Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-33792

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-03 May, 2024 | 00:00
Updated At-02 Aug, 2024 | 02:36
Rejected At-
Credits

netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary OS commands via a crafted payload to the tracert page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:03 May, 2024 | 00:00
Updated At:02 Aug, 2024 | 02:36
Rejected At:
▼CVE Numbering Authority (CNA)

netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary OS commands via a crafted payload to the tracert page.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/ymkyu/CVE/tree/main/CVE-2024-33792
N/A
Hyperlink: https://github.com/ymkyu/CVE/tree/main/CVE-2024-33792
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
Netis Systems Co., Ltd.netis-systems
Product
mex605
CPEs
  • cpe:2.3:o:netis-systems:mex605:-:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • -
Problem Types
TypeCWE IDDescription
CWECWE-20CWE-20 Improper Input Validation
Type: CWE
CWE ID: CWE-20
Description: CWE-20 Improper Input Validation
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/ymkyu/CVE/tree/main/CVE-2024-33792
x_transferred
Hyperlink: https://github.com/ymkyu/CVE/tree/main/CVE-2024-33792
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:03 May, 2024 | 17:15
Updated At:17 Jun, 2025 | 15:10

netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary OS commands via a crafted payload to the tracert page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Netis Systems Co., Ltd.
netis-systems
>>mex605_firmware>>2.00.06
cpe:2.3:o:netis-systems:mex605_firmware:2.00.06:*:*:*:*:*:*:*
Netis Systems Co., Ltd.
netis-systems
>>mex605>>-
cpe:2.3:h:netis-systems:mex605:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-78Primarynvd@nist.gov
CWE-20Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-78
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-20
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/ymkyu/CVE/tree/main/CVE-2024-33792cve@mitre.org
Exploit
Third Party Advisory
https://github.com/ymkyu/CVE/tree/main/CVE-2024-33792af854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
Hyperlink: https://github.com/ymkyu/CVE/tree/main/CVE-2024-33792
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/ymkyu/CVE/tree/main/CVE-2024-33792
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1704Records found
CVE-2023-25534
Matching Score-4
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-4
Assigner-NVIDIA Corporation
CVSS Score-5.7||MEDIUM
EPSS-0.22% / 44.52%
||
7 Day CHG~0.00%
Published-20 Sep, 2023 | 00:55
Updated-24 Sep, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA DGX H100 BMC contains a vulnerability in IPMI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Action-Not Available
Vendor-NVIDIA Corporation
Product-dgx_h100_firmwaredgx_h100DGX H100 BMC
CWE ID-CWE-20
Improper Input Validation
CVE-2023-26134
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.22% / 44.70%
||
7 Day CHG~0.00%
Published-28 Jun, 2023 | 05:00
Updated-27 Nov, 2024 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo () fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content.

Action-Not Available
Vendor-git-commit-info_projectn/a
Product-git-commit-infogit-commit-info
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-25699
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9||CRITICAL
EPSS-1.44% / 79.90%
||
7 Day CHG+0.38%
Published-03 Apr, 2024 | 12:22
Updated-15 Apr, 2025 | 21:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress VideoWhisper Live Streaming Integration plugin <= 5.5.15 - Remote Code Execution (RCE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in VideoWhisper.Com VideoWhisper Live Streaming Integration allows OS Command Injection.This issue affects VideoWhisper Live Streaming Integration: from n/a through 5.5.15.

Action-Not Available
Vendor-videowhisperVideoWhisper.comvideowhisper
Product-videowhisper_live_streaming_integrationVideoWhisper Live Streaming Integrationlive_streaming_integration_plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-25530
Matching Score-4
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-4
Assigner-NVIDIA Corporation
CVSS Score-8||HIGH
EPSS-0.32% / 54.02%
||
7 Day CHG~0.00%
Published-20 Sep, 2023 | 00:09
Updated-24 Sep, 2024 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA DGX H100 BMC contains a vulnerability in the KVM service, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, and information disclosure.

Action-Not Available
Vendor-NVIDIA Corporation
Product-dgx_h100_firmwaredgx_h100DGX H100 BMCdgx_h100_bmc
CWE ID-CWE-20
Improper Input Validation
CVE-2023-25395
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.58% / 80.84%
||
7 Day CHG~0.00%
Published-08 Mar, 2023 | 00:00
Updated-02 Aug, 2024 | 11:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 router was discovered to contain a command injection vulnerability via the ou parameter at /setting/delStaticDhcpRules.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-33066
Matching Score-4
Assigner-Qualcomm, Inc.
ShareView Details
Matching Score-4
Assigner-Qualcomm, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.16% / 37.91%
||
7 Day CHG~0.00%
Published-07 Oct, 2024 | 12:58
Updated-16 Oct, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation in WLAN Resource Manager

Memory corruption while redirecting log file to any file location with any file name.

