Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-7785

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-04 May, 2026 | 23:45
Updated At-05 May, 2026 | 12:38
Rejected At-
Credits

A-G-U-P-T-A wireshark-mcp pyshark_mcp.py quick_capture os command injection

A security flaw has been discovered in A-G-U-P-T-A wireshark-mcp edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89. This affects the function quick_capture of the file pyshark_mcp.py. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:04 May, 2026 | 23:45
Updated At:05 May, 2026 | 12:38
Rejected At:
â–¼CVE Numbering Authority (CNA)
A-G-U-P-T-A wireshark-mcp pyshark_mcp.py quick_capture os command injection

A security flaw has been discovered in A-G-U-P-T-A wireshark-mcp edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89. This affects the function quick_capture of the file pyshark_mcp.py. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

Affected Products
Vendor
A-G-U-P-T-A
Product
wireshark-mcp
Versions
Affected
  • 400c3da70074f22f3cce7ccb65304cafc7089c89
  • edaf604416fbc94a201b4043092d4a1b09a12275
Problem Types
TypeCWE IDDescription
CWECWE-78OS Command Injection
CWECWE-77Command Injection
Type: CWE
CWE ID: CWE-78
Description: OS Command Injection
Type: CWE
CWE ID: CWE-77
Description: Command Injection
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3.07.3HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2.07.5N/A
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 3.0
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 2.0
Base score: 7.5
Base severity: N/A
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
CPT_Penner (VulDB User)
coordinator
VulDB CNA Team
Timeline
EventDate
Advisory disclosed2026-05-04 00:00:00
VulDB entry created2026-05-04 02:00:00
VulDB entry last update2026-05-04 18:09:41
Event: Advisory disclosed
Date: 2026-05-04 00:00:00
Event: VulDB entry created
Date: 2026-05-04 02:00:00
Event: VulDB entry last update
Date: 2026-05-04 18:09:41
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/vuln/360985
vdb-entry
technical-description
https://vuldb.com/vuln/360985/cti
signature
permissions-required
https://vuldb.com/submit/807745
third-party-advisory
https://github.com/A-G-U-P-T-A/wireshark-mcp/issues/1
exploit
issue-tracking
https://github.com/A-G-U-P-T-A/wireshark-mcp/
product
Hyperlink: https://vuldb.com/vuln/360985
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/vuln/360985/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/submit/807745
Resource:
third-party-advisory
Hyperlink: https://github.com/A-G-U-P-T-A/wireshark-mcp/issues/1
Resource:
exploit
issue-tracking
Hyperlink: https://github.com/A-G-U-P-T-A/wireshark-mcp/
Resource:
product
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:05 May, 2026 | 00:16
Updated At:05 May, 2026 | 19:10

A security flaw has been discovered in A-G-U-P-T-A wireshark-mcp edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89. This affects the function quick_capture of the file pyshark_mcp.py. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.5MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Secondary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Secondary
Version: 4.0
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-77Primarycna@vuldb.com
CWE-78Primarycna@vuldb.com
CWE ID: CWE-77
Type: Primary
Source: cna@vuldb.com
CWE ID: CWE-78
Type: Primary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/A-G-U-P-T-A/wireshark-mcp/cna@vuldb.com
N/A
https://github.com/A-G-U-P-T-A/wireshark-mcp/issues/1cna@vuldb.com
N/A
https://vuldb.com/submit/807745cna@vuldb.com
N/A
https://vuldb.com/vuln/360985cna@vuldb.com
N/A
https://vuldb.com/vuln/360985/cticna@vuldb.com
N/A
Hyperlink: https://github.com/A-G-U-P-T-A/wireshark-mcp/
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/A-G-U-P-T-A/wireshark-mcp/issues/1
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/807745
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/360985
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/360985/cti
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

700Records found
CVE-2022-26212
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-17.34% / 95.08%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDeviceName, via the deviceMac and deviceName parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3000rua950rg_firmwarea950rga800r_firmwarea3100ra3000ru_firmwarea830ra800ra830r_firmwarea810ra810r_firmwarea3100r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-38834
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.3||HIGH
EPSS-13.21% / 94.17%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 00:00
Updated-27 Apr, 2026 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-w30e_firmwarew30en/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-26188
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-19.44% / 95.42%
||
7 Day CHG~0.00%
Published-22 Mar, 2022 | 20:13
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via /setting/NTPSyncWithHost.

