Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-9405

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-24 May, 2026 | 23:15
Updated At-26 May, 2026 | 16:10
Rejected At-
Credits

Totolink A8000RU Web Management cstecgi.cgi setGameSpeedCfg os command injection

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:24 May, 2026 | 23:15
Updated At:26 May, 2026 | 16:10
Rejected At:
▼CVE Numbering Authority (CNA)
Totolink A8000RU Web Management cstecgi.cgi setGameSpeedCfg os command injection

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.

Affected Products
Vendor
TOTOLINKTotolink
Product
A8000RU
CPEs
  • cpe:2.3:o:totolink:a8000ru_firmware:*:*:*:*:*:*:*:*
Modules
  • Web Management Interface
Versions
Affected
  • 7.1cu.643_b20200521
Problem Types
TypeCWE IDDescription
CWECWE-78OS Command Injection
CWECWE-77Command Injection
Type: CWE
CWE ID: CWE-78
Description: OS Command Injection
Type: CWE
CWE ID: CWE-77
Description: Command Injection
Metrics
VersionBase scoreBase severityVector
4.09.3CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
3.09.8CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
2.010.0N/A
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR
Version: 4.0
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Version: 3.0
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Version: 2.0
Base score: 10.0
Base severity: N/A
Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
LtzHuster (VulDB User)
Timeline
EventDate
Advisory disclosed2026-05-24 00:00:00
VulDB entry created2026-05-24 02:00:00
VulDB entry last update2026-05-24 08:32:39
Event: Advisory disclosed
Date: 2026-05-24 00:00:00
Event: VulDB entry created
Date: 2026-05-24 02:00:00
Event: VulDB entry last update
Date: 2026-05-24 08:32:39
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/vuln/365386
vdb-entry
technical-description
https://vuldb.com/vuln/365386/cti
signature
permissions-required
https://vuldb.com/submit/813440
third-party-advisory
https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_337/README.md
exploit
https://www.totolink.net/
product
Hyperlink: https://vuldb.com/vuln/365386
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/vuln/365386/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/submit/813440
Resource:
third-party-advisory
Hyperlink: https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_337/README.md
Resource:
exploit
Hyperlink: https://www.totolink.net/
Resource:
product
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:25 May, 2026 | 00:16
Updated At:26 May, 2026 | 18:59

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.9HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary2.010.0HIGH
AV:N/AC:L/Au:N/C:C/I:C/A:C
Type: Secondary
Version: 4.0
Base score: 8.9
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 2.0
Base score: 10.0
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-77Primarycna@vuldb.com
CWE-78Primarycna@vuldb.com
CWE ID: CWE-77
Type: Primary
Source: cna@vuldb.com
CWE ID: CWE-78
Type: Primary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_337/README.mdcna@vuldb.com
N/A
https://vuldb.com/submit/813440cna@vuldb.com
N/A
https://vuldb.com/vuln/365386cna@vuldb.com
N/A
https://vuldb.com/vuln/365386/cticna@vuldb.com
N/A
https://www.totolink.net/cna@vuldb.com
N/A
Hyperlink: https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_337/README.md
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/813440
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/365386
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/365386/cti
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://www.totolink.net/
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2659Records found
CVE-2023-39834
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.94% / 76.50%
||
7 Day CHG~0.00%
Published-24 Aug, 2023 | 00:00
Updated-03 Oct, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PbootCMS below v3.2.0 was discovered to contain a command injection vulnerability via create_function.

Action-Not Available
Vendor-pbootcmsn/a
Product-pbootcmsn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-39637
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.96% / 76.66%
||
7 Day CHG~0.00%
Published-12 Sep, 2023 | 00:00
Updated-26 Sep, 2024 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR-816 A2 1.10 B05 was discovered to contain a command injection vulnerability via the component /goform/Diagnosis.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-816_firmwaredir-816n/adir-816_a2
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-37346
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-54.64% / 98.07%
||
7 Day CHG~0.00%
Published-13 Aug, 2021 | 11:30
Updated-04 Aug, 2024 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralisation of special elements used in an OS Command (OS Command injection).

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xi_watchguard_wizardn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-37344
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-57.02% / 98.17%
||
7 Day CHG~0.00%
Published-13 Aug, 2021 | 11:32
Updated-04 Aug, 2024 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection).

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xi_switch_wizardn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28912
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.26% / 93.26%
||
7 Day CHG-1.01%
Published-10 May, 2022 | 13:17
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/setUpgradeFW.

Action-Not Available
Vendor-n/aTOTOLINK
Product-n600r_firmwaren600rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28905
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.26% / 93.26%
||
7 Day CHG-1.01%
Published-10 May, 2022 | 13:16
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the devicemac parameter in /setting/setDeviceName.

