Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-41642

Summary
Assigner-jpcert
Assigner Org ID-ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At-05 Dec, 2022 | 00:00
Updated At-24 Apr, 2025 | 14:32
Rejected At-
Credits

OS command injection vulnerability in Nadesiko3 (PC Version) v3.3.61 and earlier allows a remote attacker to execute an arbitrary OS command when processing compression and decompression on the product.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:jpcert
Assigner Org ID:ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At:05 Dec, 2022 | 00:00
Updated At:24 Apr, 2025 | 14:32
Rejected At:
▼CVE Numbering Authority (CNA)

OS command injection vulnerability in Nadesiko3 (PC Version) v3.3.61 and earlier allows a remote attacker to execute an arbitrary OS command when processing compression and decompression on the product.

Affected Products
Vendor
kujirahand
Product
Nadesiko3 (PC Version)
Versions
Affected
  • v3.3.61 and earlier
Problem Types
TypeCWE IDDescription
textN/AOS Command Injection
Type: text
CWE ID: N/A
Description: OS Command Injection
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/kujirahand/nadesiko3/issues/1325
N/A
https://github.com/kujirahand/nadesiko3/issues/1347
N/A
https://jvn.jp/en/jp/JVN56968681/index.html
N/A
Hyperlink: https://github.com/kujirahand/nadesiko3/issues/1325
Resource: N/A
Hyperlink: https://github.com/kujirahand/nadesiko3/issues/1347
Resource: N/A
Hyperlink: https://jvn.jp/en/jp/JVN56968681/index.html
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/kujirahand/nadesiko3/issues/1325
x_transferred
https://github.com/kujirahand/nadesiko3/issues/1347
x_transferred
https://jvn.jp/en/jp/JVN56968681/index.html
x_transferred
Hyperlink: https://github.com/kujirahand/nadesiko3/issues/1325
Resource:
x_transferred
Hyperlink: https://github.com/kujirahand/nadesiko3/issues/1347
Resource:
x_transferred
Hyperlink: https://jvn.jp/en/jp/JVN56968681/index.html
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vultures@jpcert.or.jp
Published At:05 Dec, 2022 | 04:15
Updated At:24 Apr, 2025 | 15:15

OS command injection vulnerability in Nadesiko3 (PC Version) v3.3.61 and earlier allows a remote attacker to execute an arbitrary OS command when processing compression and decompression on the product.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches

kujirahand
kujirahand
>>nadesiko3>>Versions up to 3.3.68(inclusive)
cpe:2.3:a:kujirahand:nadesiko3:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-78Primarynvd@nist.gov
CWE-78Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-78
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-78
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/kujirahand/nadesiko3/issues/1325vultures@jpcert.or.jp
Issue Tracking
Patch
Third Party Advisory
https://github.com/kujirahand/nadesiko3/issues/1347vultures@jpcert.or.jp
Issue Tracking
Patch
Third Party Advisory
https://jvn.jp/en/jp/JVN56968681/index.htmlvultures@jpcert.or.jp
Third Party Advisory
https://github.com/kujirahand/nadesiko3/issues/1325af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Patch
Third Party Advisory
https://github.com/kujirahand/nadesiko3/issues/1347af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Patch
Third Party Advisory
https://jvn.jp/en/jp/JVN56968681/index.htmlaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Hyperlink: https://github.com/kujirahand/nadesiko3/issues/1325
Source: vultures@jpcert.or.jp
Resource:
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://github.com/kujirahand/nadesiko3/issues/1347
Source: vultures@jpcert.or.jp
Resource:
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://jvn.jp/en/jp/JVN56968681/index.html
Source: vultures@jpcert.or.jp
Resource:
Third Party Advisory
Hyperlink: https://github.com/kujirahand/nadesiko3/issues/1325
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://github.com/kujirahand/nadesiko3/issues/1347
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://jvn.jp/en/jp/JVN56968681/index.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1603Records found

CVE-2022-42496
Matching Score-10
Assigner-JPCERT/CC
ShareView Details
Matching Score-10
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-2.07% / 79.09%
||
7 Day CHG~0.00%
Published-05 Dec, 2022 | 00:00
Updated-24 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to obtain appkey of the product and execute an arbitrary OS command on the product.