Action-Not Available
Vendor-Qualcomm Technologies, Inc.
Product-qcn5024_firmwareqcn9070ipq8173_firmwareqcf8001qcn5124qca4024_firmwareqcn9072qca8082qca8386immersive_home_318_platform_firmwareqxm8083ipq8078aipq5028_firmwareipq6000qcn5152_firmwareqcn9000_firmwareqcn9160ipq9554qcn6024_firmwareqca8386_firmwareipq8076aimmersive_home_316_platform_firmwareimmersive_home_316_platformimmersive_home_216_platformqca8084_firmwareipq8074aimmersive_home_318_platformqcn6412qcn5124_firmwareqca8082_firmwareqcn5164_firmwaresdx55_firmwareqcn5122_firmwareqcn6422_firmwareqcn6023_firmwareqca8081_firmwareipq5010snapdragon_x65_5g_modem-rf_system_firmwareqcn9274ipq8078a_firmwareipq8174ipq5028qcn5052qcf8001_firmwareipq6010qcn6112_firmwareqcn9074qca8085sdx65mqcn6132qcf8000qca8081qcn6023sdx65m_firmwareipq8071aipq5312ipq8071a_firmwareimmersive_home_3210_platformqcn6122qca9888_firmwareqca8085_firmwareipq5300ipq9008_firmwareqcn5154_firmwarecsr8811qcn9100_firmwareipq5010_firmwareipq8074a_firmwareqcn5022_firmwareimmersive_home_216_platform_firmwareqcn9000ipq8072aqcf8000_firmwareipq8076a_firmwareqca8084ipq8078ipq8173ipq9008qcn5164immersive_home_326_platform_firmwareqcn6122_firmwareqcn6402_firmwarecsr8811_firmwareqcn6422ipq9554_firmwareqcn5154qca8075_firmwareqcn5024qca9889qcn6132_firmwareqca9888qcn5052_firmwareqcn9274_firmwareipq8070a_firmwareipq8076_firmwareipq6018_firmwareqcn6112ipq8076qcn9160_firmwareqxm8083_firmwareqcn5152ipq6028qcn9024ipq9574_firmwareimmersive_home_3210_platform_firmwareipq5302qcn9100snapdragon_x65_5g_modem-rf_systemipq5300_firmwareipq8078_firmwareqcn9070_firmwareipq8072a_firmwareipq6028_firmwareqcn6432_firmwareipq5312_firmwareqca9889_firmwareqcn5122ipq9574qcn9024_firmwareipq8174_firmwareqcn6412_firmwareipq5332_firmwareipq5332ipq5302_firmwareimmersive_home_326_platformqcn5022ipq6018ipq6010_firmwareimmersive_home_214_platformimmersive_home_214_platform_firmwareqca4024sdx55qcn9022_firmwareqcn6402qca8075qcn9022qcn6024ipq8070aqcn9072_firmwareipq6000_firmwareqcn9074_firmwareqcn6432Snapdragonqcn5024_firmwareqcf8000_firmwareipq8076a_firmwareipq8173_firmwareimmersive_home_326_platform_firmwareqca4024_firmwareqcn6122_firmwareqcn6402_firmwareimmersive_home_318_platform_firmwarecsr8811_firmwareipq5028_firmwareipq9554_firmwareqca8075_firmwareqcn5152_firmwareqcn6132_firmwareqcn9000_firmwareqcn5052_firmwareqcn9274_firmwareipq8070a_firmwareqcn6024_firmwareipq6018_firmwareipq8076_firmwareimmersive_home_316_platform_firmwareqca8386_firmwareqca8084_firmwareqcn5124_firmwareqcn9160_firmwareqxm8083_firmwareqca8082_firmwareqcn5164_firmwareqcn5122_firmwaresdx55_firmwareqcn6422_firmwareipq9574_firmwareqca8081_firmwareqcn6023_firmwareimmersive_home_3210_platform_firmwaresnapdragon_x65_5g_modem-rf_system_firmwareipq8078a_firmwareipq5300_firmwareipq8078_firmwareqcn9070_firmwareqcf8001_firmwareipq6028_firmwareipq8072a_firmwareqcn6112_firmwareqcn6432_firmwareipq5312_firmwareqca9889_firmwareqcn9024_firmwareipq8174_firmwareqcn6412_firmwareipq5332_firmwareipq5302_firmwaresdx65m_firmwareipq8071a_firmwareqca8085_firmwareqca9888_firmwareipq6010_firmwareipq9008_firmwareqcn5154_firmwareimmersive_home_214_platform_firmwareqcn9022_firmwareqcn9100_firmwareipq5010_firmwareipq8074a_firmwareqcn9072_firmwareipq6000_firmwareqcn9074_firmwareqcn5022_firmwareimmersive_home_216_platform_firmware
CWE ID-CWE-20
Improper Input Validation
CVE-2022-22140
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.6||CRITICAL
EPSS-4.94% / 89.23%
||
7 Day CHG~0.00%
Published-05 Aug, 2022 | 21:11
Updated-15 Apr, 2025 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An os command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.

Action-Not Available
Vendor-TCL
Product-linkhub_mesh_wifi_ac1200LinkHub Mesh Wifi
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2009-4491
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.02% / 88.01%
||
7 Day CHG~0.00%
Published-13 Jan, 2010 | 00:00
Updated-07 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

thttpd 2.25b0 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Action-Not Available
Vendor-acmen/athttpd
Product-thttpdn/athttpd_http_server
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-20
Improper Input Validation
CVE-2023-24467
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-8.8||HIGH
EPSS-0.95% / 75.45%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 15:34
Updated-10 Apr, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possible Command Injection in OpenText iManager

Possible Command Injection in iManager GET parameter has been discovered in OpenText™ iManager 3.2.6.0000.