Action-Not Available
Vendor-n/aTOTOLINK
Product-n600r_firmwaren600rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8127
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.38% / 85.18%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 09:31
Updated-27 Aug, 2024 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 HTTP POST Request webfile_mgr.cgi cgi_unzip command injection

A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This vulnerability affects the function cgi_unzip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-327ldns-320lw_firmwaredns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-343_firmwarednr-202l_firmwaredns-320lw_firmwaredns-323_firmwaredns-320_firmwaredns-315l_firmwaredns-321_firmwaredns-320l_firmwarednr-322l_firmwaredns-325_firmwaredns-120_firmwaredns-326_firmwaredns-1550-04_firmwaredns-1200-05_firmwaredns-340l_firmwaredns-726-4_firmwaredns-345_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-36380
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.64% / 99.85%
||
7 Day CHG~0.00%
Published-13 Aug, 2021 | 15:53
Updated-05 Nov, 2025 | 19:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-03-26||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi.

Action-Not Available
Vendor-sunhillon/asunhilloSunhillo
Product-surelinen/asurelineSureLine
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-36287
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-7.3||HIGH
EPSS-2.11% / 84.33%
||
7 Day CHG~0.00%
Published-08 Apr, 2022 | 19:50
Updated-16 Sep, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell VNX2 for file version 8.1.21.266 and earlier, contain an unauthenticated remote code execution vulnerability which may lead unauthenticated users to execute commands on the system.

Action-Not Available
Vendor-Dell Inc.
Product-vnxe1600vnx5600vnx5400vnx5800vnx_vg10emc_unity_operating_environmentvnx5200vnx_vg50vnx7600vnx8000VNX2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-36706
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-13.08% / 94.20%
||
7 Day CHG~0.00%
Published-06 Aug, 2021 | 13:19
Updated-04 Aug, 2024 | 01:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In ProLink PRC2402M V1.0.18 and older, the set_sys_cmd function in the adm.cgi binary, accessible with a page parameter value of sysCMD contains a trivial command injection where the value of the command parameter is passed directly to system.

Action-Not Available
Vendor-prolinkn/a
Product-prc2402m_firmwareprc2402mn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-28582
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-18.71% / 95.38%
||
7 Day CHG~0.00%
Published-05 May, 2022 | 17:44
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It is found that there is a command injection vulnerability in the setWiFiSignalCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-6530
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.29% / 99.95%
||
7 Day CHG~0.00%
Published-06 Mar, 2018 | 20:00
Updated-07 Nov, 2025 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-09-29||The vendor D-Link published an advisory stating the fix under CVE-2018-20114 properly patches KEV entry CVE-2018-6530. If the device is still supported, apply updates per vendor instructions. If the affected device has since entered its end-of-life, it should be disconnected if still in use.

OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-865ldir-880ldir-868l_firmwaredir-868ldir-860l_firmwaredir-880l_firmwaredir-860ldir-865l_firmwaren/aMultiple Routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-36953
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.36% / 87.49%
||
7 Day CHG~0.00%
Published-16 Oct, 2023 | 00:00
Updated-16 Sep, 2024 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK CP300+ V5.2cu.7594_B20200910 and before is vulnerable to command injection.

Action-Not Available
Vendor-n/aTOTOLINK
Product-cp300\+cp300\+_firmwaren/acp300\+_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-38690
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.18% / 38.82%
||
7 Day CHG~0.00%
Published-04 Aug, 2023 | 16:31
Updated-08 Oct, 2024 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
matrix-appservice-irc IRC command injection via admin commands containing newlines

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge bot. Versions 1.0.1 and above are patched. There are no robust workarounds to the bug. One may disable dynamic channels in the config to disable the most common execution method but others may exist.

Action-Not Available
Vendor-The Matrix.org Foundation
Product-matrix_irc_bridgematrix-appservice-ircmatrix-appservice-irc
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-20
Improper Input Validation
CVE-2018-6342
Matching Score-4
Assigner-Meta Platforms, Inc.
ShareView Details
Matching Score-4
Assigner-Meta Platforms, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.79% / 74.14%
||
7 Day CHG~0.00%
Published-31 Dec, 2018 | 22:00
Updated-06 May, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Action-Not Available
Vendor-Microsoft CorporationFacebook
Product-react-dev-utilswindowsreact-dev-utils
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-22836
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-38.20% / 97.29%
||
7 Day CHG~0.00%
Published-08 Feb, 2024 | 00:00
Updated-20 Jun, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.

Action-Not Available
Vendor-n/aAkaunting Inc.
Product-akauntingn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-35978
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.07% / 92.23%
||
7 Day CHG~0.00%
Published-10 Dec, 2021 | 12:18
Updated-04 Aug, 2024 | 00:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker (with knowledge of the protocol) to execute arbitrary code on the controller including overwriting firmware, adding/removing users, disabling the internal firewall, etc.

