Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-27797

Summary
Assigner-jpcert
Assigner Org ID-ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At-09 Apr, 2025 | 09:03
Updated At-09 Apr, 2025 | 14:57
Rejected At-
Credits

OS command injection vulnerability in the specific service exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, an arbitrary OS command may be executed by a remote attacker who can log in to the product.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:jpcert
Assigner Org ID:ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At:09 Apr, 2025 | 09:03
Updated At:09 Apr, 2025 | 14:57
Rejected At:
â–¼CVE Numbering Authority (CNA)

OS command injection vulnerability in the specific service exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, an arbitrary OS command may be executed by a remote attacker who can log in to the product.

Affected Products
Vendor
Inaba Denki Sangyo Co., Ltd.
Product
AC-WPS-11ac
Versions
Affected
  • v2.0.03P and earlier
Vendor
Inaba Denki Sangyo Co., Ltd.
Product
AC-WPS-11ac-P
Versions
Affected
  • v2.0.03P and earlier
Vendor
Inaba Denki Sangyo Co., Ltd.
Product
AC-WPSM-11ac
Versions
Affected
  • v2.0.03P and earlier
Vendor
Inaba Denki Sangyo Co., Ltd.
Product
AC-WPSM-11ac-P
Versions
Affected
  • v2.0.03P and earlier
Vendor
Inaba Denki Sangyo Co., Ltd.
Product
AC-PD-WPS-11ac
Versions
Affected
  • v2.0.03P and earlier
Vendor
Inaba Denki Sangyo Co., Ltd.
Product
AC-PD-WPS-11ac-P
Versions
Affected
  • v2.0.03P and earlier
Problem Types
TypeCWE IDDescription
CWECWE-78Improper neutralization of special elements used in an OS command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: Improper neutralization of special elements used in an OS command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.inaba.co.jp/abaniact/news/security_20250404.pdf
N/A
https://jvn.jp/en/vu/JVNVU93925742/
N/A
Hyperlink: https://www.inaba.co.jp/abaniact/news/security_20250404.pdf
Resource: N/A
Hyperlink: https://jvn.jp/en/vu/JVNVU93925742/
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vultures@jpcert.or.jp
Published At:09 Apr, 2025 | 09:15
Updated At:09 Apr, 2025 | 09:15

OS command injection vulnerability in the specific service exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, an arbitrary OS command may be executed by a remote attacker who can log in to the product.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-78Primaryvultures@jpcert.or.jp
CWE ID: CWE-78
Type: Primary
Source: vultures@jpcert.or.jp
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://jvn.jp/en/vu/JVNVU93925742/vultures@jpcert.or.jp
N/A
https://www.inaba.co.jp/abaniact/news/security_20250404.pdfvultures@jpcert.or.jp
N/A
Hyperlink: https://jvn.jp/en/vu/JVNVU93925742/
Source: vultures@jpcert.or.jp
Resource: N/A
Hyperlink: https://www.inaba.co.jp/abaniact/news/security_20250404.pdf
Source: vultures@jpcert.or.jp
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1382Records found
CVE-2022-36231
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-27.10% / 96.30%
||
7 Day CHG-0.19%
Published-23 Feb, 2023 | 00:00
Updated-13 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pdf_info 0.5.3 is vulnerable to Command Execution because the Ruby code uses backticks instead of Open3.

Action-Not Available
Vendor-newspaperclubn/a
Product-pdf_infon/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-53941
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-68.64% / 98.60%
||
7 Day CHG+11.18%
Published-18 Dec, 2025 | 19:53
Updated-26 Dec, 2025 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EasyPHP Webserver 14.1 Remote Code Execution

EasyPHP Webserver 14.1 contains an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by injecting malicious payloads through the app_service_control parameter. Attackers can send POST requests to /index.php?zone=settings with crafted app_service_control values to execute commands with administrative privileges.

Action-Not Available
Vendor-easyphpEasyphp
Product-webserverEasyPHP Webserver
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-53948
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-0.37% / 58.47%
||
7 Day CHG+0.02%
Published-19 Dec, 2025 | 21:05
Updated-23 Dec, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lilac-Reloaded for Nagios 2.0.8 Remote Code Execution via Autodiscovery

Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input filtering in the nmap_binary parameter to execute a reverse shell by sending a crafted POST request to the autodiscovery endpoint.

Action-Not Available
Vendor-cat03
Product-Lilac-Reloaded
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-53963
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-2.54% / 85.27%
||
7 Day CHG+0.11%
Published-22 Dec, 2025 | 21:37
Updated-13 Jan, 2026 | 15:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Remote Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands through the 'password' parameter. Attackers can exploit the login.php and index.php scripts by injecting shell commands via the 'password' POST parameter to execute commands with web server privileges.

Action-Not Available
Vendor-sound4SOUND4 Ltd.Kantar Media
Product-wm2_firmwarepulse_eco_firmwareimpact_ecowm2pulseimpact_eco_firmwarefirstimpact_firmwarebig_voice2_firmwarefirst_firmwarepulse_ecostream_extensionimpactpulse_firmwarebig_voice4_firmwarebig_voice2big_voice4Impact/Pulse EcoWM2BigVoice4StreamImpact/Pulse/FirstBigVoice2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-36260
Matching Score-4
Assigner-Hangzhou Hikvision Digital Technology Co., Ltd.
ShareView Details
Matching Score-4
Assigner-Hangzhou Hikvision Digital Technology Co., Ltd.
CVSS Score-9.8||CRITICAL
EPSS-94.44% / 99.99%
||
7 Day CHG~0.00%
Published-22 Sep, 2021 | 12:07
Updated-10 Nov, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-01-24||Apply updates per vendor instructions.