Action-Not Available
Vendor-kujirahandkujirahand
Product-nadesiko3Nako3edit, editor component of nadesiko3 (PC Version)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-20720
Matching Score-8
Assigner-JPCERT/CC
ShareView Details
Matching Score-8
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.32% / 67.32%
||
7 Day CHG~0.00%
Published-20 May, 2021 | 01:15
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the KonaWiki2 versions prior to 2.2.4 allows remote attackers to execute arbitrary SQL commands and to obtain/alter the information stored in the database via unspecified vectors.

Action-Not Available
Vendor-kujirahandkujirahand
Product-konawikiKonaWiki2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-20721
Matching Score-8
Assigner-JPCERT/CC
ShareView Details
Matching Score-8
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.52% / 71.56%
||
7 Day CHG~0.00%
Published-20 May, 2021 | 01:15
Updated-03 Aug, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

KonaWiki2 versions prior to 2.2.4 allows a remote attacker to upload arbitrary files via unspecified vectors. If the file contains PHP scripts, arbitrary code may be executed.

Action-Not Available
Vendor-kujirahandkujirahand
Product-konawikiKonaWiki2
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-55037
Matching Score-6
Assigner-JPCERT/CC
ShareView Details
Matching Score-6
Assigner-JPCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-2.72% / 84.22%
||
7 Day CHG~0.00%
Published-05 Sep, 2025 | 05:24
Updated-05 Sep, 2025 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources.

Action-Not Available
Vendor-kujirahand
Product-TkEasyGUI
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-42757
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.30% / 66.96%
||
7 Day CHG~0.00%
Published-15 Aug, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Command injection vulnerability in Asus RT-N15U 3.0.0.4.376_3754 allows a remote attacker to execute arbitrary code via the netstat function page.

Action-Not Available
Vendor-n/aASUS (ASUSTeK Computer Inc.)
Product-n/art-n15u_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-42978
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 65.29%
||
7 Day CHG~0.00%
Published-15 Aug, 2024 | 00:00
Updated-25 Mar, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in the handler function in /goform/telnet of Tenda FH1206 v02.03.01.35 allows attackers to execute arbitrary commands via a crafted HTTP request.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-fh1206fh1206_firmwaren/afh1206_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-42737
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.68% / 74.08%
||
7 Day CHG~0.00%
Published-13 Aug, 2024 | 00:00
Updated-13 Aug, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in delBlacklist. Authenticated Attackers can send malicious packet to execute arbitrary commands.

Action-Not Available
Vendor-n/aTOTOLINK
Product-x5000r_firmwarex5000rn/ax5000r_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-28440
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.96% / 77.94%
||
7 Day CHG~0.00%
Published-11 Dec, 2020 | 16:55
Updated-16 Sep, 2024 | 22:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function.

Action-Not Available
Vendor-corenlp-js-interface_projectn/a
Product-corenlp-js-interfacecorenlp-js-interface
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-2131
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-10||CRITICAL
EPSS-1.73% / 74.78%
||
7 Day CHG~0.00%
Published-20 Apr, 2023 | 20:40
Updated-16 Jan, 2025 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2023-2131

Versions of INEA ME RTU firmware prior to 3.36 are vulnerable to OS command injection, which could allow an attacker to remotely execute arbitrary code.

Action-Not Available
Vendor-ineaINEA
Product-me_rtume_rtu_firmwareME RTU
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-17558
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.51% / 82.82%
||
7 Day CHG~0.00%
Published-26 Oct, 2023 | 00:00
Updated-11 Sep, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM.1.6.18, TVIP11550 MG.1.6.03, TVIP21050 MG.1.6.03, and TVIP51550 MG.1.6.03 cameras allow remote attackers to execute code as root.