Action-Not Available
Vendor-n/aTOTOLINK
Product-n600r_firmwaren600rn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-26189
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-19.44% / 95.42%
||
7 Day CHG~0.00%
Published-22 Mar, 2022 | 20:13
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the langType parameter in the login interface.

Action-Not Available
Vendor-n/aTOTOLINK
Product-n600r_firmwaren600rn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-25621
Matching Score-4
Assigner-NEC Corporation
ShareView Details
Matching Score-4
Assigner-NEC Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.96% / 76.55%
||
7 Day CHG~0.00%
Published-11 Mar, 2022 | 17:54
Updated-03 Aug, 2024 | 04:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

UUNIVERGE WA 1020 Ver8.2.11 and prior, UNIVERGE WA 1510 Ver8.2.11 and prior, UNIVERGE WA 1511 Ver8.2.11 and prior, UNIVERGE WA 1512 Ver8.2.11 and prior, UNIVERGE WA 2020 Ver8.2.11 and prior, UNIVERGE WA 2021 Ver8.2.11 and prior, UNIVERGE WA 2610-AP Ver8.2.11 and prior, UNIVERGE WA 2611-AP Ver8.2.11 and prior, UNIVERGE WA 2611E-AP Ver8.2.11 and prior, UNIVERGE WA WA2612-AP Ver8.2.11 and prior allows a remote attacker to execute arbitrary OS commands.

Action-Not Available
Vendor-NEC Platforms, Ltd.NEC Corporation
Product-univerge_wa2020univerge_wa2611-ap_firmwareuniverge_wa2610-ap_firmwareuniverge_wa1511_firmwareuniverge_wa2611-apuniverge_wa1510_firmwareuniverge_wa1020univerge_wa2612-apuniverge_wa2612-ap_firmwareuniverge_wa2020_firmwareuniverge_wa1510univerge_wa2610-apuniverge_wa1512_firmwareuniverge_wa1512univerge_wa1511univerge_wa2021univerge_wa1020_firmwareuniverge_wa2021_firmwareuniverge_wa2611e-apuniverge_wa2611e-ap_firmwareUNIVERGE DT
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25079
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.66% / 90.42%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A810R V4.1.2cu.5182_B20201026 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a810r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25133
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.46% / 89.13%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 23:09
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the function isAssocPriDevice of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t6t6_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-25136
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.46% / 89.13%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 23:09
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t10_firmwaret10t6t6_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-25077
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-51.03% / 97.88%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A3100R V4.1.2cu.5050_B20200504 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3100ra3100r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25081
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.66% / 90.42%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink T10 V5.9c.5061_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t10_v2t10_v2_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25076
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.66% / 90.42%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A800R V4.1.2cu.5137_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a800r_firmwarea800rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25137
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.46% / 89.13%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 23:09
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the function recvSlaveUpgstatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t10_firmwaret10t6t6_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-25064
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-63.10% / 98.41%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 19:38
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-tl-wr840n_firmwaretl-wr840nn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25084
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-84.25% / 99.32%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink T6 V5.9c.4085_B20190428 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t6t6_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25131
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.46% / 89.13%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 23:09
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the function recvSlaveCloudCheckStatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t10_firmwaret10t6t6_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-11488
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.39% / 59.79%
||
7 Day CHG+0.05%
Published-08 Oct, 2025 | 18:02
Updated-08 Oct, 2025 | 19:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-852 HNAP1 command injection