A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.

Action-Not Available
Vendor-n/aHIKVISION
Product-ds-2dy92500x-a\(t5\)_firmwareds-2td1117-6\/pa_firmwareds-2cd2046g2-iu\/slds-2cd2123g2-iuds-2td8167-190ze2f\/wyds-2cd2143g2-iu_firmwareds-2td8166-180ze2f\/v2ds-2cd2743g2-izs_firmwareds-2df8236i5x-aelwptz-n4225i-de_firmwareds-2td1217b-3\/pads-2cd3156g2-is\(u\)_firmwareds-2df8a442ixs-ael\(t5\)_firmwareds-2cd3556g2-is_firmwareptz-n2404i-de3ds-2cd2686g2-izsu\/sl_firmwareds-2td6267-75c4l\/w_firmwareds-2cd2783g2-izs_firmwareds-2cd2066g2-iu\/slds-2cd3726g2-izsds-2df7225ix-aelw\(t3\)ds-2dy9236i8x-a\(t3\)_firmwareds-2td8167-190ze2f\/wy_firmwareds-7608ni-q2ds-2cd2121g1-idwds-2cd2786g2-izsds-2cd2147g2-l\(su\)ds-2df8442ixs-aelw\(t5\)ids-2vs435-f840-ey_firmwareds-2xe6242f-is\/316l\(b\)_firmwareds-2cd2346g2-isu\/slds-2cd2766g2-izs_firmwareds-2dyh2a0ixs-d\(t2\)_firmwareds-2td6267-100c4l\/wds-2td8167-230zg2f\/wyds-7616ni-q2_firmwareds-2cd2086g2-iu\/sl_firmwareds-2cd3056g2-is_firmwareds-2cd3143g2-i\(s\)u_firmwareds-2cd2047g2-l\(u\)ds-2cd2586g2-i\(s\)ds-7608ni-k1\/8pds-2cd2123g2-iu_firmwareds-2df8a442ixs-aely\(t5\)_firmwareds-2cd2366g2-isu\/slds-2cd2163g2-i\(s\)ds-2td8166-150ze2f\/v2_firmwareds-2cd3586g2-is_firmwareds-2td6237-50h4l\/w_firmwareds-2td4166t-9_firmwareids-2vs435-f840-ey\(t3\)_firmwareds-2cd3523g2-is_firmwareds-2cd2347g2-lsu\/sl_firmwareds-2cd2163g2-i\(s\)_firmwareds-2df8425ix-aelw\(t5\)_firmwareds-2td6266t-25h2l_firmwareds-2df8242ix-ael\(t5\)ds-2cd3056g2iu\/sl_firmwareds-2cd3743g2-izsds-2df6a825x-ael_firmwareds-2td8167-230zg2f\/w_firmwareds-2df8225ix-ael\(t3\)ds-2cd2086g2-i\(u\)_firmwareds-2cd2563g2-i\(s\)ds-2cd3126g2-isds-7616ni-q2\/16pds-2cd2686g2-izsds-2cd3356g2-isu\/slds-2df7225ix-ael\(t3\)ds-2cd2766g2-izsds-2td6237-50h4l\/wds-2df8a442ixs-aely\(t5\)ds-2td6267-50h4l\/w_firmwareds-2cd2121g0-i\(w\)\(s\)_firmwareds-2td8167-230zg2f\/wy_firmwareds-7104ni-q1\/4p\/mds-2td6237-75c4l\/wds-2df6a436x-aely\(t5\)_firmwareds-2td6236t-50h2lds-2cd3347g2-ls\(u\)ds-2df8436i5x-aelw\(t3\)ids-2sk718mxs-d_firmwareds-2cd2163g2-iuds-7608ni-k1ds-2cd2021g1-i\(w\)ds-7608ni-k1\/4gds-2cd2526g2-isds-2cd2087g2-l\(u\)_firmwareds-2cd2646g2-izsu\/slds-7604ni-k1_firmwareds-2cd2643g2-izs_firmwareds-2cd2366g2-i\(u\)ds-2cd3756g2-izs_firmwareds-2cd2663g2-izs_firmwareds-2cd2147g2-l\(su\)_firmwareds-2xe6422fwd-izhrs_firmwareds-2cd3626g2-izsds-2df6a825x-aelds-7104ni-q1\/4pds-7608ni-q2_firmwareds-2cd3626g2-izs_firmwareds-2cd3363g2-iu_firmwareds-2cd3523g2-isds-2cd2523g2-i\(u\)ds-7108ni-q1\/8p\/m_firmwareds-2cd2183g2-i\(s\)_firmwareds-7604ni-k1ds-2cd2186g2-i\(su\)_firmwareds-2cd2183g2-i\(s\)ds-2df8a442ixs-ael\(t5\)ds-2cd3726g2-izs_firmwareds-2dy9236i8x-a_firmwareds-2cd2343g2-i\(u\)ds-2cd3343g2-iu_firmwareds-7608ni-q1_firmwareds-2cd3343g2-iuds-2cd3126g2-is_firmwareds-2xe6452f-izh\(r\)s_firmwareptz-n4215i-deds-2cd2023g2-i\(u\)ds-2cd3686g2-izsds-7104ni-q1ds-2cd3086g2-isds-2cd3547g2-ls_firmwareds-2td8166-150zh2f\/v2ds-2td8167-230zg2f\/wds-2cd2386g2-i\(u\)_firmwareds-7104ni-q1\/4p_firmwareds-2cd2183g2-i\(u\)ds-2cd2066g2-iu\/sl_firmwareds-2td6266t