ls_plus2_220_firmwareipcom_ve2_sc_plus_220_firmwareipcom_ve2_sc_100_firmwareipcom_ex2_nw_3500ipcom_ve2_sc_200_firmwareipcom_ve2_sc_220ipcom_ve2_sc_plus_100ipcom_ex_nw_1300IPCOM EX2 series, IPCOM EX series, IPCOM VE2 series, and IPCOM VA2/VE1 series
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29472
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-10||CRITICAL
EPSS-1.14% / 78.11%
||
7 Day CHG~0.00%
Published-25 Oct, 2022 | 16:33
Updated-15 Apr, 2025 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An OS command injection vulnerability exists in the web interface util_set_serial_mac functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-goabodeabode systems, inc.
Product-iota_all-in-one_security_kitiota_all-in-one_security_kit_firmwareiota All-In-One Security Kit
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-2686
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-9.3||CRITICAL
EPSS-0.15% / 36.01%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 00:02
Updated-23 Feb, 2026 | 10:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SECCN Dingcheng G10 session_login.cgi qq os command injection

A security vulnerability has been detected in SECCN Dingcheng G10 3.1.0.181203. This impacts the function qq of the file /cgi-bin/session_login.cgi. The manipulation of the argument User leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.

Action-Not Available
Vendor-SECCN Dingcheng
Product-G10
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29303
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.37% / 99.96%
||
7 Day CHG~0.00%
Published-12 May, 2022 | 15:17
Updated-03 Nov, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-08-03||Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.

SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.

Action-Not Available
Vendor-contecn/aSolarView
Product-sv-cpt-mc310_firmwaresv-cpt-mc310n/aCompact
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29592
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-14.19% / 94.23%
||
7 Day CHG~0.00%
Published-05 May, 2022 | 15:51
Updated-03 Aug, 2024 | 06:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda TX9 Pro 22.03.02.10 devices allow OS command injection via set_route (called by doSystemCmd_route).

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-tx9_pro_firmwaretx9_pron/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29337
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-30.42% / 96.58%
||
7 Day CHG~0.00%
Published-24 May, 2022 | 21:26
Updated-03 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

C-DATA FD702XW-X-R430 v2.1.13_X001 was discovered to contain a command injection vulnerability via the va_cmd parameter in formlanipv6. This vulnerability allows attackers to execute arbitrary commands via a crafted HTTP request.

Action-Not Available
Vendor-n/aC-DATA Technologies Co., Ltd.
Product-fd702xw-x-r430fd702xw-x-r430_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20711
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.65% / 70.39%
||
7 Day CHG~0.00%
Published-26 Apr, 2021 | 00:20
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Aterm WG2600HS firmware Ver1.5.1 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.

Action-Not Available
Vendor-NEC Corporation
Product-aterm_wg2600hs_firmwareaterm_wg2600hsAterm WG2600HS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28580
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-20.32% / 95.39%
||
7 Day CHG~0.00%
Published-05 May, 2022 | 17:40
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It is found that there is a command injection vulnerability in the setL2tpServerCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28909
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.98% / 92.90%
||
7 Day CHG~0.00%
Published-10 May, 2022 | 13:17
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the webwlanidx parameter in /setting/setWebWlanIdx.

Action-Not Available
Vendor-n/aTOTOLINK
Product-n600r_firmwaren600rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28578
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-20.32% / 95.39%
||
7 Day CHG~0.00%
Published-05 May, 2022 | 17:36
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It is found that there is a command injection vulnerability in the setOpenVpnCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28906
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-20.14% / 95.36%
||
7 Day CHG~0.00%
Published-10 May, 2022 | 13:16
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the langtype parameter in /setting/setLanguageCfg.

Action-Not Available
Vendor-n/aTOTOLINK
Product-n600r_firmwaren600rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28571
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-17.84% / 94.99%
||
7 Day CHG~0.00%
Published-02 May, 2022 | 12:35
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-link 882 DIR882A1_FW130B06 was discovered to contain a command injection vulnerability in`/usr/bin/cli.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-882_firmwaredir-882n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-27804
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-8||HIGH
EPSS-0.76% / 72.96%
||
7 Day CHG~0.00%
Published-25 Oct, 2022 | 16:33
Updated-15 Apr, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An os command injection vulnerability exists in the web interface util_set_abode_code functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-goabodeabode systems, inc.
Product-iota_all-in-one_security_kitiota_all-in-one_security_kit_firmwareiota All-In-One Security Kit
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28911
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-11.27% / 93.37%
||
7 Day CHG~0.00%
Published-10 May, 2022 | 13:17
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/CloudACMunualUpdate.