A weakness has been identified in D-Link DIR-852 up to 20251002. This affects an unknown part of the file /HNAP1/. Executing manipulation can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-D-Link Corporation
Product-DIR-852
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-19950
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-3.36% / 87.39%
||
7 Day CHG~0.00%
Published-02 Nov, 2020 | 15:57
Updated-17 Sep, 2024 | 02:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

If exploited, this command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-music_stationqtsMusic Station
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25082
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-89.57% / 99.56%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a950rga950rg_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25075
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-42.09% / 97.46%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3000ru_firmwarea3000run/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25263
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.01% / 2.10%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 19:59
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-teamcityn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25130
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.46% / 89.13%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 23:09
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the function updateWifiInfo of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t10_firmwaret10t6t6_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-25061
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-86.03% / 99.40%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 19:39
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-tl-wr840n_firmwaretl-wr840nn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25132
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.46% / 89.13%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 23:09
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the function meshSlaveDlfw of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t10_firmwaret10t6t6_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-24167
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.33% / 88.96%
||
7 Day CHG~0.00%
Published-04 Feb, 2022 | 01:33
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetDMZ. This vulnerability allows attackers to execute arbitrary commands via the dmzHost1 parameter.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-g3g1_firmwareg1g3_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-17228
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.05% / 83.95%
||
7 Day CHG~0.00%
Published-19 Sep, 2018 | 21:00
Updated-16 Sep, 2024 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

nmap4j 1.1.0 allows attackers to execute arbitrary commands via shell metacharacters in an includeHosts call.

Action-Not Available
Vendor-nmap4j_projectn/a
Product-nmap4jn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-24148
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.14% / 92.71%
||
7 Day CHG~0.00%
Published-04 Feb, 2022 | 01:33
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function mDMZSetCfg. This vulnerability allows attackers to execute arbitrary commands via the dmzIp parameter.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-ax3ax3_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-23389
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.93% / 88.38%
||
7 Day CHG~0.00%
Published-14 Feb, 2022 | 20:48
Updated-03 Aug, 2024 | 03:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PublicCMS v4.0 was discovered to contain a remote code execution (RCE) vulnerability via the cmdarray parameter.

Action-Not Available
Vendor-publiccmsn/a
Product-publiccmsn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-24065
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-8.1||HIGH
EPSS-2.22% / 84.60%
||
7 Day CHG+0.45%
Published-03 Jun, 2022 | 20:00
Updated-17 Sep, 2024 | 00:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Action-Not Available
Vendor-cookiecutter_projectn/aFedora Project
Product-cookiecutterfedoracookiecutter
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-24168
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.33% / 88.96%
||
7 Day CHG~0.00%
Published-04 Feb, 2022 | 01:32
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetIpGroup. This vulnerability allows attackers to execute arbitrary commands via the IPGroupStartIP and IPGroupEndIP parameters.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-g3g1_firmwareg1g3_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-11045
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.43% / 62.72%
||
7 Day CHG-0.03%
Published-26 Sep, 2025 | 20:32
Updated-29 Sep, 2025 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WAYOS LQ_04/LQ_05/LQ_06/LQ_07/LQ_09 usb_paswd.asp command injection

A vulnerability was identified in WAYOS LQ_04, LQ_05, LQ_06, LQ_07 and LQ_09 22.03.17. This affects an unknown function of the file /usb_paswd.asp. The manipulation of the argument Name leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

Action-Not Available
Vendor-WAYOS
Product-LQ_04LQ_05LQ_07LQ_06LQ_09
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-23900
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.85% / 90.59%
||
7 Day CHG~0.00%
Published-07 Apr, 2022 | 10:19
Updated-03 Aug, 2024 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the API of the Wavlink WL-WN531P3 router, version M31G3.V5030.201204, allows an attacker to achieve unauthorized remote code execution via a malicious POST request through /cgi-bin/adm.cgi.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wl-wn531p3_firmwarewl-wn531p3n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-1999-0039
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.3||HIGH
EPSS-20.73% / 95.63%
||
7 Day CHG~0.00%
Published-29 Sep, 1999 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.