-50h2lds-2cd2666g2-izs_firmwareds-2cd3123g2-i\(s\)u_firmwareds-2cd3123g2-i\(s\)uds-2df8a842ixs-ael\(t5\)ds-2cd2121g1-idw_firmwareds-2df8236i5x-aelw_firmwareds-2cd2546g2-i\(s\)_firmwareds-2cd3543g2-isds-2cd2566g2-i\(s\)ds-2dy9250izs-a\(t5\)_firmwareds-2cd2386g2-isu\/sl_firmwareds-2cd2763g2-izsds-2dy9240ix-a\(t5\)ds-2df8242i5x-aelw\(t3\)ids-2pt9a144mxs-d\/t2_firmwareds-7616ni-q1ds-2td6266t-25h2lds-2df8225ix-ael\(t5\)_firmwareds-2cd2027g2-l\(u\)_firmwareds-2cd3386g2-is_firmwareds-7616ni-q2\/16p_firmwareds-2df8242ix-aely\(t3\)ds-2cd2546g2-i\(s\)ds-2cd3026g2-isds-2cd3543g2-is_firmwareds-2cd2366g2-i\(u\)_firmwareds-7608ni-q2\/8pds-2cd2626g2-izsu\/sl_firmwareds-2cd2387g2-l\(u\)ds-2cd2021g1-i\(w\)_firmwareds-2td4167-50\/w_firmwareds-7108ni-q1\/8p\/mds-2cd3526g2-is_firmwareds-2cd3723g2-izs_firmwareds-2cd3326g2-isu\/slds-2cd2586g2-i\(s\)_firmwareds-2cd3023g2-iu_firmwareds-2cd2121g1-i\(w\)_firmwareds-2df6a225x-ael\)t3\)ds-2cd2321g0-i\/nfids-2vs435-f840-eyds-2cd3643g2-izsds-7608ni-q1ds-2cd2366g2-isu\/sl_firmwareds-2td8167-190ze2f\/wds-2td8166-100c2f\/v2_firmwareds-2td8167-150zc4f\/w_firmwareds-2cd3043g2-iu_firmwareds-2df8242ix-aelw\(t3\)_firmwareds-7604ni-q1_firmwareds-2df8225ix-aelw\(t3\)ds-2cd2666g2-izsds-2df6a836x-ael\(t5\)ds-2cd3723g2-izsds-2df8225ix-ael\(t5\)ds-2cd2646g2-izsu\/sl_firmwareds-2cd2543g2-i\(ws\)ds-2df8442ixs-ael\(t5\)_firmwareds-2df8425ix-ael\(t5\)ds-2td8167-190ze2f\/w_firmwareds-2td1217b-3\/pa_firmwareds-2cd2786g2-izs_firmwareds-2cd3623g2-izs_firmwareds-2cd3786g2-izs_firmwareds-2cd3056g2-iu\/sl_firmwareds-2cd2023g2-i\(u\)_firmwareds-2df8242i5x-ael\(t3\)_firmwareds-2xe6452f-izh\(r\)sds-2cd2186g2-i\(su\)ptz-n4215-de3_firmwareds-2td4167-25\/wds-2cd3563g2-is_firmwareds-7608ni-k1\/8p\/4g_firmwareds-2cd2621g0-i\(z\)\(s\)_firmwareds-2cd2723g2-izsds-2cd2523g2-i\(u\)_firmwareds-2df6a436x-ael\(t5\)ds-2df6a436x-ael\(t3\)_firmwareptz-n2204i-de3_firmwareds-2td1117-3\/pads-7108ni-q1\/mds-2cd3023g2-iuds-2df5225x-ae3\(t3\)ds-2cd2383g2-i\(u\)_firmwareds-2td4137-25\/wds-7604ni-q1\/4pds-2cd2526g2-is_firmwareds-2xe6242f-is\/316l\(b\)ds-2cd2623g2-izsds-2cd2183g2-iu_firmwareds-2df8225ix-aelw\(t3\)_firmwareds-2cd2683g2-izs_firmwareds-2cd2043g2-i\(u\)_firmwareds-2cd3126g2-is\(u\)ds-2cd3656g2-izs_firmwareds-2df8225ih-aelds-7608ni-k1\/4g_firmwareds-2df8a442ixs-ael\(t2\)_firmwareds-2df7232ix-ael\(t3\)_firmwareds-2df8425ix-ael\(t3\)_firmwareds-2td4167-50\/wds-2cd2583g2-i\(s\)_firmwareds-2df8242i5x-aelw\(t3\)_firmwareds-2cd2383g2-i\(u\)ds-2df5225x-ael\(t3\)ds-2df8242ix-aelw\(t3\)ds-2xe6422fwd-izhrsds-2df8242i5x-ael\(t3\)ds-2td6267-75c4l\/wds-2cd2166g2-i\(su\)_firmwareds-2df8a842ixs-ael\(t5\)_firmwareids-2sk8144ixs-d\/j_firmwareds-2cd3356g2-isds-760ni-k1\/4p_firmwareds-2cd3586g2-isds-2cd2127g2-\(-su\)_firmwareds-2cd2363g2-i\(u\)_firmwareds-2cd3086g2-is_firmwareds-2cd2166g2-i\(su\)ds-2cd2347g2-l\(u\)ds-2cd3547g2-lsds-7108ni-q1_firmwareds-7108ni-q1ds-2cd3563g2-isds-2xe6482f-izhrs_firmwareds-2cd2527g2-ls_firmwareptz-n4215-de3ds-2df8442ixs-aelw\(t2\)_firmwareds-2td8166-150zh2f\/v2_firmwareds-2cd3623g2-izsds-2cd2743g2-izsds-2