Action-Not Available
Vendor-n/aTOTOLINK
Product-n600r_firmwaren600rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28584
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-20.32% / 95.39%
||
7 Day CHG~0.00%
Published-05 May, 2022 | 17:26
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It is found that there is a command injection vulnerability in the setWiFiWpsStart interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-1497
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-94.36% / 99.96%
||
7 Day CHG-0.03%
Published-06 May, 2021 | 12:41
Updated-28 Oct, 2025 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2021-11-17||Apply updates per vendor instructions.
Cisco HyperFlex HX Command Injection Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-hyperflex_hx240c_m5hyperflex_hx220c_edge_m5hyperflex_hx240chyperflex_hx220c_af_m5hyperflex_hx220c_all_nvme_m5hyperflex_hx220c_m5hyperflex_hx_data_platformhyperflex_hx240c_af_m5Cisco HyperFlex HX Data PlatformHyperFlex HX
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-48810
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 56.97%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 00:00
Updated-02 Aug, 2024 | 21:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.

Action-Not Available
Vendor-n/aTOTOLINK
Product-x6000rx6000r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28907
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-11.27% / 93.37%
||
7 Day CHG~0.00%
Published-10 May, 2022 | 13:16
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the hosttime function in /setting/NTPSyncWithHost.

Action-Not Available
Vendor-n/aTOTOLINK
Product-n600r_firmwaren600rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28583
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-20.32% / 95.39%
||
7 Day CHG~0.00%
Published-05 May, 2022 | 17:47
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It is found that there is a command injection vulnerability in the setWiFiWpsCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26990
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.35% / 87.07%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the firewall-local log function via the EmailAddress, SmtpServerName, SmtpUsername, and SmtpPassword parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-arrisn/a
Product-sbr-ac1900p_firmwaresbr-ac3200p_firmwaresbr-ac1200psbr-ac1900psbr-ac1200p_firmwaresbr-ac3200pn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-27005
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-45.94% / 97.55%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-12 Sep, 2024 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the setWanCfg function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7000r_firmwarex5000r_firmwarex5000ra7000rn/aa7000r_firmwarex5000r_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-27268
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.79% / 73.50%
||
7 Day CHG~0.00%
Published-10 Apr, 2022 | 20:24
Updated-03 Aug, 2024 | 05:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the component get_cgi_from_memory. This vulnerability is triggered via a crafted packet.

Action-Not Available
Vendor-n/aInHand Networks, Inc.
Product-inrouter_900_firmwareinrouter_900n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-27271
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.34% / 79.79%
||
7 Day CHG~0.00%
Published-10 Apr, 2022 | 20:23
Updated-03 Aug, 2024 | 05:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the component python-lib. This vulnerability is triggered via a crafted packet.

Action-Not Available
Vendor-n/aInHand Networks, Inc.
Product-inrouter_900_firmwareinrouter_900n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-27004
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-30.65% / 96.60%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-12 Sep, 2024 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6in4 function via the remote6in4 parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7000r_firmwarex5000r_firmwarex5000ra7000rn/aa7000r_firmwarex5000r_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-27273
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.34% / 79.79%
||
7 Day CHG~0.00%
Published-10 Apr, 2022 | 20:23
Updated-03 Aug, 2024 | 05:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the function sub_12168. This vulnerability is triggered via a crafted packet.

Action-Not Available
Vendor-n/aInHand Networks, Inc.
Product-inrouter_900_firmwareinrouter_900n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-27269
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.84% / 74.46%
||
7 Day CHG~0.00%
Published-10 Apr, 2022 | 20:24
Updated-03 Aug, 2024 | 05:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the component config_ovpn. This vulnerability is triggered via a crafted packet.

Action-Not Available
Vendor-n/aInHand Networks, Inc.
Product-inrouter_900_firmwareinrouter_900n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26993
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.56% / 92.71%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pppoe function via the pppoeUserName, pppoePassword, and pppoe_Service parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-arrisn/a
Product-sbr-ac1900p_firmwaresbr-ac1200psbr-ac3200p_firmwaresbr-ac1900psbr-ac1200p_firmwaresbr-ac3200pn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26213
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-31.51% / 96.67%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink X5000R_Firmware v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function setNtpCfg, via the tz parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTOTOLINK
Product-x5000r_firmwarex5000rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26265
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-72.22% / 98.72%
||
7 Day CHG~0.00%
Published-18 Mar, 2022 | 22:57
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter.