Action-Not Available
Vendor-digin/a
Product-transport_vc74transport_dr64transport_wr11_firmwaretransport_wr21transport_sr44transport_wr21_firmwaretransport_wr31transport_wr41transport_wr44transport_vc74_firmwaretransport_wr31_firmwaretransport_wr11_xttransport_wr11transport_dr64_firmwaretransport_wr41_firmwaretransport_sr44_firmwaretransport_wr11_xt_firmwaretransport_wr44_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-38941
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.83% / 91.45%
||
7 Day CHG~0.00%
Published-03 Aug, 2023 | 00:00
Updated-17 Oct, 2024 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

django-sspanel v2022.2.2 was discovered to contain a remote command execution (RCE) vulnerability via the component sspanel/admin_view.py -> GoodsCreateView._post.

Action-Not Available
Vendor-ehco1996n/a
Product-django-sspaneln/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-39293
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.75% / 73.31%
||
7 Day CHG~0.00%
Published-14 Aug, 2023 | 00:00
Updated-09 Oct, 2024 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Command Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to execute arbitrary commands within the context of the system.

Action-Not Available
Vendor-n/aMitel Networks Corp.
Product-mivoice_office_400mivoice_office_400_smb_controller_firmwaremivoice_office_400_smb_controllern/amivoice_office_400mivoice_office_400_smb_controller_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-3726
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.44% / 63.49%
||
7 Day CHG~0.00%
Published-30 Nov, 2021 | 09:30
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection in ohmyzsh/ohmyzsh

# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function.

Action-Not Available
Vendor-planetargonohmyzsh
Product-oh_my_zshohmyzsh/ohmyzsh
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-42872
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-11.41% / 93.67%
||
7 Day CHG~0.00%
Published-31 May, 2022 | 23:15
Updated-04 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK EX1200T V4.1.2cu.5215 is affected by a command injection vulnerability that can remotely execute arbitrary code.

Action-Not Available
Vendor-n/aTOTOLINK
Product-ex1200t_firmwareex1200tn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-36260
Matching Score-4
Assigner-Hangzhou Hikvision Digital Technology Co., Ltd.
ShareView Details
Matching Score-4
Assigner-Hangzhou Hikvision Digital Technology Co., Ltd.
CVSS Score-9.8||CRITICAL
EPSS-94.44% / 99.99%
||
7 Day CHG~0.00%
Published-22 Sep, 2021 | 12:07
Updated-10 Nov, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-01-24||Apply updates per vendor instructions.

A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.