Action-Not Available
Vendor-abusn/aabus
Product-tvip_11552tvip_20050_firmwaretvip_10051tvip_21551_firmwaretvip_31500tvip_11502_firmwaretvip_51550tvip_21501_firmwaretvip_31550_firmwaretvip_51500_firmwaretvip_10050_firmwaretvip_20500tvip_10001_firmwaretvip_22500tvip_21502tvip_21000tvip_51550_firmwaretvip_21552tvip_10055b_firmwaretvip_32500_firmwaretvip_71550_firmwaretvip_21502_firmwaretvip_20550tvip_31501tvip_10005btvip_10000_firmwaretvip_20050tvip_72500_firmwaretvip_10500_firmwaretvip_71550tvip_10050tvip_10055atvip_11550_firmwaretvip_20550_firmwaretvip_11551_firmwaretvip_71551_firmwaretvip_71500_firmwaretvip_11552_firmwaretvip_31501_firmwaretvip_72500tvip_51500tvip_10005a_firmwaretvip_31000_firmwaretvip_31551tvip_10000tvip_20500_firmwaretvip_11502tvip_71501_firmwaretvip_11501tvip_10550tvip_31001tvip_31050tvip_11050tvip_71501tvip_21500_firmwaretvip_10051_firmwaretvip_11050_firmwaretvip_10055btvip_10500tvip_22500_firmwaretvip_31550tvip_11500_firmwaretvip_21552_firmwaretvip_11000tvip_11550tvip_20000_firmwaretvip_31050_firmwaretvip_11551tvip_10005atvip_31000tvip_32500tvip_21550tvip_10005_firmwaretvip_21551tvip_21050tvip_10005b_firmwaretvip_10001tvip_10550_firmwaretvip_21501tvip_31001_firmwaretvip_31551_firmwaretvip_71551tvip_21000_firmwaretvip_21550_firmwaretvip_20000tvip_11000_firmwaretvip_31500_firmwaretvip_10055a_firmwaretvip_11500tvip_11501_firmwaretvip_71500tvip_10005tvip_21500tvip_21050_firmwaren/atvip_72500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2026-8666
Matching Score-4
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-4
Assigner-Rapid7, Inc.
CVSS Score-7.7||HIGH
EPSS-0.68% / 47.72%
||
7 Day CHG+0.12%
Published-25 Jun, 2026 | 01:35
Updated-29 Jun, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection in Rapid7 InsightConnect Traceroute Plugin

OS Command Injection vulnerability in the traceroute action of Rapid7 InsightConnect Traceroute Plugin on Linux allows remote attackers to execute arbitrary OS commands via the host, port, max_ttl, count, or time_out request parameters due to insufficient input validation when constructing shell commands.

Action-Not Available
Vendor-Linux Kernel Organization, IncRapid7 LLC
Product-linux_kernelinsightconnect_tracerouteInsightConnect Traceroute Plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-41622
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.03% / 78.70%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 00:00
Updated-30 Aug, 2024 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability via the tomography_ping_address parameter in /HNAP1/ interface.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-846w_firmwaredir-846wn/adir-846w_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-1350
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-2.38% / 81.90%
||
7 Day CHG~0.00%
Published-11 Mar, 2023 | 08:20
Updated-02 Aug, 2024 | 05:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
liferea Feed Enrichment update.c update_job_run os command injection

A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.

Action-Not Available
Vendor-liferea_projectn/a
Product-liferealiferea
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-1698
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-9.8||CRITICAL
EPSS-81.91% / 99.61%
||
7 Day CHG~0.00%
Published-15 May, 2023 | 08:51
Updated-23 Jan, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WAGO: WBM Command Injection in multiple products

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.

Action-Not Available
Vendor-wagoWAGO
Product-compact_controller_100_firmwarepfc200_firmwaretouch_panel_600_advanced_firmwaretouch_panel_600_marine_firmwaretouch_panel_600_standardtouch_panel_600_advancedcompact_controller_100edge_controllertouch_panel_600_standard_firmwarepfc200edge_controller_firmwarepfc100_firmwarepfc100touch_panel_600_marinePFC100Compact Controller CC100PFC200Edge ControllerTouch Panel 600 Standard LineTouch Panel 600 Advanced LineTouch Panel 600 Marine Line
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-29311
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.29% / 92.74%
||
7 Day CHG~0.00%
Published-10 Dec, 2020 | 21:38
Updated-04 Aug, 2024 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software.

Action-Not Available
Vendor-ubillingn/a
Product-ubillingn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-0935
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-4.78% / 90.83%
||
7 Day CHG~0.00%
Published-21 Feb, 2023 | 09:19
Updated-12 Mar, 2025 | 13:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DolphinPHP Incomplete Fix CVE-2021-46097 common.php os command injection

A vulnerability was found in DolphinPHP up to 1.5.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file common.php of the component Incomplete Fix CVE-2021-46097. The manipulation of the argument id leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221551.

Action-Not Available
Vendor-dolphinphp_projectn/a
Product-dolphinphpDolphinPHP
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-14839
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-89.35% / 99.77%
||
7 Day CHG~0.00%
Published-14 May, 2019 | 20:01
Updated-07 Nov, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-15||Apply updates per vendor instructions.

LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The impact is: execute arbitrary code (remote). The attack vector is: HTTP POST with parameters.