cd2563g2-i\(s\)_firmwareds-2td4167-25\/w_firmwareds-2cd2063g2-i\(u\)ds-2cd3763g2-izsds-2td1217b-6\/pads-2cd2323g2-i\(u\)_firmwareptz-n4225i-deds-2cd2327g2-l\(u\)_firmwareds-2cd2721g0-i\(z\)\(s\)_firmwareds-2cd2121g0-i\(w\)\(s\)ds-7604ni-q1\/4p_firmwareds-2cd3663g2-izsds-2df8442ixs-aely\(t5\)_firmwareds-2cd2526g2-i\(s\)ds-2dy92500x-a\(t5\)ds-2td6266t-50h2l_firmwareds-2td8166-75c2f\/v2ds-7604ni-k1\/4p\/4gds-2cd2683g2-izsds-2td6237-75c4l\/w_firmwareds-2cd3786g2-izsds-2cd2723g2-izs_firmwareds-7104ni-q1\/mds-2cd2086g2-i\(u\)ds-2cd3643g2-izs_firmwareds-2dy9240ix-a\(t5\)_firmwareds-2cd2123g2-i\(s\)ds-2cd3386g2-is\(u\)ds-2cd2446g2-ids-2cd2363g2-i\(u\)ds-2cd3386g2-is\(u\)_firmwareds-2cd3663g2-izs_firmwareds-2cd2621g0-i\(z\)\(s\)ds-2cd2583g2-i\(s\)ds-2td1117-3\/pa_firmwareds-2cd2686g2-izsu\/slds-2cd2047g2-l\(u\)_firmwareds-7608ni-k1_firmwareds-2df7225ix-aelw\(t3\)_firmwareds-2df6a436x-ael\(t5\)_firmwareds-2cd2426g2-ids-2dy9236i8x-ads-2cd2043g2-i\(u\)ds-2df6a836x-ael\(t5\)_firmwareds-2df8436i5x-aelw\(t3\)_firmwareds-2df5232x-ael\(t3\)_firmwareds-2cd2446g2-i_firmwareds-2df7232ix-aelw\(t3\)ds-2cd2027g2-l\(u\)ds-2cd3056g2-iu\/slds-2cd3347g2-ls\(u\)_firmwareds-7608ni-q1\/8p_firmwareds-2df8225ix-ael\(t3\)_firmwareptz-n4215i-de_firmwareds-2cd2566g2-i\(s\)_firmwareds-2cd3043g2-iuds-2cd3323g2-iu_firmwareds-2df8442ixs-aely\(t5\)ds-2df8a442nxs-ael\(t5\)_firmwareds-2df5232x-ael\(t3\)ds-2cd2063g2-i\(u\)_firmwareds-2df7225ix-ael\(t3\)_firmwareds-7616ni-k1_firmwareds-2cd2386g2-i\(u\)ptz-n5225i-ads-2df8442ixs-aelwy\(t5\)ds-2df6a236x-ael\(t3\)_firmwareds-2dy9250izs-a\(t5\)ds-2cd3323g2-iuds-2df8425ix-ael\(t3\)ds-2cd3026g2-iu\/slds-2cd2127g2-\(-su\)ds-2cd2027g2-lu\/sl_firmwareds-2df5225x-ae3\(t3\)_firmwareds-2df8442ixs-aelw\(t2\)ds-7616ni-k1ds-2cd3156g2-isds-2cd2143g2-i\(s\)ds-2cd3126g2-is\(u\)_firmwareds-2df8225ih-ael\(w\)ds-7616ni-q2ds-2cd2421g0-i\(d\)\(w\)ds-2cd2421g0-i\(d\)w_firmwareds-2cd2086g2-iu\/slds-2df8a442ixs-ael\(t2\)ds-7608ni-q2\/8p_firmwareds-2df5232x-ae3\)t3\)ds-2df6a436x-ael\(t3\)ds-2td6236t-50h2l_firmwareds-2cd3163g2-i\(s\)u_firmwareds-2td8166-180ze2f\/v2_firmwareds-2df6a425x-ael\(t3\)_firmwareds-2df8242i5x-aelw\(t5\)_firmwareds-2cd3047g2-ls_firmwareds-2cd3526g2-isds-2cd2527g2-lsds-2cd2323g2-i\(u\)ds-2cd3026g2-iu\/sl_firmwareds-2df8225ix-aelw\(t5\)_firmwareds-2cd3686g2-izs_firmwareds-2df7232ix-aelw\(t3\)_firmwareds-2df8225ix-aelw\(t5\)ds-2td6267-75c4l\/wyds-2cd2547g2-lzs_firmwareds-2cd2547g2-lzsds-2cd2066g2-i\(u\)_firmwareds-2cd2523g2-i\(s\)ds-7108ni-q1\/8pds-2cd2321g0-i\/nf_firmwareds-2td4137-50\/w_firmwareds-2dyh2a0ixs-d\(t2\)ds-2td8166-75c2f\/v2_firmwareds-2cd2643g2-izsds-2cd3656g2-izsds-7104ni-q1_firmwareds-2df8242ix-aely\(t3\)_firmwareds-2cd2626g2-izsu\/slds-2dy9236ix-a\(t3\)_firmwareds-7104ni-q1\/m_firmwareds-2cd2421g0-i\(d\)wds-2cd2543g2-i\(ws\)_firmwareds-2td4166t-9ds-2dy9236x-a\(t3\)_firmwareds-2df5232x-ae3\)t3\)_firmwareds-2cd3186g2-is\(u\)ds-2cd3047g2-lsds-2df8242i5x-aelw\(t5\)ds-2td8167-150zc4f\/wds-2cd2426g2-i_firmwareds-7608ni-k1\/8p_firmwareds-2td6267-75c4l\/wy_firmwareds-2cd2526g2-i\(s\)_firmwareds-2cd3356g2-is\(u\)_firmwareds-2td4136t-9_firmwareds-2df6a236x-ael\(t3\)ds-2td1117-2\/pa_firmwareds-2cd2186g2-isuds-2df8425ix-ael\(t5\)_firmwareds-2df8442ixs-ael\(t5\)ds-2cd2343g2-i\(u\)_firmwareds-2td6267-100c4l\/wy_firmwareds-2td6267-100c4l\/w_firmwareds-2cd2123g2-i\(s\)_firmwareds-2dy9236ix-a\(t3\)ids-2sk8144ixs-d\/jds-2td6267-100c4l\/wyds-2cd3763g2-izs_firmwareds-2cd3356g2-is\(u\)ds-2cd2026g2-iu\/sl_firmwareds-2cd2547g2-lsds-2cd3756g2-izsds-2cd2523g2-i\(s\)_firmwareds-2cd2143g2-i\(s\)_firmwareds-2dy9236i8x-a\(t3\)ds-2cd3186g2-is\(u\)_firmwareds-2td1117-2\/pads-2cd2666g2-izsu\/sl_firmwareds-2cd2121g1-i\(w\)ds-2cd2186g2-isu_firmwareds-2cd3156g2-is_firmwareids-2vs435-f840-ey\(t3\)ds-7108ni-q1\/m_firmwareds-2cd3326g2-isu\/sl_firmwareds-2cd3163g2-i\(s\)uds-7108ni-q1\/8p_firmwareds-7608ni-k1\/8p\/4gds-2cd2083g2-i\(u\)ds-2cd3363g2-iuds-2df8a442nxs-ael\(t5\)ds-2cd2783g2-izsds-2cd3056g2-isptz-n5225i-a_firmwareds-2cd2387g2-l\(u\)_firmwareids-2pt9a144mxs-d\/t2ds-2df8442ixs-aelwy\(t5\)_firmwareds-2df8a442ixs-af\/sp\(t5\)_firmwareds-2cd3063g2-iuds-2cd2163g2-iu_firmwareds-2cd2326g2-isu\/sl_firmwareds-2cd3386g2-isds-2cd2087g2-l\(u\)ds-2cd2183g2-iuds-2cd2083g2-i\(u\)_firmwareds-2cd2346g2-isu\/sl_firmwareds-2df6a225x-ael\)t3\)_firmwareds-2cd2421g0-i\(d\)\(w\)_firmwareds-2cd2066g2-i\(u\)ds-2df8225ih-ael\(w\)_firmwareds-2df8242ix-ael\(t5\)_firmwareds-7616ni-q1_firmwareds-2cd2027g2-lu\/slds-2cd2347g2-l\(u\)_firmwareds-2xe6442f-izhrs\(b\)ds-2cd2183g2-i\(u\)_firmwareds-2df6a425x-ael\(t3\)ds-2cd2121g1_firmwareds-7604ni-q1ds-2cd3063g2-iu_firmwareptz-n2404i-de3_firmwareds-2df7232ix-ael\(t3\)ds-2xe6442f-izhrs\(b\)_firmwareds-2df6a436x-aely\(t5\)ds-2cd3356g2-is_firmwareds-2cd2327g2-l\(u\)ds-2cd3743g2-izs_firmwareds-760ni-k1\/4pds-2df8250i8x-ael\(t3\)ds-2df8425ix-aelw\(t5\)ds-2cd3056g2iu\/slds-2cd2386g2-isu\/slds-2xe6482f-izhrsds-2dy9236x-a\(t3\)ds-2df8250i8x-ael\(t3\)_firmwareds-2df5225x-ael\(t3\)_firmwareds-2cd2046g2-iu\/sl_firmwareds-2df8442ixs-aelw\(t5\)_firmwareds-2cd2666g2-izsu\/slds-2cd2763g2-izs_firmwareds-2cd2026g2-iu\/slds-2cd2121g1ds-2cd3143g2-i\(s\)uds-2cd3556g2-isds-2td1217b-6\/pa_firmwareds-2cd2143g2-iuds-2cd2326g2-isu\/slds-2cd2663g2-izsds-2cd3026g2-is_firmwareds-2cd2547g2-ls_firmwareds-2td1117-6\/pads-7604ni-k1\/4p\/4g_firmwareds-7104ni-q1\/4p\/m_firmwareds-2td4136t-9ds-2cd2347g2-lsu\/slds-2cd2623g2-izs_firmwareds-2td8166-150ze2f\/v2ptz-n2204i-de3ds-2td4137-25\/w_firmwareds-2td4137-50\/wds-7608ni-q1\/8pds-2cd2686g2-izs_firmwareds-2td6267-50h4l\/wds-2cd3356g2-isu\/sl_firmwareds-2df8425ix-aelw\(t3\)_firmwareds-2cd3156g2-is\(u\)ds-2cd2721g0-i\(z\)\(s\)ds-2df8225ih-ael_firmwareds-2df8425ix-aelw\(t3\)ds-2td8166-100c2f\/v2ds-2df8a442ixs-af\/sp\(t5\)ids-2sk718mxs-dn/aSecurity cameras web server
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-36380
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.64% / 99.84%
||
7 Day CHG~0.00%
Published-13 Aug, 2021 | 15:53
Updated-05 Nov, 2025 | 19:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-03-26||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi.

