Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-14107

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-05 Dec, 2025 | 21:32
Updated At-16 Dec, 2025 | 07:53
Rejected At-
Credits

ZSPACE Q2C NAS HTTP POST Request status zfilev2_api.SafeStatus command injection

A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:05 Dec, 2025 | 21:32
Updated At:16 Dec, 2025 | 07:53
Rejected At:
â–¼CVE Numbering Authority (CNA)
ZSPACE Q2C NAS HTTP POST Request status zfilev2_api.SafeStatus command injection

A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Affected Products
Vendor
ZSPACE
Product
Q2C NAS
Modules
  • HTTP POST Request Handler
Versions
Affected
  • 1.1.0210050
Problem Types
TypeCWE IDDescription
CWECWE-77Command Injection
CWECWE-74Injection
Type: CWE
CWE ID: CWE-77
Description: Command Injection
Type: CWE
CWE ID: CWE-74
Description: Injection
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C
3.08.8HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C
2.09.0N/A
AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:C
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C
Version: 3.0
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C
Version: 2.0
Base score: 9.0
Base severity: N/A
Vector:
AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
renguangyue (VulDB User)
Timeline
EventDate
Advisory disclosed2025-12-05 00:00:00
VulDB entry created2025-12-05 01:00:00
VulDB entry last update2025-12-16 08:57:46
Event: Advisory disclosed
Date: 2025-12-05 00:00:00
Event: VulDB entry created
Date: 2025-12-05 01:00:00
Event: VulDB entry last update
Date: 2025-12-16 08:57:46
Replaced By

Rejected Reason

References
HyperlinkResource
https://vuldb.com/?id.334489
vdb-entry
technical-description
https://vuldb.com/?ctiid.334489
signature
permissions-required
https://vuldb.com/?submit.697143
third-party-advisory
https://www.notion.so/2af6cf4e528a8001935bcdd9e77f1ebc
exploit
Hyperlink: https://vuldb.com/?id.334489
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/?ctiid.334489
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/?submit.697143
Resource:
third-party-advisory
Hyperlink: https://www.notion.so/2af6cf4e528a8001935bcdd9e77f1ebc
Resource:
exploit
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:05 Dec, 2025 | 22:15
Updated At:16 Dec, 2025 | 08:15

A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.4HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary2.09.0HIGH
AV:N/AC:L/Au:S/C:C/I:C/A:C
Type: Secondary
Version: 4.0
Base score: 7.4
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 2.0
Base score: 9.0
Base severity: HIGH
Vector:
AV:N/AC:L/Au:S/C:C/I:C/A:C
CPE Matches

zspace
zspace
>>q2c_nas_firmware>>Versions up to 1.1.0210050(inclusive)
cpe:2.3:o:zspace:q2c_nas_firmware:*:*:*:*:*:*:*:*
zspace
zspace
>>q2c_nas>>-
cpe:2.3:h:zspace:q2c_nas:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-74Secondarycna@vuldb.com
CWE-77Secondarycna@vuldb.com
CWE-77Primarynvd@nist.gov
CWE ID: CWE-74
Type: Secondary
Source: cna@vuldb.com
CWE ID: CWE-77
Type: Secondary
Source: cna@vuldb.com
CWE ID: CWE-77
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://vuldb.com/?ctiid.334489cna@vuldb.com
Permissions Required
VDB Entry
https://vuldb.com/?id.334489cna@vuldb.com
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.697143cna@vuldb.com
Third Party Advisory
VDB Entry
https://www.notion.so/2af6cf4e528a8001935bcdd9e77f1ebccna@vuldb.com
Exploit
Third Party Advisory
Hyperlink: https://vuldb.com/?ctiid.334489
Source: cna@vuldb.com
Resource:
Permissions Required
VDB Entry
Hyperlink: https://vuldb.com/?id.334489
Source: cna@vuldb.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://vuldb.com/?submit.697143
Source: cna@vuldb.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://www.notion.so/2af6cf4e528a8001935bcdd9e77f1ebc
Source: cna@vuldb.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1292Records found