Action-Not Available
Vendor-n/aLG Electronics Inc.
Product-n1a1_firmwaren1a1n/aN1A1 NAS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-14558
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.67% / 94.48%
||
7 Day CHG~0.00%
Published-30 Oct, 2018 | 18:00
Updated-07 Nov, 2025 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10). A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted goform/setUsbUnload request. This occurs because the "formsetUsbUnload" function executes a dosystemCmd function with untrusted input.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-ac10_firmwareac10ac7_firmwareac7ac9_firmwareac9n/aAC7, AC9, and AC10 Routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-9862
Matching Score-4
Assigner-Fortra, LLC
ShareView Details
Matching Score-4
Assigner-Fortra, LLC
CVSS Score-9.8||CRITICAL
EPSS-0.86% / 54.23%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 15:10
Updated-15 Jun, 2026 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Core Privileged Access Manager (BoKS) autoregistration service command injection vulnerability

Fortra's  Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing.

Action-Not Available
Vendor-Fortra LLC
Product-Core Privileged Access Manager (BoKS)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-15310
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.26% / 94.23%
||
7 Day CHG~0.00%
Published-01 Jul, 2020 | 19:18
Updated-05 Aug, 2024 | 00:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on various devices via the Linkplay firmware. There is WAN remote code execution without user interaction. An attacker could retrieve the AWS key from the firmware and obtain full control over Linkplay's AWS estate, including S3 buckets containing device firmware. When combined with an OS command injection vulnerability within the XML Parsing logic of the firmware update process, an attacker would be able to gain code execution on any device that attempted to update. Note that by default all devices tested had automatic updates enabled.

Action-Not Available
Vendor-linkplayn/a
Product-linkplayn/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-28424
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.2||HIGH
EPSS-0.69% / 48.11%
||
7 Day CHG~0.00%
Published-02 Aug, 2022 | 13:27
Updated-16 Sep, 2024 | 22:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

This affects all versions of package s3-kilatstorage.

Action-Not Available
Vendor-s3-kilatstorage_projectn/a
Product-s3-kilatstorages3-kilatstorage
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-50794
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-3.26% / 86.88%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 22:41
Updated-13 Jan, 2026 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Command Injection via Username

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated command injection vulnerability in the username parameter. Attackers can exploit index.php and login.php scripts by injecting arbitrary shell commands through the HTTP POST 'username' parameter to execute system commands.

Action-Not Available
Vendor-sound4SOUND4 Ltd.Kantar Media
Product-wm2_firmwarepulse_eco_firmwareimpact_ecowm2pulseimpact_eco_firmwarefirstimpact_firmwarebig_voice2_firmwarefirst_firmwarepulse_ecostream_extensionimpactpulse_firmwarebig_voice4_firmwarebig_voice2big_voice4Impact/Pulse/FirstBigVoice4StreamWM2Impact/Pulse EcoBigVoice2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-50596
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-4.12% / 89.55%
||
7 Day CHG+0.47%
Published-06 Nov, 2025 | 19:58
Updated-14 May, 2026 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-1260 <= v1.20B05 GetDeviceSettings Unauthenticated Command Injection

D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local and Wi-Fi networks and optionally from the Internet.

Action-Not Available
Vendor-D-Link CorporationSuiteCRM Ltd.
Product-dir-1260_firmwaredir-1260DIR-1260
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-39228
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.66% / 47.18%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 00:00
Updated-15 Aug, 2024 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a shell injection vulnerability via the interface check_ovpn_client_config and check_config.

Action-Not Available
Vendor-gl-inetn/agl-inet
Product-mt3000usb150sft1200xe3000_firmwarear300mar300m16_firmwareb2200xe300x750mt1300e750_firmwaresft1200_firmwaremt300n-v2_firmwarea1300ar300m_firmwaree750b1300_firmwares1300x3000mt3000_firmwarear750sx300b_firmwaren300_firmwarear750xe300_firmwareax1800_firmwares1300_firmwarear300m16n300mv1000_firmwaremt2500_firmwareap1300ar750s_firmwareb2200_firmwarex300bmt1300_firmwaremt2500ax1800a1300_firmwaresf1200_firmwaremv1000w_firmwareap1300_firmwaremt6000_firmwaremv1000mt6000b1300mv1000waxt1800_firmwareusb150_firmwaremt300n-v2xe3000sf1200x3000_firmwarex750_firmwareaxt1800ar750_firmwaren/amv1000_firmwaremt2500_firmwarear750s_firmwareb2200_firmwarear300m16_firmwaregl-mt6000_firmwaremt1300_firmwarea1300_firmwaree750_firmwaresf1200_firmwaresft1200_firmwaremv1000w_firmwaremt300n-v2_firmwareap1300_firmwarex750_firmwarear300m_firmwareb1300_firmwareusb150_firmwaremt3000_firmwarex300b_firmwarexe300_firmwaren300_firmwarex3000_firmwares1300_firmwareax1800_firmwarear750_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-39686
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.18% / 63.93%
||
7 Day CHG~0.00%
Published-22 Jul, 2024 | 15:16
Updated-11 Sep, 2024 | 15:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
fishaudio/Bert-VITS2 Command Injection in webui_preprocess.py bert_gen function

Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the bert_gen function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier.

Action-Not Available
Vendor-fishaudioFishAudiofishaudio
Product-bert-vits2Bert-VITS2bert-vits2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-8665
Matching Score-4
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-4
Assigner-Rapid7, Inc.
CVSS Score-7.7||HIGH
EPSS-0.68% / 47.72%
||
7 Day CHG+0.12%
Published-25 Jun, 2026 | 01:12
Updated-29 Jun, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection in Rapid7 InsightConnect Translate Plugin

OS Command Injection vulnerability in the TR action of Rapid7 InsightConnect Translate Plugin on Linux allows remote attackers to execute arbitrary OS commands via the text or expression parameters due to insufficient input sanitization in shell command construction.

Action-Not Available
Vendor-Linux Kernel Organization, IncRapid7 LLC
Product-linux_kernelinsightconnect_translateInsightConnect TR Plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-50919
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-1.19% / 64.19%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 22:51
Updated-05 Mar, 2026 | 01:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tdarr 2.00.15 - Command Injection

Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal that allows attackers to inject and chain arbitrary commands. Attackers can exploit the lack of input filtering by chaining commands like `--help; curl .py | python` to execute remote code without authentication.

Action-Not Available
Vendor-tdarrTdarr
Product-tdarrTdarr
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-39685
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.12% / 62.11%
||
7 Day CHG~0.00%
Published-22 Jul, 2024 | 15:13
Updated-11 Sep, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
fishaudio/Bert-VITS2 Command Injection in webui_preprocess.py resample function

Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the resample function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier.

Action-Not Available
Vendor-fish.audioFishAudiofishaudio
Product-bert-vits2Bert-VITS2bert-vits2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-50691
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-1.26% / 66.06%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 22:41
Updated-14 May, 2026 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MiniDVBLinux 5.4 Remote Root Command Execution via commands.sh

MiniDVBLinux 5.4 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands as root through the 'command' GET parameter. Attackers can exploit the /tpl/commands.sh endpoint by sending malicious command values to gain root-level system access.

Action-Not Available
Vendor-minidvblinuxMiniDVBLinux
Product-minidvblinuxMiniDVBLinux
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-9475
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-9.3||CRITICAL
EPSS-1.91% / 77.29%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 16:45
Updated-26 May, 2026 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument Comment causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-TOTOLINK
Product-A8000RU
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48122
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.96% / 77.89%
||
7 Day CHG~0.00%
Published-20 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the dayvalid parameter in the setting/delStaticDhcpRules function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-0297
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-3.83% / 88.83%
||
7 Day CHG~0.00%
Published-08 Jan, 2024 | 04:31
Updated-12 May, 2025 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Totolink N200RE cstecgi.cgi UploadFirmwareFile os command injection

A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216 and classified as critical. This issue affects the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249863. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-n200re_firmwaren200reN200RE
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48107
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.11% / 86.21%
||
7 Day CHG~0.00%
Published-27 Jan, 2023 | 00:00
Updated-28 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /setnetworksettings/IPAddress. This vulnerability allows attackers to escalate privileges to root via a crafted payload.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir_878dir_878_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48121
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.96% / 77.89%
||
7 Day CHG~0.00%
Published-20 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the rsabits parameter in the setting/delStaticDhcpRules function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48472
Matching Score-4
Assigner-Huawei Technologies
ShareView Details
Matching Score-4
Assigner-Huawei Technologies
CVSS Score-9.8||CRITICAL
EPSS-1.07% / 60.87%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 12:54
Updated-17 Dec, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Huawei printer has a system command injection vulnerability. Successful exploitation could lead to remote code execution. Affected product versions include:BiSheng-WNM versions OTA-BiSheng-FW-2.0.0.211-beta,BiSheng-WNM FW 3.0.0.325,BiSheng-WNM FW 2.0.0.211.