Action-Not Available
Vendor-n/aHIKVISION
Product-ds-2dy92500x-a\(t5\)_firmwareds-2td1117-6\/pa_firmwareds-2cd2046g2-iu\/slds-2cd2123g2-iuds-2td8167-190ze2f\/wyds-2cd2143g2-iu_firmwareds-2td8166-180ze2f\/v2ds-2cd2743g2-izs_firmwareds-2df8236i5x-aelwptz-n4225i-de_firmwareds-2td1217b-3\/pads-2cd3156g2-is\(u\)_firmwareds-2df8a442ixs-ael\(t5\)_firmwareds-2cd3556g2-is_firmwareptz-n2404i-de3ds-2cd2686g2-izsu\/sl_firmwareds-2td6267-75c4l\/w_firmwareds-2cd2783g2-izs_firmwareds-2cd2066g2-iu\/slds-2cd3726g2-izsds-2df7225ix-aelw\(t3\)ds-2dy9236i8x-a\(t3\)_firmwareds-2td8167-190ze2f\/wy_firmwareds-7608ni-q2ds-2cd2121g1-idwds-2cd2786g2-izsds-2cd2147g2-l\(su\)ds-2df8442ixs-aelw\(t5\)ids-2vs435-f840-ey_firmwareds-2xe6242f-is\/316l\(b\)_firmwareds-2cd2346g2-isu\/slds-2cd2766g2-izs_firmwareds-2dyh2a0ixs-d\(t2\)_firmwareds-2td6267-100c4l\/wds-2td8167-230zg2f\/wyds-7616ni-q2_firmwareds-2cd2086g2-iu\/sl_firmwareds-2cd3056g2-is_firmwareds-2cd3143g2-i\(s\)u_firmwareds-2cd2047g2-l\(u\)ds-2cd2586g2-i\(s\)ds-7608ni-k1\/8pds-2cd2123g2-iu_firmwareds-2df8a442ixs-aely\(t5\)_firmwareds-2cd2366g2-isu\/slds-2cd2163g2-i\(s\)ds-2td8166-150ze2f\/v2_firmwareds-2cd3586g2-is_firmwareds-2td6237-50h4l\/w_firmwareds-2td4166t-9_firmwareids-2vs435-f840-ey\(t3\)_firmwareds-2cd3523g2-is_firmwareds-2cd2347g2-lsu\/sl_firmwareds-2cd2163g2-i\(s\)_firmwareds-2df8425ix-aelw\(t5\)_firmwareds-2td6266t-25h2l_firmwareds-2df8242ix-ael\(t5\)ds-2cd3056g2iu\/sl_firmwareds-2cd3743g2-izsds-2df6a825x-ael_firmwareds-2td8167-230zg2f\/w_firmwareds-2df8225ix-ael\(t3\)ds-2cd2086g2-i\(u\)_firmwareds-2cd2563g2-i\(s\)ds-2cd3126g2-isds-7616ni-q2\/16pds-2cd2686g2-izsds-2cd3356g2-isu\/slds-2df7225ix-ael\(t3\)ds-2cd2766g2-izsds-2td6237-50h4l\/wds-2df8a442ixs-aely\(t5\)ds-2td6267-50h4l\/w_firmwareds-2cd2121g0-i\(w\)\(s\)_firmwareds-2td8167-230zg2f\/wy_firmwareds-7104ni-q1\/4p\/mds-2td6237-75c4l\/wds-2df6a436x-aely\(t5\)_firmwareds-2td6236t-50h2lds-2cd3347g2-ls\(u\)ds-2df8436i5x-aelw\(t3\)ids-2sk718mxs-d_firmwareds-2cd2163g2-iuds-7608ni-k1ds-2cd2021g1-i\(w\)ds-7608ni-k1\/4gds-2cd2526g2-isds-2cd2087g2-l\(u\)_firmwareds-2cd2646g2-izsu\/slds-7604ni-k1_firmwareds-2cd2643g2-izs_firmwareds-2cd2366g2-i\(u\)ds-2cd3756g2-izs_firmwareds-2cd2663g2-izs_firmwareds-2cd2147g2-l\(su\)_firmwareds-2xe6422fwd-izhrs_firmwareds-2cd3626g2-izsds-2df6a825x-aelds-7104ni-q1\/4pds-7608ni-q2_firmwareds-2cd3626g2-izs_firmwareds-2cd3363g2-iu_firmwareds-2cd3523g2-isds-2cd2523g2-i\(u\)ds-7108ni-q1\/8p\/m_firmwareds-2cd2183g2-i\(s\)_firmwareds-7604ni-k1ds-2cd2186g2-i\(su\)_firmwareds-2cd2183g2-i\(s\)ds-2df8a442ixs-ael\(t5\)ds-2cd3726g2-izs_firmwareds-2dy9236i8x-a_firmwareds-2cd2343g2-i\(u\)ds-2cd3343g2-iu_firmwareds-7608ni-q1_firmwareds-2cd3343g2-iuds-2cd3126g2-is_firmwareds-2xe6452f-izh\(r\)s_firmwareptz-n4215i-deds-2cd2023g2-i\(u\)ds-2cd3686g2-izsds-7104ni-q1ds-2cd3086g2-isds-2cd3547g2-ls_firmwareds-2td8166-150zh2f\/v2ds-2td8167-230zg2f\/wds-2cd2386g2-i\(u\)_firmwareds-7104ni-q1\/4p_firmwareds-2cd2183g2-i\(u\)ds-2cd2066g2-iu\/sl_firmwareds-2td6266t-50h2lds-2cd2666g2-izs_firmwareds-2cd3123g2-i\(s\)u_firmwareds-2cd3123g2-i\(s\)uds-2df8a842