Action-Not Available
Vendor-sunhillon/asunhilloSunhillo
Product-surelinen/asurelineSureLine
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-36287
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-7.3||HIGH
EPSS-2.11% / 83.89%
||
7 Day CHG~0.00%
Published-08 Apr, 2022 | 19:50
Updated-16 Sep, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell VNX2 for file version 8.1.21.266 and earlier, contain an unauthenticated remote code execution vulnerability which may lead unauthenticated users to execute commands on the system.

Action-Not Available
Vendor-Dell Inc.
Product-vnxe1600vnx5600vnx5400vnx5800vnx_vg10emc_unity_operating_environmentvnx5200vnx_vg50vnx7600vnx8000VNX2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-52310
Matching Score-4
Assigner-Baidu, Inc.
ShareView Details
Matching Score-4
Assigner-Baidu, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.26% / 48.78%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 08:14
Updated-17 Apr, 2025 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command injection in get_online_pass_interval

PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.

Action-Not Available
Vendor-paddlepaddlePaddlePaddle
Product-paddlepaddlePaddlePaddle
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-51984
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-14.08% / 94.24%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 00:00
Updated-16 Jun, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR-822+ V1.0.2 was found to contain a command injection in SetStaticRouteSettings function. allows remote attackers to execute arbitrary commands via shell.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-822dir-822_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-52311
Matching Score-4
Assigner-Baidu, Inc.
ShareView Details
Matching Score-4
Assigner-Baidu, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.26% / 48.78%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 08:15
Updated-17 Jun, 2025 | 20:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command injection in _wget_download

PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating system.

Action-Not Available
Vendor-paddlepaddlePaddlePaddle
Product-paddlepaddlePaddlePaddle
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-52026
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.58% / 87.57%
||
7 Day CHG~0.00%
Published-12 Jan, 2024 | 00:00
Updated-11 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink EX1800T V9.1.0cu.2112_B20220316 was discovered to contain a remote command execution (RCE) vulnerability via the telnet_enabled parameter of the setTelnetCfg interface

Action-Not Available
Vendor-n/aTOTOLINK
Product-ex1800t_firmwareex1800tn/aex1800t
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-51028
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 53.91%
||
7 Day CHG~0.00%
Published-22 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 22:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK EX1800T 9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the apcliChannel parameter of the setWiFiExtenderConfig interface of the cstecgi.cgi.

Action-Not Available
Vendor-n/aTOTOLINK
Product-ex1800t_firmwareex1800tn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-50147
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.19% / 78.63%
||
7 Day CHG~0.00%
Published-22 Dec, 2023 | 00:00
Updated-28 Aug, 2024 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is an arbitrary command execution vulnerability in the setDiagnosisCfg function of the cstecgi .cgi of the TOTOlink A3700R router device in its firmware version V9.1.2u.5822_B20200513.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3700ra3700r_firmwaren/aa3700r_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-51099
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.88% / 82.95%
||
7 Day CHG~0.00%
Published-26 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda W9 V1.0.0.7(4456)_CN was discovered to contain a command injection vulnerability via the function formexeCommand .

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-w9_firmwarew9n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-51094
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.17% / 37.83%
||
7 Day CHG~0.00%
Published-26 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda M3 V1.0.0.12(4856) was discovered to contain a Command Execution vulnerability via the function TendaTelnet.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-m3m3_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-51033
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 53.91%
||
7 Day CHG~0.00%
Published-22 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 22:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary command execution via the cstecgi.cgi setOpModeCfg interface.

Action-Not Available
Vendor-n/aTOTOLINK
Product-ex1200l_firmwareex1200ln/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-50993
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.32% / 54.95%
||
7 Day CHG~0.00%
Published-20 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 22:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ruijie WS6008 v1.x v2.x AC_RGOS11.9(6)W3B2_G2C6-01_10221911 and WS6108 v1.x AC_RGOS11.9(6)W3B2_G2C6-01_10221911 was discovered to contain a command injection vulnerability via the function downFiles.

Action-Not Available
Vendor-n/aRuijie Networks Co., Ltd.
Product-rg-ws6008rg-ws6108rg-ws6008_firmwarerg-ws6108_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-35394
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.80% / 99.86%
||
7 Day CHG-0.42%
Published-16 Aug, 2021 | 11:07
Updated-07 Nov, 2025 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2021-12-24||Apply updates per vendor instructions.

Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.

Action-Not Available
Vendor-n/aRealtek Semiconductor Corp.
Product-rtl819x_jungle_software_development_kitn/aJungle Software Development Kit (SDK)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-51100
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.04% / 83.63%
||
7 Day CHG~0.00%
Published-26 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda W9 V1.0.0.7(4456)_CN was discovered to contain a command injection vulnerability via the function formGetDiagnoseInfo .