CVE-2025-5670
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.98%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 17:00
Updated-06 Jun, 2025 | 19:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Medical Card Generation System manage-card.php sql injection

A vulnerability, which was classified as critical, has been found in PHPGurukul Medical Card Generation System 1.0. This issue affects some unknown processing of the file /admin/manage-card.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-medical_card_generation_systemMedical Card Generation System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5669
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.98%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 16:31
Updated-06 Jun, 2025 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Medical Card Generation System unreadenq.php sql injection

A vulnerability classified as critical was found in PHPGurukul Medical Card Generation System 1.0. This vulnerability affects unknown code of the file /admin/unreadenq.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-medical_card_generation_systemMedical Card Generation System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-38556
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-13.04% / 95.87%
||
7 Day CHG~0.00%
Published-24 Aug, 2021 | 12:33
Updated-04 Aug, 2024 | 01:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.

Action-Not Available
Vendor-raspapn/a
Product-raspapn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-1059
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.76% / 50.74%
||
7 Day CHG~0.00%
Published-27 Feb, 2023 | 11:08
Updated-27 Sep, 2025 | 00:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Doctors Appointment System Parameter doctors.php sql injection

A vulnerability classified as critical was found in SourceCodester Doctors Appointment System 1.0. This vulnerability affects unknown code of the file /admin/doctors.php of the component Parameter Handler. The manipulation of the argument search/id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-SourceCodesteroretnom23
Product-doctors_appointment_systemDoctors Appointment Systemdoctors_appointment_system
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-57201
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.26% / 93.59%
||
7 Day CHG+0.12%
Published-03 Dec, 2025 | 00:00
Updated-01 Jun, 2026 | 12:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Action-Not Available
Vendor-n/aAvtec (Motorola Solutions)
Product-dgm1104_firmwaredgm1104n/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5693
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.42%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 20:00
Updated-10 Jun, 2025 | 15:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Human Metapneumovirus Testing Management System bwdates-report-result.php sql injection

A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /bwdates-report-result.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-anujk305PHPGurukul LLP
Product-human_metapneumovirus_\(hmpv\)_-_testing_management_systemHuman Metapneumovirus Testing Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-53945
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-19.05% / 96.97%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 00:00
Updated-15 Aug, 2025 | 13:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The KuWFi 4G AC900 LTE router 1.0.13 is vulnerable to command injection on the HTTP API endpoints /goform/formMultiApnSetting and /goform/atCmd. An authenticated attacker can execute arbitrary OS commands with root privileges via shell metacharacters in parameters such as pincode and cmds. Exploitation can lead to full system compromise, including enabling remote access (e.g., enabling telnet).

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-0861
Matching Score-4
Assigner-ONEKEY GmbH
ShareView Details
Matching Score-4
Assigner-ONEKEY GmbH
CVSS Score-7.2||HIGH
EPSS-28.66% / 97.90%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 08:58
Updated-18 Mar, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Command Injection in NetModule NSRW

NetModule NSRW web administration interface executes an OS command constructed with unsanitized user input. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. This issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103.

Action-Not Available
Vendor-netmoduleNetModule
Product-nb1810nb2800nb3800nb1601ng800nb800nb1800netmodule_router_softwarenb3701nb2810NSRW
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5652
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.98%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 10:00
Updated-06 Jun, 2025 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Complaint Management System between-date-complaintreport.php sql injection

A vulnerability, which was classified as critical, was found in PHPGurukul Complaint Management System 2.0. Affected is an unknown function of the file /admin/between-date-complaintreport.php. The manipulation of the argument fromdate/todate leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-complaint_management_systemComplaint Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5837
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.41%
||
7 Day CHG~0.00%
Published-07 Jun, 2025 | 14:00
Updated-09 Jun, 2025 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Employee Record Management System allemployees.php sql injection