Action-Not Available
Vendor-Open Text CorporationMicro Focus International Limited
Product-imanageriManagerimanager
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-25279
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-72.10% / 98.69%
||
7 Day CHG~0.00%
Published-13 Mar, 2023 | 00:00
Updated-03 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-820l_firmwaredir-820ln/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2009-4488
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.02% / 86.08%
||
7 Day CHG~0.00%
Published-13 Jan, 2010 | 20:00
Updated-21 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Varnish 2.0.6 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. NOTE: the vendor disputes the significance of this report, stating that "This is not a security problem in Varnish or any other piece of software which writes a logfile. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely.

Action-Not Available
Vendor-varnish.projects.linpron/a
Product-varnishn/a
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CWE ID-CWE-20
Improper Input Validation
CVE-2020-19527
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.52%
||
7 Day CHG~0.00%
Published-10 Dec, 2020 | 21:06
Updated-04 Aug, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.

Action-Not Available
Vendor-idreamsoftn/a
Product-icmsn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-25280
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.59% / 99.83%
||
7 Day CHG~0.00%
Published-16 Mar, 2023 | 00:00
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-10-21||The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.

OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir820la1dir820la1_firmwaren/adir820la1_firmwareDIR-820 Router
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-24762
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.70% / 81.55%
||
7 Day CHG~0.00%
Published-13 Mar, 2023 | 00:00
Updated-03 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS Command injection vulnerability in D-Link DIR-867 DIR_867_FW1.30B07 allows attackers to execute arbitrary commands via a crafted LocalIPAddress parameter for the SetVirtualServerSettings to HNAP1.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-867_firmwaredir-867n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-3739
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-1.12% / 77.36%
||
7 Day CHG~0.00%
Published-13 Apr, 2024 | 18:31
Updated-21 Aug, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
cym1102 nginxWebUI upload os command injection

A vulnerability classified as critical was found in cym1102 nginxWebUI up to 3.9.9. This vulnerability affects unknown code of the file /adminPage/main/upload. The manipulation of the argument file leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-260578 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-nginxWebUI (cym1102)
Product-nginxwebuinginxWebUInginxwebui
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-2479
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-93.16% / 99.79%
||
7 Day CHG~0.00%
Published-02 May, 2023 | 00:00
Updated-30 Jan, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection in appium/appium-desktop

OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4.

Action-Not Available
Vendor-Appium (OpenJS Foundation)
Product-appium-desktopappium/appium-desktop
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-25313
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.37% / 79.46%
||
7 Day CHG~0.00%
Published-25 Apr, 2023 | 00:00
Updated-03 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the video link field to the Embed a video link feature.

Action-Not Available
Vendor-wwbnn/a
Product-avideon/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-24033
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.27%
||
7 Day CHG~0.00%
Published-13 Mar, 2023 | 00:00
Updated-03 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Samsung Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T512 baseband modem chipsets do not properly check format types specified by the Session Description Protocol (SDP) module, which can lead to a denial of service.

Action-Not Available
Vendor-n/aSamsung
Product-exynos_modem_5123_firmwareexynos_modem_5123exynos_980_firmwareexynos_auto_t5123_firmwareexynos_modem_5300exynos_modem_5300_firmwareexynos_1080exynos_auto_t5123exynos_1080_firmwareexynos_980n/a
CWE ID-CWE-20
Improper Input Validation
CVE-2023-23560
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.89% / 74.59%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation.