ixs-ael\(t5\)ds-2cd2121g1-idw_firmwareds-2df8236i5x-aelw_firmwareds-2cd2546g2-i\(s\)_firmwareds-2cd3543g2-isds-2cd2566g2-i\(s\)ds-2dy9250izs-a\(t5\)_firmwareds-2cd2386g2-isu\/sl_firmwareds-2cd2763g2-izsds-2dy9240ix-a\(t5\)ds-2df8242i5x-aelw\(t3\)ids-2pt9a144mxs-d\/t2_firmwareds-7616ni-q1ds-2td6266t-25h2lds-2df8225ix-ael\(t5\)_firmwareds-2cd2027g2-l\(u\)_firmwareds-2cd3386g2-is_firmwareds-7616ni-q2\/16p_firmwareds-2df8242ix-aely\(t3\)ds-2cd2546g2-i\(s\)ds-2cd3026g2-isds-2cd3543g2-is_firmwareds-2cd2366g2-i\(u\)_firmwareds-7608ni-q2\/8pds-2cd2626g2-izsu\/sl_firmwareds-2cd2387g2-l\(u\)ds-2cd2021g1-i\(w\)_firmwareds-2td4167-50\/w_firmwareds-7108ni-q1\/8p\/mds-2cd3526g2-is_firmwareds-2cd3723g2-izs_firmwareds-2cd3326g2-isu\/slds-2cd2586g2-i\(s\)_firmwareds-2cd3023g2-iu_firmwareds-2cd2121g1-i\(w\)_firmwareds-2df6a225x-ael\)t3\)ds-2cd2321g0-i\/nfids-2vs435-f840-eyds-2cd3643g2-izsds-7608ni-q1ds-2cd2366g2-isu\/sl_firmwareds-2td8167-190ze2f\/wds-2td8166-100c2f\/v2_firmwareds-2td8167-150zc4f\/w_firmwareds-2cd3043g2-iu_firmwareds-2df8242ix-aelw\(t3\)_firmwareds-7604ni-q1_firmwareds-2df8225ix-aelw\(t3\)ds-2cd2666g2-izsds-2df6a836x-ael\(t5\)ds-2cd3723g2-izsds-2df8225ix-ael\(t5\)ds-2cd2646g2-izsu\/sl_firmwareds-2cd2543g2-i\(ws\)ds-2df8442ixs-ael\(t5\)_firmwareds-2df8425ix-ael\(t5\)ds-2td8167-190ze2f\/w_firmwareds-2td1217b-3\/pa_firmwareds-2cd2786g2-izs_firmwareds-2cd3623g2-izs_firmwareds-2cd3786g2-izs_firmwareds-2cd3056g2-iu\/sl_firmwareds-2cd2023g2-i\(u\)_firmwareds-2df8242i5x-ael\(t3\)_firmwareds-2xe6452f-izh\(r\)sds-2cd2186g2-i\(su\)ptz-n4215-de3_firmwareds-2td4167-25\/wds-2cd3563g2-is_firmwareds-7608ni-k1\/8p\/4g_firmwareds-2cd2621g0-i\(z\)\(s\)_firmwareds-2cd2723g2-izsds-2cd2523g2-i\(u\)_firmwareds-2df6a436x-ael\(t5\)ds-2df6a436x-ael\(t3\)_firmwareptz-n2204i-de3_firmwareds-2td1117-3\/pads-7108ni-q1\/mds-2cd3023g2-iuds-2df5225x-ae3\(t3\)ds-2cd2383g2-i\(u\)_firmwareds-2td4137-25\/wds-7604ni-q1\/4pds-2cd2526g2-is_firmwareds-2xe6242f-is\/316l\(b\)ds-2cd2623g2-izsds-2cd2183g2-iu_firmwareds-2df8225ix-aelw\(t3\)_firmwareds-2cd2683g2-izs_firmwareds-2cd2043g2-i\(u\)_firmwareds-2cd3126g2-is\(u\)ds-2cd3656g2-izs_firmwareds-2df8225ih-aelds-7608ni-k1\/4g_firmwareds-2df8a442ixs-ael\(t2\)_firmwareds-2df7232ix-ael\(t3\)_firmwareds-2df8425ix-ael\(t3\)_firmwareds-2td4167-50\/wds-2cd2583g2-i\(s\)_firmwareds-2df8242i5x-aelw\(t3\)_firmwareds-2cd2383g2-i\(u\)ds-2df5225x-ael\(t3\)ds-2df8242ix-aelw\(t3\)ds-2xe6422fwd-izhrsds-2df8242i5x-ael\(t3\)ds-2td6267-75c4l\/wds-2cd2166g2-i\(su\)_firmwareds-2df8a842ixs-ael\(t5\)_firmwareids-2sk8144ixs-d\/j_firmwareds-2cd3356g2-isds-760ni-k1\/4p_firmwareds-2cd3586g2-isds-2cd2127g2-\(-su\)_firmwareds-2cd2363g2-i\(u\)_firmwareds-2cd3086g2-is_firmwareds-2cd2166g2-i\(su\)ds-2cd2347g2-l\(u\)ds-2cd3547g2-lsds-7108ni-q1_firmwareds-7108ni-q1ds-2cd3563g2-isds-2xe6482f-izhrs_firmwareds-2cd2527g2-ls_firmwareptz-n4215-de3ds-2df8442ixs-aelw\(t2\)_firmwareds-2td8166-150zh2f\/v2_firmwareds-2cd3623g2-izsds-2cd2743g2-izsds-2cd2563g2-i\(s\)_firmwareds-2td4167-25\/w_firmwareds-2cd2063g2-i\(u\)ds-2cd3763g2-izsds-2td1217b-6\/pads-2cd2323g2-i\(u\)_firmwareptz-n4225i-deds-2cd2327g2-l\(u\)_firmwareds-2cd2721g0-i\(z\)\(s\)_firmwareds-2cd2121g0-i\(w\)\(s\)ds-7604ni-q1\/4p_firmwareds-2cd3663g2-izsds-2df8442ixs-aely\(t5\)_firmwareds-2cd2526g2-i\(s\)ds-2dy92500x-a\(t5\)ds-2td6266t-50h2l_firmwareds-2td8166-75c2f\/v2ds-7604ni-k1\/4p\/4gds-2cd2683g2-izsds-2td6237-75c4l\/w_firmwareds-2cd3786g2-izsds-2cd2723g2-izs_firmwareds-7104ni-q1\/mds-2cd2086g2-i\(u\)ds-2cd3643g2-izs_firmwareds-2dy9240ix-a\(t5\)_firmwareds-2cd2123g2-i\(s\)ds-2cd3386g2-is\(u\)ds-2cd2446g2-ids-2cd2363g2-i\(u\)ds-2cd3386g2-is\(u\)_firmwareds-2cd3663g2-izs_firmwareds-2cd2621g0-i\(z\)\(s\)ds-2cd2583g2-i\(s\)ds-2td1117-3\/pa_firmwareds-2cd2686g2-izsu\/slds-2cd2047g2-l\(u\)_firmwareds-7608ni-k1_firmwareds-2df7225ix-aelw\(t3\)_firmwareds-2df6a436x-ael\(t5\)_firmwareds-2cd2426g2-ids-2dy9236i8x-ads-2cd2043g2-i\(u\)ds-2df6a836x-ael\(t5\)_firmwareds-2df8436i5x-aelw\(t3\)_firmwareds-2df5232x-ael\(t3\)_firmwareds-2cd2446g2-i_firmwareds-2df7232ix-aelw\(t3\)ds-2cd2027g2-l\(u\)ds-2cd3056g2-iu\/slds-2cd3347g2-ls\(u\)_firmwareds-7608ni-q1\/8p_firmwareds-2df8225ix-ael\(t3\)_firmwareptz-n4215i-de_firmwareds-2cd2566g2-i\(s\)_firmwareds-2cd3043g2-iuds-2cd3323g2-iu_firmwareds-2df8442ixs-aely\(t5\)ds-2df8a442nxs-ael\(t5\)_firmwareds-2df5232x-ael\(t3\)ds-2cd2063g2-i\(u\)_firmwareds-2df7225ix-ael\(t3\)_firmwareds-7616ni-k1_firmwareds-2cd2386g2-i\(u\)ptz-n5225i-ads-2df8442ixs-aelwy\(t5\)ds-2df6a236x-ael\(t3\)_firmwareds-2dy9250izs-a\(t5\)ds-2cd3323g2-iuds-2df8425ix-ael\(t3\)ds-2cd3026g2-iu\/slds-2cd2127g2-\(-su\)ds-2cd2027g2-lu\/sl_firmwareds-2df5225x-ae3\(t3\)_firmwareds-2df8442ixs-aelw\(t2\)ds-7616ni-k1ds-2cd3156g2-isds-2cd2143g2-i\(s\)ds-2cd3126g2-is\(u\)_firmwareds-2df8225ih-ael\(w\)ds-7616ni-q2ds-2cd2421g0-i\(d\)\(w\)ds-2cd2421g0-i\(d\)w_firmwareds-2cd2086g2-iu\/slds-2df8a442ixs-ael\(t2\)ds-7608ni-q2\/8p_firmwareds-2df5232x-ae3\)t3\)ds-2df6a436x-ael\(t3\)ds-2td6236t-50h2l_firmwareds-2cd3163g2-i\(s\)u_firmwareds-2td8166-180ze2f\/v2_firmwareds-2df6a425x-ael\(t3\)_firmwareds-2df8242i5x-aelw\(t5\)_firmwareds-2cd3047g2-ls_firmwareds-2cd3526g2-isds-2cd2527g2-lsds-2cd2323g2-i\(u\)ds-2cd3026g2-iu\/sl_firmwareds-2df8225ix-aelw\(t5\)_firmwareds-2cd3686g2-izs_firmwareds-2df7232ix-aelw\(t3\)_firmwareds-2df8225ix-aelw\(t5\)ds-2td6267-75c4l\/wyds-2cd2547g2-lzs_firmwareds-2cd2547g2-lzsds-2cd2066g2-i\(u\)_firmwareds-2cd2523g2-i\(s\)ds-7108ni-q1\/8pds-2cd2321g0-i\/nf_firmwareds-2td4137-50\/w_firmwareds-2dyh2a0ixs-d\(t2\)ds-2td8166-75c2f\/v2_firmwareds-2cd2643g2-izsds-2cd3656g2-izsds-7104ni-q1_firmwareds-2df8242ix-aely\(t3\)_firmwareds-2cd2626g2-izsu\/slds-2dy9236ix-a\(t3\)_firmwareds-7104ni-q1\/m_firmwareds-2cd2421g0-i\(d\)wds-2cd2543g2-i\(ws\)_firmwareds-2td4166t-9ds-2dy9236x-a\(t3\)_firmwareds-2df5232x-ae3\)t3\)_firmwareds-2cd3186g2-is\(u\)ds-2cd3047g2-lsds-2df8242i5x-aelw\(t5\)ds-2td8167-150zc4f\/wds-2cd2426g2-i_firmwareds-7608ni-k1\/8p_firmwareds-2td6267-75c4l\/wy_firmwareds-2cd2526g2-i\(s\)_firmwareds-2cd3356g2-is\(u\)_firmwareds-2td4136t-9_firmwareds-2df6a236x-ael\(t3\)ds-2td1117-2\/pa_firmwareds-2cd2186g2-isuds-2df8425ix-ael\(t5\)_firmwareds-2df8442