A vulnerability classified as critical has been found in PHPGurukul Employee Record Management System 1.3. Affected is an unknown function of the file /admin/allemployees.php. The manipulation of the argument delid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-employee_record_management_systemEmployee Record Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5694
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.41%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 20:31
Updated-10 Jun, 2025 | 15:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Human Metapneumovirus Testing Management System search-report-result.php sql injection

A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /search-report-result.php. The manipulation of the argument serachdata leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-anujk305PHPGurukul LLP
Product-human_metapneumovirus_\(hmpv\)_-_testing_management_systemHuman Metapneumovirus Testing Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5784
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.38%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 16:00
Updated-10 Jun, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Employee Record Management System myexp.php sql injection

A vulnerability has been found in PHPGurukul Employee Record Management System 1.3 and classified as critical. This vulnerability affects unknown code of the file /myexp.php. The manipulation of the argument emp3ctc leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-employee_record_management_systemEmployee Record Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-37720
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.2||HIGH
EPSS-3.06% / 85.98%
||
7 Day CHG+0.10%
Published-07 Sep, 2021 | 12:08
Updated-04 Aug, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote arbitrary command execution vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.7.1.4, 8.6.0.9, 8.5.0.13, 8.3.0.16, 6.5.4.20, 6.4.4.25. Aruba has released patches for Aruba SD-WAN Software and Gateways and ArubaOS that address this security vulnerability.

Action-Not Available
Vendor-n/aSiemens AGAruba Networks
Product-arubaossd-wanscalance_w1750d_firmwarescalance_w1750dAruba SD-WAN Software and Gateways; Aruba Operating System Software
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-37724
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.2||HIGH
EPSS-3.06% / 85.98%
||
7 Day CHG+0.10%
Published-07 Sep, 2021 | 12:34
Updated-04 Aug, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote arbitrary command execution vulnerability was discovered in Aruba Operating System Software version(s): Prior to 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.16. Aruba has released patches for ArubaOS that address this security vulnerability.

Action-Not Available
Vendor-n/aSiemens AGAruba Networks
Product-arubaosscalance_w1750d_firmwarescalance_w1750dAruba Operating System Software
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-1061
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.76% / 50.74%
||
7 Day CHG~0.00%
Published-27 Feb, 2023 | 11:08
Updated-27 Sep, 2025 | 00:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Doctors Appointment System edit-doc.php sql injection

A vulnerability, which was classified as critical, has been found in SourceCodester Doctors Appointment System 1.0. This issue affects some unknown processing of the file /admin/edit-doc.php. The manipulation of the argument email/oldmail leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-SourceCodesteroretnom23
Product-doctors_appointment_systemDoctors Appointment System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5674
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.94%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 18:00
Updated-10 Jun, 2025 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Patient Record Management System urinalysis_form.php sql injection

A vulnerability was found in code-projects Patient Record Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file urinalysis_form.php. The manipulation of the argument urinalysis_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Source Code & ProjectsFabian Ros
Product-patient_record_management_systemPatient Record Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-0611
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-8.8||HIGH
EPSS-3.85% / 88.88%
||
7 Day CHG~0.00%
Published-01 Feb, 2023 | 13:24
Updated-25 Nov, 2024 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TRENDnet TEW-652BRP Web Management Interface get_set.ccp command injection

A vulnerability, which was classified as critical, has been found in TRENDnet TEW-652BRP 3.04B01. This issue affects some unknown processing of the file get_set.ccp of the component Web Management Interface. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-219935.

Action-Not Available
Vendor-TRENDnet, Inc.
Product-tew-652brp_firmwaretew-652brpTEW-652BRP
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2020-21785
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.73% / 84.27%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 15:24
Updated-04 Aug, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In IBOS 4.5.4 Open, the database backup has Command Injection Vulnerability.

Action-Not Available
Vendor-ibosn/a
Product-ibosn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-0351
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-1.39% / 68.91%
||
7 Day CHG~0.00%
Published-13 Mar, 2023 | 20:22
Updated-16 Jan, 2025 | 21:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2023-0351

The Akuvox E11 web server backend library allows command injection in the device phone-book contacts functionality. This could allow an attacker to upload files with executable command instructions.