Action-Not Available
Vendor-n/aLexmark International, Inc.
Product-xm7355_firmwarexc8163_firmwaremx321cx431_firmwaremx521_firmwarems823_firmwarecx923_firmwarecx860b2442_firmwaremx822mb2546ms826_firmwareb2442ms521_firmwarexm3142cs927xc6152_firmwaremx721ms826cx920mc2425m1242_firmwarec2326_firmwarexc4153_firmwarexc9335_firmwarems821ms822xc4342ms821_firmwaremx822_firmwarec2325xc4150_firmwarexm1246_firmwarecx923mx721_firmwarexm7355b2865cx622c4150_firmwarexc4240mc2640_firmwarecx820_firmwareb3340_firmwarecs439cx421_firmwaremx722xm1242_firmwaremx421mx722_firmwarecx924xc2235_firmwaremb2770xm3250_firmwarexc9445mx431xc9265_firmwaremx432_firmwarec2535_firmwaremx622c9235mc3326_firmwarexm7370cs331cx522_firmwaremc3224mx826cx860_firmwarexm7370_firmwarems622_firmwarecx725_firmwaremx421_firmwarecx825_firmwarexc8155c2326mc2535mc2325_firmwaremb2236xc2326cs827m1342mx321_firmwarecs421_firmwarexc8160cx924_firmwarecs921_firmwaremc3224_firmwarexc2235cs521mx522_firmwarexm1246mb2236_firmwarecx727ms321_firmwareb2236_firmwarems621xc4140c3326b2650xm3142_firmwarexc9455_firmwarecx727_firmwarecs820_firmwarexc4143ms825mb2650_firmwarecx944_firmwarexc9445_firmwarems825_firmwarexc9235_firmwarexc9255_firmwarexc8155_firmwareb3340mx931_firmwarems431xc9245_firmwarecx421b2236ms321cs725xc4352xc9255cs725_firmwarems331_firmwarems431_firmwarecx820cs728_firmwarexc9245xc8160_firmwarecx825xc6153_firmwarems823mc2535_firmwarecs923_firmwaremb3442cs622cx622_firmwarecx431b2650_firmwaremx826_firmwarecx921_firmwarec3326_firmwarexc4140_firmwaremc3426_firmwarecs727_firmwarems622xm3250cx922mx521cx725xc4153c6160_firmwaremb2442mx931xm1342_firmwarexc4352_firmwaremb2650c2240_firmwarecx522xc6152xc9335xc9465mb3442_firmwarexc4150b3442m5255_firmwarecs927_firmwarexm5365mx331xm1342b2865_firmwareb2338cx625_firmwarem5255mb2338_firmwarecs720cx921cs827_firmwarexc4240_firmwarecs521_firmwarec6160cs431_firmwarexc9455xm5365_firmwarec2425xc6153c3426cs923m3250_firmwaremx622_firmwarem3250cs431m1342_firmwarexc9465_firmwarec2425_firmwarem5270_firmwarecs439_firmwarems822_firmwarecx944ms725xc8163mc2325b2546ms331m1246_firmwarecx922_firmwaremx331_firmwarexc9235xm1242mb2442_firmwarecs820ms621_firmwarecs728cs421cs622_firmwarec9235_firmwaremb2546_firmwaremc2640cx331xc9225c3224_firmwarem5270mx432b3442_firmwaremx522cs331_firmwarecx331_firmwaremc2425_firmwarecx625c2240cx920_firmwaremc3326mx431_firmwarems421xc9265cs921c3224cs727ms725_firmwarems421_firmwaremb2770_firmwaremc3426m1246xc4143_firmwarec2535b2338_firmwaremb2338xc2326_firmwarexc9225_firmwarec2325_firmwarexc4342_firmwarem1242cs720_firmwareb2546_firmwarec4150ms521c3426_firmwaren/a
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-36491
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.71% / 71.29%
||
7 Day CHG+0.09%
Published-17 Jul, 2024 | 08:50
Updated-08 Apr, 2025 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. allow an administrative user to execute an arbitrary OS command, obtain and/or alter sensitive information, and cause a denial-of-service (DoS) condition.

Action-Not Available
Vendor-centurysysCentury Systems Co., Ltd.centurysys
Product-futurenet_nxr-g110_firmwarefuturenet_nxr-120\/c_firmwarefuturenet_nxr-1200futurenet_nxr-1200_firmwarefuturenet_nxr-g060_firmwarefuturenet_nxr-530futurenet_nxr-350\/c_firmwarefuturenet_nxr-230\/cfuturenet_nxr-610x_firmwarefuturenet_nxr-160\/lw_firmwarefuturenet_nxr-230\/c_firmwarefuturenet_nxr-350\/cfuturenet_nxr-125\/cx_firmwarefuturenet_nxr-650_firmwarefuturenet_nxr-155\/c_firmwarefuturenet_vxr-x86futurenet_nxr-160\/lwfuturenet_nxr-g180\/l-ca_firmwarefuturenet_nxr-g180\/l-cafuturenet_nxr-g100_firmwarefuturenet_nxr-g120_firmwarefuturenet_nxr-530_firmwarefuturenet_nxr-1300_firmwarefuturenet_nxr-120\/cfuturenet_wxr-250_firmwarefuturenet_nxr-g050_firmwarefuturenet_nxr-130\/c_firmwarefuturenet_wxr-250futurenet_nxr-g200_firmwarefuturenet_vxr-x64futurenet_nxr-130\/cFutureNet NXR-610X seriesFutureNet NXR-G180/L-CAFutureNet NXR-G120 seriesFutureNet NXR-230/CFutureNet NXR-1200FutureNet VXR/x64FutureNet WXR-250FutureNet NXR-120/CFutureNet NXR-1300 seriesFutureNet VXR/x86FutureNet NXR-125/CXFutureNet NXR-130/CFutureNet NXR-G100 seriesFutureNet NXR-160/LWFutureNet NXR-G050 seriesFutureNet NXR-650FutureNet NXR-G110 seriesFutureNet NXR-350/CFutureNet NXR-G200 seriesFutureNet NXR-G060 seriesFutureNet NXR-155/C seriesFutureNet NXR-530futurenet_nxr-125\/cx_firmwarefuturenet_nxr-1200_firmwarefuturenet_nxr-g120_firmwarefuturenet_nxr-610x_firmwarefuturenet_nxr-130\/c_firmwarefuturenet_nxr-g110_firmwarefuturenet_nxr-1300_firmwarefuturenet_nxr-155\/c_firmwarefuturenet_nxr-650_firmwarefuturenet_wxr-250_firmwarefuturenet_nxr-g060_firmwarefuturenet_nxr-120\/c_firmwarefuturenet_nxr-g180\/l-ca_firmwarefuturenet_nxr-g050_firmwarefuturenet_nxr-160\/lw_firmwarefuturenet_nxr-230\/c_firmwarefuturenet_nxr-g100_firmwarefuturenet_nxr-g200_firmwarefuturenet_vxr\/x64_firmwarefuturenet_nxr-350\/c_firmwarefuturenet_vxr\/x86_firmwarefuturenet_nxr-530_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-23397
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.58% / 99.83%
||
7 Day CHG-0.09%
Published-14 Mar, 2023 | 16:55
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-04-04||Apply updates per vendor instructions.
Microsoft Outlook Elevation of Privilege Vulnerability