ixs-ael\(t5\)ds-2cd2343g2-i\(u\)_firmwareds-2td6267-100c4l\/wy_firmwareds-2td6267-100c4l\/w_firmwareds-2cd2123g2-i\(s\)_firmwareds-2dy9236ix-a\(t3\)ids-2sk8144ixs-d\/jds-2td6267-100c4l\/wyds-2cd3763g2-izs_firmwareds-2cd3356g2-is\(u\)ds-2cd2026g2-iu\/sl_firmwareds-2cd2547g2-lsds-2cd3756g2-izsds-2cd2523g2-i\(s\)_firmwareds-2cd2143g2-i\(s\)_firmwareds-2dy9236i8x-a\(t3\)ds-2cd3186g2-is\(u\)_firmwareds-2td1117-2\/pads-2cd2666g2-izsu\/sl_firmwareds-2cd2121g1-i\(w\)ds-2cd2186g2-isu_firmwareds-2cd3156g2-is_firmwareids-2vs435-f840-ey\(t3\)ds-7108ni-q1\/m_firmwareds-2cd3326g2-isu\/sl_firmwareds-2cd3163g2-i\(s\)uds-7108ni-q1\/8p_firmwareds-7608ni-k1\/8p\/4gds-2cd2083g2-i\(u\)ds-2cd3363g2-iuds-2df8a442nxs-ael\(t5\)ds-2cd2783g2-izsds-2cd3056g2-isptz-n5225i-a_firmwareds-2cd2387g2-l\(u\)_firmwareids-2pt9a144mxs-d\/t2ds-2df8442ixs-aelwy\(t5\)_firmwareds-2df8a442ixs-af\/sp\(t5\)_firmwareds-2cd3063g2-iuds-2cd2163g2-iu_firmwareds-2cd2326g2-isu\/sl_firmwareds-2cd3386g2-isds-2cd2087g2-l\(u\)ds-2cd2183g2-iuds-2cd2083g2-i\(u\)_firmwareds-2cd2346g2-isu\/sl_firmwareds-2df6a225x-ael\)t3\)_firmwareds-2cd2421g0-i\(d\)\(w\)_firmwareds-2cd2066g2-i\(u\)ds-2df8225ih-ael\(w\)_firmwareds-2df8242ix-ael\(t5\)_firmwareds-7616ni-q1_firmwareds-2cd2027g2-lu\/slds-2cd2347g2-l\(u\)_firmwareds-2xe6442f-izhrs\(b\)ds-2cd2183g2-i\(u\)_firmwareds-2df6a425x-ael\(t3\)ds-2cd2121g1_firmwareds-7604ni-q1ds-2cd3063g2-iu_firmwareptz-n2404i-de3_firmwareds-2df7232ix-ael\(t3\)ds-2xe6442f-izhrs\(b\)_firmwareds-2df6a436x-aely\(t5\)ds-2cd3356g2-is_firmwareds-2cd2327g2-l\(u\)ds-2cd3743g2-izs_firmwareds-760ni-k1\/4pds-2df8250i8x-ael\(t3\)ds-2df8425ix-aelw\(t5\)ds-2cd3056g2iu\/slds-2cd2386g2-isu\/slds-2xe6482f-izhrsds-2dy9236x-a\(t3\)ds-2df8250i8x-ael\(t3\)_firmwareds-2df5225x-ael\(t3\)_firmwareds-2cd2046g2-iu\/sl_firmwareds-2df8442ixs-aelw\(t5\)_firmwareds-2cd2666g2-izsu\/slds-2cd2763g2-izs_firmwareds-2cd2026g2-iu\/slds-2cd2121g1ds-2cd3143g2-i\(s\)uds-2cd3556g2-isds-2td1217b-6\/pa_firmwareds-2cd2143g2-iuds-2cd2326g2-isu\/slds-2cd2663g2-izsds-2cd3026g2-is_firmwareds-2cd2547g2-ls_firmwareds-2td1117-6\/pads-7604ni-k1\/4p\/4g_firmwareds-7104ni-q1\/4p\/m_firmwareds-2td4136t-9ds-2cd2347g2-lsu\/slds-2cd2623g2-izs_firmwareds-2td8166-150ze2f\/v2ptz-n2204i-de3ds-2td4137-25\/w_firmwareds-2td4137-50\/wds-7608ni-q1\/8pds-2cd2686g2-izs_firmwareds-2td6267-50h4l\/wds-2cd3356g2-isu\/sl_firmwareds-2df8425ix-aelw\(t3\)_firmwareds-2cd3156g2-is\(u\)ds-2cd2721g0-i\(z\)\(s\)ds-2df8225ih-ael_firmwareds-2df8425ix-aelw\(t3\)ds-2td8166-100c2f\/v2ds-2df8a442ixs-af\/sp\(t5\)ids-2sk718mxs-dn/aSecurity cameras web server
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-36707
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-13.08% / 94.20%
||
7 Day CHG~0.00%
Published-06 Aug, 2021 | 13:19
Updated-04 Aug, 2024 | 01:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In ProLink PRC2402M V1.0.18 and older, the set_ledonoff function in the adm.cgi binary, accessible with a page parameter value of ledonoff contains a trivial command injection where the value of the led_cmd parameter is passed directly to do_system.