Action-Not Available
Vendor-Akuvox (SMART-PLUS PTE. LTD.)
Product-e11e11_firmwareE11
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5763
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-4.92% / 91.06%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:00
Updated-10 Jun, 2025 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda CP3 apollo sub_F3C8C command injection

A vulnerability has been found in Tenda CP3 11.10.00.2311090948 and classified as critical. Affected by this vulnerability is the function sub_F3C8C of the file apollo. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-cp3cp3_firmwareCP3
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-57199
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-3.01% / 85.79%
||
7 Day CHG+0.05%
Published-03 Dec, 2025 | 00:00
Updated-23 Dec, 2025 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Action-Not Available
Vendor-n/aAvtec (Motorola Solutions)
Product-dgm1104dgm1104_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5838
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.42%
||
7 Day CHG~0.00%
Published-07 Jun, 2025 | 16:00
Updated-10 Jun, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Employee Record Management System adminprofile.php sql injection

A vulnerability classified as critical was found in PHPGurukul Employee Record Management System 1.3. Affected by this vulnerability is an unknown functionality of the file /admin/adminprofile.php. The manipulation of the argument AdminName leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-employee_record_management_systemEmployee Record Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5558
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.38%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 04:00
Updated-10 Jun, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Teacher Subject Allocation Management System changeimage.php sql injection

A vulnerability was found in PHPGurukul Teacher Subject Allocation Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/changeimage.php. The manipulation of the argument editid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-teacher_subject_allocation_management_systemTeacher Subject Allocation Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-0493
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.3||MEDIUM
EPSS-7.90% / 94.01%
||
7 Day CHG~0.00%
Published-26 Jan, 2023 | 00:00
Updated-31 Mar, 2025 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Equivalent Special Elements in btcpayserver/btcpayserver

Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5.

Action-Not Available
Vendor-btcpayserverbtcpayserver
Product-btcpay_serverbtcpayserver/btcpayserver
CWE ID-CWE-76
Improper Neutralization of Equivalent Special Elements
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2025-5566
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.37%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 05:00
Updated-10 Jun, 2025 | 15:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Notice Board System search-notice.php sql injection

A vulnerability classified as critical has been found in PHPGurukul Notice Board System 1.0. This affects an unknown part of the file /search-notice.php. The manipulation of the argument searchdata leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-notice_board_systemNotice Board System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-0830
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-20.86% / 97.25%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 16:13
Updated-01 May, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EasyNAS backup.pl system os command injection

A vulnerability classified as critical has been found in EasyNAS 1.1.0. Affected is the function system of the file /backup.pl. The manipulation leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-easynasn/a
Product-easynasEasyNAS
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5611
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.94%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 20:31
Updated-10 Jun, 2025 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CodeAstro Real Estate Management System submitpropertyupdate.php sql injection

A vulnerability, which was classified as critical, was found in CodeAstro Real Estate Management System 1.0. This affects an unknown part of the file /submitpropertyupdate.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-CodeAstro
Product-real_estate_management_systemReal Estate Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-16875
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.4||HIGH
EPSS-47.14% / 98.69%
||
7 Day CHG~0.00%
Published-11 Sep, 2020 | 17:08
Updated-23 Feb, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Exchange Server Remote Code Execution Vulnerability

<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments.</p> <p>An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised.</p> <p>The security update addresses the vulnerability by correcting how Microsoft Exchange handles cmdlet arguments.</p>

Action-Not Available
Vendor-Microsoft Corporation
Product-exchange_serverMicrosoft Exchange Server 2019 Cumulative Update 5Microsoft Exchange Server 2019 Cumulative Update 6Microsoft Exchange Server 2016 Cumulative Update 16Microsoft Exchange Server 2016 Cumulative Update 17
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2025-5492
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.89% / 85.18%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 10:31
Updated-15 Jul, 2025 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DI-500WF-WT /usr/sbin/jhttpd msp_info.htm sub_456DE8 command injection

A vulnerability has been found in D-Link DI-500WF-WT up to 20250511 and classified as critical. Affected by this vulnerability is the function sub_456DE8 of the file /msp_info.htm?flag=cmd of the component /usr/sbin/jhttpd. The manipulation of the argument cmd leads to command injection. The attack can be launched remotely.