Microsoft Outlook Elevation of Privilege Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-office_long_term_servicing_channel365_appsoutlookofficeMicrosoft Office 2019Microsoft Office LTSC 2021Microsoft Outlook 2013 Service Pack 1Microsoft 365 Apps for EnterpriseMicrosoft Outlook 2016Office
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-294
Authentication Bypass by Capture-replay
CVE-2023-23076
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-60.54% / 98.22%
||
7 Day CHG~0.00%
Published-01 Feb, 2023 | 00:00
Updated-27 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_supportcenter_plusn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-1946
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-2.01% / 82.95%
||
7 Day CHG~0.00%
Published-25 Mar, 2021 | 09:20
Updated-13 Feb, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache SpamAssassin has an OS Command Injection vulnerability

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Action-Not Available
Vendor-Debian GNU/LinuxFedora ProjectThe Apache Software Foundation
Product-debian_linuxspamassassinfedoraApache SpamAssassin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2013-2060
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-22.01% / 95.56%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 15:57
Updated-06 Aug, 2024 | 15:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The download_from_url function in OpenShift Origin allows remote attackers to execute arbitrary commands via shell metacharacters in the URL of a request to download a cart.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openshiftOpenShift Origin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-21935
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.34% / 86.78%
||
7 Day CHG~0.00%
Published-21 Jul, 2021 | 13:24
Updated-04 Aug, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in HNAP1/GetNetworkTomographySettings of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to execute arbitrary code.

Action-Not Available
Vendor-n/aMotorola Mobility LLC. (Lenovo Group Limited)
Product-cx2_firmwarecx2n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-23368
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-3.56% / 87.25%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 16:34
Updated-27 Feb, 2025 | 20:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqutscloudqtsQuTS heroQuTScloudQTS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-23325
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.80% / 73.13%
||
7 Day CHG~0.00%
Published-29 Nov, 2023 | 00:00
Updated-26 Nov, 2024 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain a command injection vulnerability via the NetHostname parameter.

Action-Not Available
Vendor-zumtobeln/a
Product-netlink_ccdnetlink_ccd_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-21937
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.07% / 91.78%
||
7 Day CHG~0.00%
Published-21 Jul, 2021 | 13:24
Updated-04 Aug, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An command injection vulnerability in HNAP1/SetWLanApcliSettings of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to execute arbitrary system commands.

Action-Not Available
Vendor-n/aMotorola Mobility LLC. (Lenovo Group Limited)
Product-cx2_firmwarecx2n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-36061
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.77% / 72.52%
||
7 Day CHG+0.07%
Published-11 Nov, 2024 | 00:00
Updated-12 Nov, 2024 | 17:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

EnGenius EWS356-FIT devices through 1.1.30 allow blind OS command injection. This allows an attacker to execute arbitrary OS commands via shell metacharacters to the Ping and Speed Test utilities.

Action-Not Available
Vendor-n/aengenius
Product-n/aews356_fit
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-22515
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-9.8||CRITICAL
EPSS-94.36% / 99.96%
||
7 Day CHG~0.00%
Published-04 Oct, 2023 | 14:00
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-10-13||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Check all affected Confluence instances for evidence of compromise per vendor instructions and report any positive findings to CISA.

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Action-Not Available
Vendor-Atlassian
Product-confluence_serverconfluence_data_centerConfluence Data CenterConfluence Serverconfluence_serverconfluence_data_centerConfluence Data Center and Server
CWE ID-CWE-20
Improper Input Validation
CVE-2023-22581
Matching Score-4
Assigner-Dutch Institute for Vulnerability Disclosure (DIVD)
ShareView Details
Matching Score-4
Assigner-Dutch Institute for Vulnerability Disclosure (DIVD)
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 28.01%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 08:14
Updated-11 Mar, 2025 | 13:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
White Rabbit Switch - Unauthenticated remote code execution

White Rabbit Switch contains a vulnerability which makes it possible for an attacker to perform system commands under the context of the web application (the default installation makes the webserver run as the root user).

Action-Not Available
Vendor-home.cernCERN
Product-white_rabbit_switchwhite_rabbit_switch_firmwareWhite Rabbit Switch
CWE ID-CWE-20
Improper Input Validation
CVE-2024-7207
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.04% / 12.00%
||
7 Day CHG~0.00%
Published-19 Sep, 2024 | 22:17
Updated-30 Sep, 2024 | 19:03
Rejected-30 Sep, 2024 | 19:03
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Duplicate of CVE-2024-45806.

Action-Not Available
Vendor-envoyproxyRed Hat, Inc.
Product-envoyopenshift_service_mesh
CWE ID-CWE-20
Improper Input Validation
CVE-2024-36394
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-9.1||CRITICAL
EPSS-0.21% / 43.25%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 08:20
Updated-02 Aug, 2024 | 03:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Action-Not Available
Vendor-SysAid Technologies Ltd.
Product-sysaidSysAidsysaid
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-22279
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.79% / 72.95%
||
7 Day CHG~0.00%
Published-17 Jan, 2023 | 00:00
Updated-04 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allow a remote unauthenticated attacker to execute an arbitrary OS command.

Action-Not Available
Vendor-ate-mahorobaMahoroba Kobo, Inc.
Product-maho-pbx_netdevancer_mobilegate_firmwaremaho-pbx_netdevancer_mobilegatemaho-pbx_netdevancer_firmwaremaho-pbx_netdevancermaho-pbx_netdevancer_vsg_firmwaremaho-pbx_netdevancer_vsgMAHO-PBX NetDevancer series
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-54135
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.06% / 18.11%
||
7 Day CHG+0.01%
Published-05 Aug, 2025 | 00:11
Updated-25 Aug, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cursor Agent is vulnerable to prompt injection via MCP Special Files

Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9, If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.

Action-Not Available
Vendor-anyspherecursor
Product-cursorcursor
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2023-21631
Matching Score-4
Assigner-Qualcomm, Inc.
ShareView Details
Matching Score-4
Assigner-Qualcomm, Inc.
CVSS Score-7.5||HIGH
EPSS-0.07% / 22.94%
||
7 Day CHG~0.00%
Published-04 Jul, 2023 | 04:46
Updated-11 Aug, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation in Modem

Weak Configuration due to improper input validation in Modem while processing LTE security mode command message received from network.