Action-Not Available
Vendor-Huawei Technologies Co., Ltd.
Product-ota-bisheng_firmwarebisheng-wnm_firmwarebisheng-wnmBiSheng-WNM
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-9543
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-9.3||CRITICAL
EPSS-2.13% / 79.76%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 12:30
Updated-26 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection

A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-TOTOLINK
Product-N300RH
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48124
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.96% / 77.89%
||
7 Day CHG~0.00%
Published-20 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the FileName parameter in the setting/setOpenVpnCertGenerationCfg function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48123
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.96% / 77.89%
||
7 Day CHG~0.00%
Published-20 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the servername parameter in the setting/delStaticDhcpRules function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-47853
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.92% / 77.44%
||
7 Day CHG~0.00%
Published-17 Jan, 2023 | 00:00
Updated-04 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection Vulnerability in the httpd service. An attacker can obtain a stable root shell through a specially constructed payload.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48337
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.60% / 72.90%
||
7 Day CHG~0.00%
Published-20 Feb, 2023 | 00:00
Updated-18 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.

Action-Not Available
Vendor-n/aGNUDebian GNU/Linux
Product-emacsdebian_linuxn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-29390
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-36.67% / 98.31%
||
7 Day CHG~0.00%
Published-30 Nov, 2020 | 17:24
Updated-04 Aug, 2024 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.

Action-Not Available
Vendor-zeroshelln/a
Product-zeroshelln/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48126
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.96% / 77.89%
||
7 Day CHG~0.00%
Published-20 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the username parameter in the setting/setOpenVpnCertGenerationCfg function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48108
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.11% / 86.21%
||
7 Day CHG~0.00%
Published-27 Jan, 2023 | 00:00
Updated-28 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /SetNetworkSettings/SubnetMask. This vulnerability allows attackers to escalate privileges to root via a crafted payload.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir_878dir_878_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-46598
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.29% / 81.12%
||
7 Day CHG~0.00%
Published-30 Dec, 2022 | 00:00
Updated-11 Apr, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TRENDnet TEW755AP 1.13B01 was discovered to contain a command injection vulnerability via the wps_sta_enrollee_pin parameter in the action set_sta_enrollee_pin_5g function.

Action-Not Available
Vendor-n/aTRENDnet, Inc.
Product-tew-755ap_firmwaretew-755apn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-9455
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-9.3||CRITICAL
EPSS-1.91% / 77.29%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 11:45
Updated-26 May, 2026 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Totolink A8000RU Web Management cstecgi.cgi UploadOpenVpnCert os command injection

A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument FileName leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-TOTOLINK
Product-A8000RU
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11138
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-91.93% / 99.81%
||
7 Day CHG~0.00%
Published-31 May, 2018 | 18:00
Updated-05 Nov, 2025 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-15||Apply updates per vendor instructions.

The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-kace_system_management_appliancen/aKACE System Management Appliance
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-46476
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-41.05% / 98.49%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR-859 A1 1.05 was discovered to contain a command injection vulnerability via the service= variable in the soapcgi_main function.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-859_a1dir-859_a1_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-46634
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.05% / 78.91%
||
7 Day CHG~0.00%
Published-15 Dec, 2022 | 00:00
Updated-21 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiWpsCfg function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-4643
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-1.73% / 74.89%
||
7 Day CHG~0.00%
Published-21 Dec, 2022 | 00:00
Updated-03 Aug, 2024 | 01:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
docconv pdf_ocr.go ConvertPDFImages os command injection

A vulnerability was found in docconv up to 1.2.0. It has been declared as critical. This vulnerability affects the function ConvertPDFImages of the file pdf_ocr.go. The manipulation of the argument path leads to os command injection. The attack can be initiated remotely. Upgrading to version 1.2.1 is able to address this issue. The name of the patch is b19021ade3d0b71c89d35cb00eb9e589a121faa5. It is recommended to upgrade the affected component. VDB-216502 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-searchn/a
Product-docconvdocconv
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-46631
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.05% / 78.91%
||
7 Day CHG~0.00%
Published-15 Dec, 2022 | 00:00
Updated-21 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiSignalCfg function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 32
  • 33
  • Next
Details not found