Action-Not Available
Vendor-n/aSilicon Graphics, Inc.
Product-irixn/airix
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-24150
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.14% / 92.71%
||
7 Day CHG~0.00%
Published-04 Feb, 2022 | 01:33
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function formSetSafeWanWebMan. This vulnerability allows attackers to execute arbitrary commands via the remoteIp parameter.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-ax3ax3_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-11229
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.66% / 87.94%
||
7 Day CHG~0.00%
Published-08 Jun, 2018 | 01:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC devices before 2.001.0037.001 allow unauthenticated remote code execution via command injection in Crestron Toolbox Protocol (CTP).

Action-Not Available
Vendor-n/aCrestron Electronics, Inc.
Product-dmc-strtsw-760tsw-1060-nctsw-760-nctsw-560tsw-1060tsw-560-nccrestron_toolbox_protocol_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11143
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-19.32% / 95.40%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 1 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-24170
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-15.55% / 94.71%
||
7 Day CHG~0.00%
Published-04 Feb, 2022 | 01:32
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetIpSecTunnel. This vulnerability allows attackers to execute arbitrary commands via the IPsecLocalNet and IPsecRemoteNet parameters.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-g3g1_firmwareg1g3_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-10359
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.61% / 69.96%
||
7 Day CHG+0.35%
Published-13 Sep, 2025 | 13:02
Updated-02 Oct, 2025 | 20:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wavlink WL-WN578W2 wireless.cgi sub_404DBC os command injection

A vulnerability was detected in Wavlink WL-WN578W2 221110. This impacts the function sub_404DBC of the file /cgi-bin/wireless.cgi. The manipulation of the argument macAddr results in os command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn578w2_firmwarewl-wn578w2WL-WN578W2
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11215
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.06% / 86.79%
||
7 Day CHG~0.00%
Published-03 Jul, 2019 | 15:46
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Remote code execution is possible in Cloudera Data Science Workbench version 1.3.0 and prior releases via unspecified attack vectors.

Action-Not Available
Vendor-clouderan/a
Product-data_science_workbenchn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-1000885
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-24.22% / 96.11%
||
7 Day CHG~0.00%
Published-20 Dec, 2018 | 20:00
Updated-16 Sep, 2024 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHKP version including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b contains a Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in function pgp_exec() phkp.php:98 that can result in It is possible to manipulate gpg-keys or execute commands remotely. This attack appear to be exploitable via HKP-Api: /pks/lookup?search.

Action-Not Available
Vendor-phkp_projectn/a
Product-phkpn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-10323
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.54% / 67.71%
||
7 Day CHG~0.00%
Published-12 Sep, 2025 | 19:02
Updated-02 Oct, 2025 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wavlink WL-WN578W2 wizard_rep.shtml sub_409184 command injection

A vulnerability was found in Wavlink WL-WN578W2 221110. The impacted element is the function sub_409184 of the file /wizard_rep.shtml. The manipulation of the argument sel_EncrypTyp results in command injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn578w2_firmwarewl-wn578w2WL-WN578W2
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-10324
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.54% / 67.71%
||
7 Day CHG~0.00%
Published-12 Sep, 2025 | 19:32
Updated-02 Oct, 2025 | 19:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wavlink WL-WN578W2 firewall.cgi sub_401C5C command injection

A vulnerability was determined in Wavlink WL-WN578W2 221110. This affects the function sub_401C5C of the file firewall.cgi. This manipulation of the argument pingFrmWANFilterEnabled/blockSynFloodEnabled/blockPortScanEnabled/remoteManagementEnabled causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn578w2_firmwarewl-wn578w2WL-WN578W2
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-9916
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-83.57% / 99.29%
||
7 Day CHG~0.00%
Published-13 Oct, 2024 | 19:00
Updated-16 Oct, 2024 | 22:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HuangDou UTCMS cli.php os command injection