Action-Not Available
Vendor-n/aContao Association
Product-contaon/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25908
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.4||HIGH
EPSS-1.68% / 81.88%
||
7 Day CHG~0.00%
Published-24 Jan, 2023 | 05:00
Updated-01 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

Action-Not Available
Vendor-create-choo-electron_projectn/a
Product-create-choo-electroncreate-choo-electron
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25621
Matching Score-4
Assigner-NEC Corporation
ShareView Details
Matching Score-4
Assigner-NEC Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.96% / 76.14%
||
7 Day CHG~0.00%
Published-11 Mar, 2022 | 17:54
Updated-03 Aug, 2024 | 04:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

UUNIVERGE WA 1020 Ver8.2.11 and prior, UNIVERGE WA 1510 Ver8.2.11 and prior, UNIVERGE WA 1511 Ver8.2.11 and prior, UNIVERGE WA 1512 Ver8.2.11 and prior, UNIVERGE WA 2020 Ver8.2.11 and prior, UNIVERGE WA 2021 Ver8.2.11 and prior, UNIVERGE WA 2610-AP Ver8.2.11 and prior, UNIVERGE WA 2611-AP Ver8.2.11 and prior, UNIVERGE WA 2611E-AP Ver8.2.11 and prior, UNIVERGE WA WA2612-AP Ver8.2.11 and prior allows a remote attacker to execute arbitrary OS commands.

Action-Not Available
Vendor-NEC Platforms, Ltd.NEC Corporation
Product-univerge_wa2020univerge_wa2611-ap_firmwareuniverge_wa2610-ap_firmwareuniverge_wa1511_firmwareuniverge_wa2611-apuniverge_wa1510_firmwareuniverge_wa1020univerge_wa2612-apuniverge_wa2612-ap_firmwareuniverge_wa2020_firmwareuniverge_wa1510univerge_wa2610-apuniverge_wa1512_firmwareuniverge_wa1512univerge_wa1511univerge_wa2021univerge_wa1020_firmwareuniverge_wa2021_firmwareuniverge_wa2611e-apuniverge_wa2611e-ap_firmwareUNIVERGE DT
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26206
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-17.34% / 94.90%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setLanguageCfg, via the langType parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3000rua950rg_firmwarea950rga800r_firmwarea3100ra3000ru_firmwarea830ra800ra830r_firmwarea810ra810r_firmwarea3100r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26258
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-87.16% / 99.43%
||
7 Day CHG~0.00%
Published-27 Mar, 2022 | 00:00
Updated-03 Nov, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-09-29||The impacted product is end-of-life and should be disconnected if still in use.

D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-820ldir-820l_firmwaren/aDIR-820L
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25860
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-8.1||HIGH
EPSS-44.53% / 97.48%
||
7 Day CHG~0.00%
Published-24 Jan, 2023 | 05:00
Updated-01 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).

Action-Not Available
Vendor-simple-git_projectn/a
Product-simple-gitsimple-git
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-25061
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-86.03% / 99.37%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 19:39
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-tl-wr840n_firmwaretl-wr840nn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25168
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-3.01% / 86.33%
||
7 Day CHG~0.00%
Published-04 Aug, 2022 | 14:30
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).

Action-Not Available
Vendor-The Apache Software Foundation
Product-hadoopApache Hadoop
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-2487
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-8||HIGH
EPSS-93.12% / 99.78%
||
7 Day CHG~0.00%
Published-20 Jul, 2022 | 11:35
Updated-15 Apr, 2025 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WAVLINK WN535K2/WN535K3 nightled.cgi os command injection

A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/nightled.cgi. The manipulation of the argument start_hour leads to os command injection. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn535k2_firmwarewl-wn535k2wl-wn535k3wl-wn535k3_firmwareWN535K2WN535K3
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-24377
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.4||HIGH
EPSS-1.37% / 79.96%
||
7 Day CHG~0.00%
Published-15 Dec, 2022 | 03:44
Updated-17 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

The package cycle-import-check before 1.3.2 are vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.

Action-Not Available
Vendor-cycle-import-check_projectn/a
Product-cycle-import-checkcycle-import-check
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25080
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.66% / 90.21%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A830R V5.9c.4729_B20191112 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a830ra830r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25060
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-74.66% / 98.83%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 19:38
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_startPing.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-tl-wr840n_firmwaretl-wr840nn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25076
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.66% / 90.21%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A800R V4.1.2cu.5137_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a800r_firmwarea800rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 28
  • 29
  • Next
Details not found