Action-Not Available
Vendor-D-Link Corporation
Product-di-500wf-wt_firmwaredi-500wf-wtDI-500WF-WT
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5554
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.38%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 02:31
Updated-10 Jun, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Rail Pass Management System pass-bwdates-reports-details.php sql injection

A vulnerability, which was classified as critical, has been found in PHPGurukul Rail Pass Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/pass-bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-rail_pass_management_systemRail Pass Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-22899
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.8||HIGH
EPSS-22.34% / 97.40%
||
7 Day CHG~0.00%
Published-27 May, 2021 | 11:15
Updated-03 Nov, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature

Action-Not Available
Vendor-n/aIvanti Software
Product-connect_securePulse Connect SecurePulse Connect Secure
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5633
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 30.93%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 03:31
Updated-10 Jun, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects/anirbandutta9 Content Management System/News-Buzz users.php sql injection

A vulnerability was found in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/users.php. The manipulation of the argument delete leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-anirbandutta9anirbandutta9Source Code & Projects
Product-news-buzzcontent_management_systemContent Management SystemNews-Buzz
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5557
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.37%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 03:31
Updated-10 Jun, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Teacher Subject Allocation Management System edit-course.php sql injection

A vulnerability has been found in PHPGurukul Teacher Subject Allocation Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/edit-course.php. The manipulation of the argument editid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-teacher_subject_allocation_management_systemTeacher Subject Allocation Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5616
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.94%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 22:31
Updated-06 Jun, 2025 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online Fire Reporting System profile.php sql injection

A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

Action-Not Available
Vendor-PHPGurukul LLP
Product-online_fire_reporting_systemOnline Fire Reporting System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5571
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-8.17% / 94.17%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 05:31
Updated-15 Jul, 2025 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DCS-932L setSystemAdmin os command injection

A vulnerability was found in D-Link DCS-932L 2.18.01. It has been classified as critical. Affected is the function setSystemAdmin of the file /setSystemAdmin. The manipulation of the argument AdminID leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-D-Link Corporation
Product-dcs-932ldcs-932l_firmwareDCS-932L
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51300
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.60% / 44.27%
||
7 Day CHG~0.00%
Published-30 Oct, 2024 | 00:00
Updated-10 Apr, 2025 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the get_rrd function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-51301
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.60% / 44.27%
||
7 Day CHG~0.00%
Published-30 Oct, 2024 | 00:00
Updated-10 Apr, 2025 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the packet_monitor function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-51258
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.54% / 41.44%
||
7 Day CHG~0.00%
Published-30 Oct, 2024 | 00:00
Updated-10 Apr, 2025 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doSSLTunnel function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5614
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.94%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 22:00
Updated-10 Jun, 2025 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online Fire Reporting System search-report-result.php sql injection

A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been classified as critical. Affected is an unknown function of the file /search-report-result.php. The manipulation of the argument serachdata leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-online_fire_reporting_systemOnline Fire Reporting System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5632
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 30.93%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 03:00
Updated-10 Jun, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects/anirbandutta9 Content Management System/News-Buzz users.php sql injection

A vulnerability was found in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/users.php. The manipulation of the argument change_to_admin leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-anirbandutta9anirbandutta9Source Code & Projects
Product-news-buzzcontent_management_systemContent Management SystemNews-Buzz
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5638
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.94%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 05:00
Updated-06 Jun, 2025 | 20:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Notice Board System admin-profile.php sql injection

A vulnerability has been found in PHPGurukul Notice Board System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin-profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

Action-Not Available
Vendor-PHPGurukul LLP
Product-notice_board_systemNotice Board System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5615
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.94%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 22:00
Updated-10 Jun, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online Fire Reporting System details.php sql injection