A vulnerability, which was classified as critical, has been found in HuangDou UTCMS V9. Affected by this issue is some unknown functionality of the file app/modules/ut-cac/admin/cli.php. The manipulation of the argument o leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-usualtoolHuangDouhuangdou
Product-usualtoolcmsUTCMSutcms
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-0729
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-3.54% / 87.73%
||
7 Day CHG~0.00%
Published-04 Dec, 2019 | 16:33
Updated-05 Aug, 2024 | 03:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This command injection vulnerability in Music Station allows attackers to execute commands on the affected device. To fix the vulnerability, QNAP recommend updating Music Station to their latest versions.

Action-Not Available
Vendor-n/aQNAP Systems, Inc.
Product-music_stationqtsQNAP NAS devices
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-0718
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-5.73% / 90.48%
||
7 Day CHG~0.00%
Published-14 Sep, 2018 | 13:00
Updated-16 Sep, 2024 | 20:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Command injection vulnerability in Music Station 5.1.2 and earlier versions in QNAP QTS 4.3.3 and 4.3.4 could allow remote attackers to run arbitrary commands in the compromised application.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-music_stationqtsMusic Station
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-22273
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.86% / 75.18%
||
7 Day CHG~0.00%
Published-17 Mar, 2022 | 01:40
Updated-03 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of Special Elements leading to OS Command Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products and older firmware versions of Secure Mobile Access (SMA) 100 series products, specifically the SRA appliances running all 8.x, 9.0.0.5-19sv and earlier versions and Secure Mobile Access (SMA) 100 series products running older firmware 9.0.0.9-26sv and earlier versions

Action-Not Available
Vendor-SonicWall Inc.
Product-sma_410_firmwaresra_4600sma_210sma_410sra_1200sma_500v_firmwaresma_500vsra_4200_firmwaresma_200_firmwaresra_4600_firmwaresma_200sma_400sra_1600_firmwaresra_1200_firmwaresma_400_firmwaresra_4200sra_1600sma_210_firmwareSonicWall SRA/SMA100srasma_100
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-24193
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-19.34% / 95.40%
||
7 Day CHG~0.00%
Published-07 Mar, 2022 | 12:48
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CasaOS before v0.2.7 was discovered to contain a command injection vulnerability.

Action-Not Available
Vendor-icewhalen/a
Product-casaosn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2017-9736
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.14% / 88.70%
||
7 Day CHG~0.00%
Published-17 Jun, 2017 | 16:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.

Action-Not Available
Vendor-spipn/a
Product-spipn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-4059
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-2.08% / 84.06%
||
7 Day CHG~0.00%
Published-18 Jun, 2020 | 19:25
Updated-04 Aug, 2024 | 07:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection in mversion

In mversion before 2.0.0, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This vulnerability is patched by version 2.0.0. Previous releases are deprecated in npm. As a workaround, make sure to escape git commit messages when using the commitMessage option for the update function.

Action-Not Available
Vendor-mversion_projectmikaelbr
Product-mversionmversion
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2020-5282
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.2||HIGH
EPSS-0.32% / 54.63%
||
7 Day CHG~0.00%
Published-25 Mar, 2020 | 18:15
Updated-04 Aug, 2024 | 08:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
arbitrary shell execution in Nick Chan Bot

In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. This allows arbitrary shell execution,which can compromise the bot This is patched in version 1.0.0-beta

Action-Not Available
Vendor-nick_chan_bot_projectNick Chan
Product-nick_chan_botnickchanbot
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-33314
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.1||CRITICAL
EPSS-0.91% / 75.98%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 19:05
Updated-15 Apr, 2025 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/action/import_sdk_file/` API is affected by command injection vulnerability.

Action-Not Available
Vendor-robustelRobustel
Product-r1510_firmwarer1510R1510
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 13
  • 14
  • Next
Details not found