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-w9_firmwarew9n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-50651
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.42% / 90.02%
||
7 Day CHG~0.00%
Published-30 Dec, 2023 | 00:00
Updated-17 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK X6000R v9.4.0cu.852_B20230719 was discovered to contain a remote command execution (RCE) vulnerability via the component /cgi-bin/cstecgi.cgi.

Action-Not Available
Vendor-n/aTOTOLINK
Product-x6000r_firmwarex6000rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-51035
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.16% / 36.42%
||
7 Day CHG~0.00%
Published-22 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 22:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary command execution on the cstecgi.cgi NTPSyncWithHost interface.

Action-Not Available
Vendor-n/aTOTOLINK
Product-ex1200l_firmwareex1200ln/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-33962
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.83% / 87.98%
||
7 Day CHG~0.00%
Published-14 Jan, 2022 | 11:49
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

China Mobile An Lianbao WF-1 router v1.0.1 is affected by an OS command injection vulnerability in the web interface /api/ZRUsb/pop_usb_device component.

Action-Not Available
Vendor-chinamobileltdn/a
Product-an_lianbao_wf-1an_lianbao_wf_firmware-1n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-33990
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-49.86% / 97.77%
||
7 Day CHG~0.00%
Published-16 Apr, 2023 | 00:00
Updated-13 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-liferay_portaln/aportal
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-281
Improper Preservation of Permissions
CVE-2021-34082
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-13.29% / 94.05%
||
7 Day CHG~0.00%
Published-01 Jun, 2022 | 14:31
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS Command Injection vulnerability in allenhwkim proctree through 0.1.1 and commit 0ac10ae575459457838f14e21d5996f2fa5c7593 for Node.js, allows attackers to execute arbitrary commands via the fix function.

Action-Not Available
Vendor-proctree_projectn/a
Product-proctreen/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-34079
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.24% / 93.05%
||
7 Day CHG~0.00%
Published-01 Jun, 2022 | 14:31
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS Command injection vulnerability in Mintzo Docker-Tester through 1.2.1 allows attackers to execute arbitrary commands via shell metacharacters in the 'ports' entry of a crafted docker-compose.yml file.

Action-Not Available
Vendor-docker-tester_projectn/a
Product-docker-testern/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-45491
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.29% / 87.01%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 00:00
Updated-13 May, 2025 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter.

Action-Not Available
Vendor-n/aLinksys Holdings, Inc.
Product-e5600e5600_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-33841
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-10||CRITICAL
EPSS-1.48% / 80.78%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 11:50
Updated-16 Sep, 2024 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Circutor SGE-PLC1000 OS command Injection

SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges.

Action-Not Available
Vendor-circutorCircutor
Product-sge-plc1000_firmwaresge-plc1000SGE-PLC1000
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-34351
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.21% / 78.85%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 00:45
Updated-16 Sep, 2024 | 22:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability in QVR

A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210803 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvrQVR
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-34348
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.90% / 75.41%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 00:45
Updated-16 Sep, 2024 | 22:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability in QVR

A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210803 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvrQVR
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-34080
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-14.69% / 94.38%
||
7 Day CHG~0.00%
Published-01 Jun, 2022 | 14:31
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS Command Injection vulnerability in es128 ssl-utils 1.0.0 for Node.js allows attackers to execute arbitrary commands via unsanitized shell metacharacters provided to the createCertRequest() and the createCert() functions.

Action-Not Available
Vendor-ssl-utils_projectn/a
Product-ssl-utilsn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-44882
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.32% / 87.09%
||
7 Day CHG~0.00%
Published-20 May, 2025 | 00:00
Updated-30 May, 2025 | 01:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the component /cgi-bin/firewall.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wl-wn579a3_firmwarewl-wn579a3n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-34084
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-14.69% / 94.38%
||
7 Day CHG~0.00%
Published-01 Jun, 2022 | 14:31
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata() function.

Action-Not Available
Vendor-s3-uploader_projectn/a
Product-s3-uploadern/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-34111
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.01% / 88.28%
||
7 Day CHG~0.00%
Published-20 May, 2022 | 02:10
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.

Action-Not Available
Vendor-thecusn/a
Product-n4800econ4800eco_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-43984
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.37% / 58.71%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 00:00
Updated-15 Aug, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on KuWFi GC111 devices (Hardware Version: CPE-LM321_V3.2, Software Version: GC111-GL-LM321_V3.0_20191211). They are vulnerable to unauthenticated /goform/goform_set_cmd_process requests. A crafted POST request, using the SSID parameter, allows remote attackers to execute arbitrary OS commands with root privileges.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-34352
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-7.2||HIGH
EPSS-4.18% / 88.54%
||
7 Day CHG~0.00%
Published-01 Oct, 2021 | 02:50
Updated-17 Sep, 2024 | 00:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability in QVR

A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210902 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvrQVR
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-44880
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.32% / 87.09%
||
7 Day CHG~0.00%
Published-20 May, 2025 | 00:00
Updated-30 May, 2025 | 01:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the component /cgi-bin/adm.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wl-wn579a3_firmwarewl-wn579a3n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-32531
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.44% / 80.52%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 14:12
Updated-17 Sep, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QSAN XEVO - Command Injection Following via Init function

OS command injection vulnerability in Init function in QSAN XEVO allows remote attackers to execute arbitrary commands without permissions. The referred vulnerability has been solved with the updated version of QSAN XEVO v2.1.0.