A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /details.php. The manipulation of the argument requestid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-online_fire_reporting_systemOnline Fire Reporting System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5546
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.37%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 23:31
Updated-10 Jun, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Daily Expense Tracker System expense-reports-detailed.php sql injection

A vulnerability classified as critical was found in PHPGurukul Daily Expense Tracker System 1.1. This vulnerability affects unknown code of the file /expense-reports-detailed.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-daily_expense_tracker_systemDaily Expense Tracker System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-51771
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.2||HIGH
EPSS-0.74% / 50.19%
||
7 Day CHG~0.00%
Published-03 Dec, 2024 | 20:02
Updated-07 Apr, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Remote Code Execution (RCE) via OGNL Injection in HPE Aruba Networking ClearPass Web-Based Management Interface

A vulnerability in the HPE Aruba Networking ClearPass Policy Manager web-based management interface could allow an authenticated remote threat actor to conduct a remote code execution attack. Successful exploitation could enable the attacker to run arbitrary commands on the underlying operating system.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-clearpass_policy_managerHPE Aruba Networking ClearPass Policy Managerclearpass_policy_manager
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-55227
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-1.25% / 65.76%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 17:01
Updated-20 Feb, 2026 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SQL Server Elevation of Privilege Vulnerability

Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-sql_server_2017sql_server_2016sql_server_2019sql_server_2022Microsoft SQL Server 2019 (GDR)Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature PackMicrosoft SQL Server 2016 Service Pack 3 (GDR)Microsoft SQL Server 2019 (CU 32)Microsoft SQL Server 2017 (GDR)Microsoft SQL Server 2022 (CU 20)Microsoft SQL Server 2017 (CU 31)Microsoft SQL Server 2022 (GDR)
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5569
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.27% / 66.26%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 05:31
Updated-03 Oct, 2025 | 01:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IdeaCMS getList.html Goods sql injection

A vulnerability was found in IdeaCMS up to 1.7 and classified as critical. This issue affects the function Article/Goods of the file /api/v1.index.article/getList.html. The manipulation of the argument Field leads to sql injection. The attack may be initiated remotely. Upgrading to version 1.8 is able to address this issue. The patch is named 935aceb4c21338633de6d41e13332f7b9db4fa6a. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-ideacmsn/a
Product-ideacmsIdeaCMS
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-5439
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-8.05% / 94.09%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 09:31
Updated-02 Jul, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 verifyFacebookLike os command injection

A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been rated as critical. Affected by this issue is the function verifyFacebookLike of the file /goform/verifyFacebookLike. The manipulation of the argument uid/accessToken leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Linksys Holdings, Inc.
Product-re9000_firmwarere6250re7000re6300re6300_firmwarere7000_firmwarere6500_firmwarere9000re6350re6350_firmwarere6250_firmwarere6500RE7000RE6350RE9000RE6500RE6300RE6250
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51257
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.38% / 29.53%
||
7 Day CHG~0.00%
Published-30 Oct, 2024 | 00:00
Updated-10 Apr, 2025 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doCertificate function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5403
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 30.80%
||
7 Day CHG~0.00%
Published-01 Jun, 2025 | 16:00
Updated-10 Nov, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
chaitak-gorai Blogbook GET Parameter view_all_posts.php sql injection

A vulnerability classified as critical has been found in chaitak-gorai Blogbook up to 92f5cf90f8a7e6566b576fe0952e14e1c6736513. This affects an unknown part of the file /admin/view_all_posts.php of the component GET Parameter Handler. The manipulation of the argument post_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-chaitak-goraichaitak-gorai
Product-blogbookBlogbook
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-50852
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.64% / 73.53%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 00:00
Updated-21 Nov, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda G3 v3.0 v15.11.0.20 was discovered to contain a command injection vulnerability via the formSetUSBPartitionUmount function.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-g3g3_firmwaren/ag3
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 25
  • 26
  • Next
Details not found