Action-Not Available
Vendor-Qualcomm Technologies, Inc.
Product-snapdragon_wear_3100_firmwaresw5100papq8017sd865_5gwcd9335snapdragon_8\+_gen_1wcd9370qca8081_firmwaresnapdragon_429_firmwareqca4004qca6696wcd9340_firmwaresnapdragon_430_firmwarewcd9341_firmwareqcn6024qca6426sc8180x-absnapdragon_auto_4gwcn6740_firmwarefastconnect_6700wcn3610snapdragon_208_firmwaresnapdragon_695_5gsnapdragon_888_5gwsa8832_firmwareqca8337qca6426_firmwaresnapdragon_4_gen_2_firmwareqca6574au_firmwarewcd9341snapdragon_wear_1300qca6574auwsa8810_firmwaresnapdragon_429csra6640sc8180x-af_firmwaremsm8209_firmwaresnapdragon_690_5gsnapdragon_778g\+_5g_firmwaresnapdragon_865\+_5gsnapdragon_765_5gwcn3660b_firmwarefastconnect_6800_firmwaresnapdragon_x24_firmwaresnapdragon_865\+_5g_firmwaresnapdragon_855\+\/860qcn6024_firmwaresnapdragon_x65_5gsnapdragon_636_firmwaresnapdragon_888\+_5g_firmwarec-v2x_9150snapdragon_x50_5gsnapdragon_xr2_5g_firmwaremsm81089205sc8180xp-acsnapdragon_765g_5g_firmwaresnapdragon_660_firmwaresnapdragon_4_gen_2fastconnect_6900wcd9385_firmwareqca6421snapdragon_778g_5gwcd9360snapdragon_x70_firmwareqcs4490snapdragon_662_firmwaresc8180xp-afsnapdragon_x50_5g_firmwaresnapdragon_x24snapdragon_wear_3100qca6421_firmwaresc8180x-adqca6564au_firmwarewsa8810205snapdragon_855_firmware315_5g_firmwareqca6595ausm7315_firmwaresnapdragon_865_5g_firmwaresnapdragon_wear_2500wcd9326_firmwareqcs8550_firmwareqca6436_firmwaresc8180x-afqcs4490_firmwarewcn3910_firmwareqts110snapdragon_680_4gqca6420wcn3910snapdragon_212_firmwarewcd9370_firmwarecsrb31024snapdragon_480\+_5g_firmwaresnapdragon_765_5g_firmwarewcn3660bqca6574awcn3620_firmwareqca6174asnapdragon_695_5g_firmwaresnapdragon_750g_5g_firmwarewcd9340qcm2290sc8180xp-aa_firmwareqcm6490215snapdragon_x55_5g_firmwarewcn3988qcn9024qca6430_firmwaresc8180x-aasnapdragon_439_firmwaresdx57msmart_audio_400qcn9024_firmwaresc8180xp-ac_firmwarewcd9326qcm2290_firmwareqca6564asnapdragon_wear_2100_firmwarewsa8830snapdragon_870_5g_firmwaresnapdragon_x65_5g_firmwaresnapdragon_wear_2100sc8180x\+sdx55_firmwaresnapdragon_888\+_5gar8035snapdragon_208wcn3620qcm4325snapdragon_782gsc8180x\+sdx55wcn3950_firmwareqca6698aqfastconnect_6200sc8180x-aa_firmwarewcn3680bsm7325p_firmwarewcd9360_firmwaresnapdragon_210_firmwaresnapdragon_630snapdragon_430fastconnect_6700_firmwaresnapdragon_768g_5gvideo_collaboration_vc3_platform_firmwarewcn3990snapdragon_778g_5g_firmwaresnapdragon_780g_5gqcs6490snapdragon_210snapdragon_778g\+_5gfastconnect_6200_firmwarewsa8830_firmwareqca6431sd660_firmwaresnapdragon_7c\+_gen_3wsa8832sdx57m_firmwaresxr2130_firmwarear8035_firmwaresnapdragon_680_4g_firmwaremsm8608_firmwaresd888_firmwaresnapdragon_630_firmwaremsm8209snapdragon_439wcd9306qca6564ausnapdragon_460snapdragon_636snapdragon_wear_1300_firmwaresc8180xp-adwsa8815_firmwaresnapdragon_865_5gqca8337_firmwaresnapdragon_665_firmwaresnapdragon_auto_4g_firmwareqcm4290snapdragon_480_5g_firmwaresnapdragon_4_gen_1_firmwaresd_455_firmwaremsm8608snapdragon_685_4gqca9377_firmwareqcm6490_firmwaresnapdragon_w5\+_gen_1snapdragon_665sm7250p_firmware205_firmwareqcm4490_firmwarewcn3950snapdragon_690_5g_firmwareqca4004_firmwareapq8037smart_audio_400_firmwaresnapdragon_460_firmwaresmart_audio_200_firmwaresd_455snapdragon_auto_5g_firmwaresm7250pcsrb31024_firmwaresnapdragon_768g_5g_firmwaresc8180x-ad_firmwaresd888snapdragon_wear_2500_firmwaresw5100_firmwarewcn6740fastconnect_6800snapdragon_662fastconnect_7800_firmwaresnapdragon_855\+\/860_firmwarefastconnect_6900_firmwaresc8180xp-aaapq8017_firmwarewcd93809205_firmwaresmart_audio_200snapdragon_xr2_5g215_firmwaresnapdragon_888_5g_firmwaresnapdragon_765g_5gsw5100video_collaboration_vc3_platformaqt1000wcd9306_firmwarec-v2x_9150_firmwaresnapdragon_x70sd855qca6431_firmwaresnapdragon_8_gen_1_firmwaresc8180x-ab_firmwarewcn3990_firmwaresm7315snapdragon_750g_5gqca6698aq_firmwareqcs2290qca6564a_firmwarewcd9385msm8909w_firmwareqcs2290_firmwaresc8180xp-ab_firmwarewcn3615wcn3610_firmwaresnapdragon_8_gen_1qcs4290sc8180xp-abqca6430snapdragon_782g_firmwaresnapdragon_855sdx55_firmwaresnapdragon_x55_5gsc8180xp-ad_firmwarewcn3615_firmwaresxr2130msm8108_firmwareqcm4490snapdragon_4_gen_1snapdragon_870_5gcsra6640_firmwaresnapdragon_480\+_5gqca6174a_firmwaresnapdragon_685_4g_firmwaresm7325papq8037_firmwareqca6420_firmwareaqt1000_firmwareqcs6490_firmwaresnapdragon_480_5gsd855_firmwarewcd9335_firmwarewcn3980_firmwareqca6436sc8180x-acwsa8835qca6595au_firmwareqca6391_firmwaresc8180x-ac_firmwaresw5100p_firmwareqca6696_firmwareqcs4290_firmwarewcd9380_firmwarecsra6620qca8081sd660mdm9628wsa8815sg4150pqca9377snapdragon_auto_5gmdm9628_firmwareqcm4325_firmwaresnapdragon_660qca6574a_firmwaresdx55qcm4290_firmwaresnapdragon_8\+_gen_1_firmwarewcd9375_firmwaresnapdragon_7c\+_gen_3_firmware315_5gqca6391snapdragon_w5\+_gen_1_firmwareqts110_firmwaresg4150p_firmwaresnapdragon_780g_5g_firmwaresc8180xp-af_firmwarecsra6620_firmwareqcs8550fastconnect_7800sd865_5g_firmwaresnapdragon_425_firmwarewcd9375wcn3988_firmwaresnapdragon_212wsa8835_firmwarewcn3980msm8909wsnapdragon_425wcn3680b_firmwareSnapdragon
CWE ID-CWE-20
Improper Input Validation
CVE-2023-21504
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-5.6||MEDIUM
EPSS-0.57% / 67.65%
||
7 Day CHG~0.00%
Published-04 May, 2023 | 00:00
Updated-12 Feb, 2025 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Potential buffer overflow vulnerability in mm_Plmncoordination.c in Shannon baseband prior to SMR May-2023 Release 1 allows remote attackers to cause invalid memory access.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-androidSamsung Mobile Devices
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2023-21554
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.8||CRITICAL
EPSS-92.16% / 99.70%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 19:13
Updated-23 Jan, 2025 | 01:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_21h2windows_10_1809windows_server_2016windows_server_2012windows_server_2008windows_11_21h2windows_10_22h2windows_server_2022windows_10_20h2windows_11_22h2windows_server_2019windows_10_1607Windows Server 2012 R2 (Server Core installation)Windows 10 Version 22H2Windows Server 2016Windows 10 Version 20H2Windows Server 2012 (Server Core installation)Windows 10 Version 21H2Windows Server 2012 R2Windows Server 2008 Service Pack 2Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2008 Service Pack 2 (Server Core installation)Windows 10 Version 1607Windows 11 version 22H2Windows Server 2022Windows 11 version 21H2Windows 10 Version 1507Windows Server 2012Windows Server 2016 (Server Core installation)Windows 10 Version 1809Windows Server 2019Windows Server 2008 Service Pack 2Windows Server 2008 R2 Service Pack 1Windows Server 2019 (Server Core installation)
CWE ID-CWE-20
Improper Input Validation
CVE-2024-33434
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.21% / 88.30%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 00:00
Updated-02 Aug, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in tiagorlampert CHAOS before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the `filename` argument into the `buildStr` string without any sanitization or filtering.