Action-Not Available
Vendor-qsanQSAN
Product-xevoXEVO
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-32673
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-1.80% / 82.56%
||
7 Day CHG~0.00%
Published-08 Jun, 2021 | 17:00
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Command Execution in reg-keygen-git-hash-plugin

reg-keygen-git-hash-plugin is a reg-suit plugin to detect the snapshot key to be compare with using Git commit hash. reg-keygen-git-hash-plugin through and including 0.10.15 allow remote attackers to execute of arbitrary commands. Upgrade to version 0.10.16 or later to resolve this issue.

Action-Not Available
Vendor-reg-keygen-git-hash_projectreg-viz
Product-reg-keygen-git-hashreg-suit
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-32512
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.17% / 78.52%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 14:11
Updated-16 Sep, 2024 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QSAN Storage Manager - Command Injection Following via QuickInstall function

QuickInstall in QSAN Storage Manager does not filter special parameters properly that allows remote unauthenticated attackers to inject and execute arbitrary commands. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3.

Action-Not Available
Vendor-qsanQSAN
Product-storage_managerStorage Manager
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-32974
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.84% / 74.55%
||
7 Day CHG~0.00%
Published-01 Apr, 2022 | 22:17
Updated-16 Apr, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Moxa NPort IAW5000A-I/O Series Serial Device Server Improper Input Validation

Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands.

Action-Not Available
Vendor-Moxa Inc.
Product-nport_iaw5150a-12i\/o_firmwarenport_iaw5250a-6i\/onport_iaw5150a-6i\/o_firmwarenport_iaw5150a-6i\/onport_iaw5250a-6i\/o_firmwarenport_iaw5250a-12i\/onport_iaw5150a-12i\/onport_iaw5250a-12i\/o_firmwareNPort IAW5000A-I/O series firmware
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-32513
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.17% / 78.52%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 14:11
Updated-16 Sep, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QSAN Storage Manager - Command Injection Following via QsanTorture function

QsanTorture in QSAN Storage Manager does not filter special parameters properly that allows remote unauthenticated attackers to inject and execute arbitrary commands. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3.

Action-Not Available
Vendor-qsanQSAN
Product-storage_managerStorage Manager
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-45858
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.77% / 91.18%
||
7 Day CHG-0.63%
Published-13 May, 2025 | 00:00
Updated-23 May, 2025 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3002ra3002r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-32605
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-21.91% / 95.67%
||
7 Day CHG~0.00%
Published-11 May, 2021 | 22:25
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an "if" "end if" block.

Action-Not Available
Vendor-zzzcmsn/a
Product-zzzphpn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-33357
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-92.88% / 99.77%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 17:51
Updated-03 Aug, 2024 | 23:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.

Action-Not Available
Vendor-raspapn/a
Product-raspapn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-32682
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-92.77% / 99.76%
||
7 Day CHG~0.00%
Published-14 Jun, 2021 | 16:45
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple vulnerabilities leading to RCE

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

Action-Not Available
Vendor-std42Studio-42
Product-elfinderelFinder
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-44635
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.87% / 74.99%
||
7 Day CHG+0.09%
Published-20 Jun, 2025 | 00:00
Updated-24 Jun, 2025 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There are multiple unauthorized remote command execution vulnerabilities in the H3C ER2200G2, ERG2-450W, ERG2-1200W, ERG2-1350W, NR1200W series routers before ERG2AW-MNW100-R1117; H3C ER3100G2, ER3200G2, ER3260G2, ER5100G2, ER5200G2, ER6300G2, ER8300G2, ER8300G2-X series routers before ERHMG2-MNW100-R1126; GR3200, GR5200, GR8300 and other series routers before MiniGR1B0V100R018L50; GR-1800AX before MiniGRW1B0V100R009L50; GR-3000AX before SWBRW1A0V100R007L50; and GR-5400AX before SWBRW1B0V100R009L50. Attackers can bypass authentication by including specially crafted text in the request URL or message header, and then inject arbitrary malicious commands into some fields related to ACL access control list and user group functions and execute to obtain the highest ROOT privileges of remote devices, thereby completely taking over the remote target devices.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-32933
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-10||CRITICAL
EPSS-0.30% / 52.68%
||
7 Day CHG~0.00%
Published-01 Apr, 2022 | 22:17
Updated-16 Apr, 2025 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MDT AutoSave Command Injection

An attacker could leverage an API to pass along a malicious file that could then manipulate the process creation command line in MDT AutoSave versions prior to v6.02.06 and run a command line argument. This could then be leveraged to run a malicious process.

Action-Not Available
Vendor-auvesy-mdtMDT Software
Product-autosaveautosave_for_system_platformA4SPAutoSave for System Platform (A4SP)MDT AutoSave
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-33191
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-3.34% / 87.13%
||
7 Day CHG~0.00%
Published-24 Aug, 2021 | 11:20
Updated-03 Aug, 2024 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MiNiFi CPP arbitrary script execution is possible on the agent's host machine through the c2 protocol

From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command which was designed to patch the application binary. This "patching" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a "c2-update" command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0

Action-Not Available
Vendor-The Apache Software Foundation
Product-nifi_minifi_c\+\+Apache NiFi - MiNiFi C++
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-32305
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-92.35% / 99.73%
||
7 Day CHG-0.83%
Published-18 May, 2021 | 16:11
Updated-03 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.

Action-Not Available
Vendor-websvnn/a
Product-websvnn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-33055
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-21.78% / 95.66%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 18:12
Updated-03 Aug, 2024 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.Microsoft Corporation
Product-manageengine_adselfservice_pluswindowsn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • ...
  • 18
  • 19
  • 20
  • ...
  • 27
  • 28
  • Next
Details not found