Action-Not Available
Vendor-n/atiagorlampert
Product-n/achaos
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-16846
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.39% / 99.97%
||
7 Day CHG~0.00%
Published-06 Nov, 2020 | 07:27
Updated-30 Jul, 2025 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

Action-Not Available
Vendor-saltstackn/aSaltStackopenSUSEFedora ProjectDebian GNU/Linux
Product-debian_linuxleapsaltfedoran/aSalt
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-2131
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-10||CRITICAL
EPSS-0.79% / 72.93%
||
7 Day CHG~0.00%
Published-20 Apr, 2023 | 20:40
Updated-16 Jan, 2025 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2023-2131

Versions of INEA ME RTU firmware prior to 3.36 are vulnerable to OS command injection, which could allow an attacker to remotely execute arbitrary code.

Action-Not Available
Vendor-ineaINEA
Product-me_rtume_rtu_firmwareME RTU
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-18685
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.94%
||
7 Day CHG~0.00%
Published-30 Sep, 2021 | 01:18
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of unchecked prerequisites related to TCP or UDP ports, or group or table IDs.

Action-Not Available
Vendor-n/aAtlassian
Product-floodlightn/a
CWE ID-CWE-20
Improper Input Validation
CVE-2023-21503
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-5.6||MEDIUM
EPSS-0.57% / 67.65%
||
7 Day CHG~0.00%
Published-04 May, 2023 | 00:00
Updated-12 Feb, 2025 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Potential buffer overflow vulnerability in mm_LteInterRatManagement.c in Shannon baseband prior to SMR May-2023 Release 1 allows remote attackers to cause invalid memory access.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-androidexynosSamsung Mobile Devices
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2020-18683
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.94%
||
7 Day CHG~0.00%
Published-30 Sep, 2021 | 01:20
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of undefined fields mishandling.

Action-Not Available
Vendor-n/aAtlassian
Product-floodlightn/a
CWE ID-CWE-20
Improper Input Validation
CVE-2020-17368
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.49% / 88.68%
||
7 Day CHG~0.00%
Published-11 Aug, 2020 | 15:59
Updated-04 Aug, 2024 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection.

Action-Not Available
Vendor-firejail_projectn/aDebian GNU/LinuxopenSUSEFedora Project
Product-firejaildebian_linuxfedoraleapn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-21494
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-5.6||MEDIUM
EPSS-0.78% / 72.81%
||
7 Day CHG~0.00%
Published-04 May, 2023 | 00:00
Updated-12 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Potential buffer overflow vulnerability in auth api in mm_Authentication.c in Shannon baseband prior to SMR May-2023 Release 1 allows remote attackers to cause invalid memory access.

Action-Not Available
Vendor-Samsung ElectronicsSamsung
Product-androidexynosSamsung Mobile Devices
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2020-15920
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.93% / 99.87%
||
7 Day CHG~0.00%
Published-24 Jul, 2020 | 00:58
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is an OS Command Injection in Mida eFramework through 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. No authentication is required.

Action-Not Available
Vendor-midasolutionsn/a
Product-eframeworkn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-32850
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.67% / 81.38%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 01:33
Updated-02 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in a command ('Command Injection') exists in SkyBridge MB-A100/MB-A110 firmware Ver. 4.2.2 and earlier and SkyBridge BASIC MB-A130 firmware Ver. 1.5.5 and earlier. If the remote monitoring and control function is enabled on the product, an attacker with access to the product may execute an arbitrary command or login to the product with the administrator privilege.

Action-Not Available
Vendor-Seiko Solutions Inc.seiko-sol
Product-SkyBridge BASIC MB-A130SkyBridge MB-A100/MB-A110skybridge_mb-a110_firmwareskybridge_basic_mb-a130_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-17479
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.63% / 69.44%
||
7 Day CHG~0.00%
Published-10 Aug, 2020 | 19:20
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jpv (aka Json Pattern Validator) before 2.2.2 does not properly validate input, as demonstrated by a corrupted array.

Action-Not Available
Vendor-json_pattern_validator_projectn/a
Product-json_pattern_validatorn/a
CWE ID-CWE-20
Improper Input Validation
CVE-2024-3191
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-9.8||CRITICAL
EPSS-2.45% / 84.58%
||
7 Day CHG~0.00%
Published-29 Apr, 2024 | 06:21
Updated-11 Apr, 2025 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MailCleaner Email os command injection

A vulnerability, which was classified as critical, has been found in MailCleaner up to 2023.03.14. This issue affects some unknown processing of the component Email Handler. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-262307.

Action-Not Available
Vendor-mailcleanern/amailcleaner
Product-mailcleanerMailCleanermailcleaner
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 34
  • 35
  • Next
Details not found