Action-Not Available
Vendor-prolinkn/a
Product-prc2402m_firmwareprc2402mn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-6444
Matching Score-4
Assigner-Brocade Communications Systems, LLC
ShareView Details
Matching Score-4
Assigner-Brocade Communications Systems, LLC
CVSS Score-9.8||CRITICAL
EPSS-2.15% / 84.47%
||
7 Day CHG~0.00%
Published-22 Jan, 2019 | 17:00
Updated-05 Aug, 2024 | 06:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Vulnerability in Brocade Network Advisor versions before 14.1.0 could allow a remote unauthenticated attacker to execute arbitray code. The vulnerability could also be exploited to execute arbitrary OS Commands.

Action-Not Available
Vendor-NetApp, Inc.Brocade Communications Systems, Inc. (Broadcom Inc.)
Product-network_advisorbrocade_network_advisorBrocade Network Advisor
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-39001
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.45% / 90.28%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 00:00
Updated-10 Oct, 2024 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.

Action-Not Available
Vendor-opnsensen/a
Product-opnsensen/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-38692
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.71% / 72.55%
||
7 Day CHG~0.00%
Published-04 Aug, 2023 | 17:22
Updated-10 Oct, 2024 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command injection vulnerability in module management function in CloudExplorer Lite

CloudExplorer Lite is an open source, lightweight cloud management platform. Versions prior to 1.3.1 contain a command injection vulnerability in the installation function in module management. The vulnerability has been fixed in v1.3.1. There are no known workarounds aside from upgrading.

Action-Not Available
Vendor-FIT2CLOUD Inc.CloudExplorer Lite (FIT2CLOUD Inc.)
Product-cloudexplorer_liteCloudExplorer-Litecloudexplorer_lite
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-36705
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-13.08% / 94.20%
||
7 Day CHG~0.00%
Published-06 Aug, 2021 | 13:19
Updated-04 Aug, 2024 | 01:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In ProLink PRC2402M V1.0.18 and older, the set_TR069 function in the adm.cgi binary, accessible with a page parameter value of TR069 contains a trivial command injection where the value of the TR069_local_port parameter is passed directly to system.

Action-Not Available
Vendor-prolinkn/a
Product-prc2402m_firmwareprc2402mn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-38864
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.16% / 36.65%
||
7 Day CHG~0.00%
Published-15 Aug, 2023 | 00:00
Updated-09 Oct, 2024 | 13:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the protal_delete_picname parameter in the sub_41171C function at bin/webmgnt.

Action-Not Available
Vendor-comfastn/acomfast
Product-cf-xr11cf-xr11_firmwaren/acf-xr11
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-3727
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-1.36% / 80.39%
||
7 Day CHG~0.00%
Published-30 Nov, 2021 | 09:30
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection in ohmyzsh/ohmyzsh

# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).

Action-Not Available
Vendor-planetargonohmyzsh
Product-oh_my_zshohmyzsh/ohmyzsh
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2001-1583
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-49.28% / 97.83%
||
7 Day CHG~0.00%
Published-23 Sep, 2007 | 23:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

lpd daemon (in.lpd) in Solaris 8 and earlier allows remote attackers to execute arbitrary commands via a job request with a crafted control file that is not properly handled when lpd invokes a mail program. NOTE: this might be the same vulnerability as CVE-2000-1220.

Action-Not Available
Vendor-n/aSun Microsystems (Oracle Corporation)
Product-sunosn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-38865
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.09% / 78.15%
||
7 Day CHG~0.00%
Published-15 Aug, 2023 | 00:00
Updated-09 Oct, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected at function sub_4143F0. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter timestr.

Action-Not Available
Vendor-comfastn/acomfast
Product-cf-xr11cf-xr11_firmwaren/acf-xr11
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-39008
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.14% / 89.97%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 00:00
Updated-10 Oct, 2024 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands.

Action-Not Available
Vendor-opnsensen/a
Product-opnsensen/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-35394
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.22% / 99.93%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 11:07
Updated-07 Nov, 2025 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2021-12-24||Apply updates per vendor instructions.

Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.

Action-Not Available
Vendor-n/aRealtek Semiconductor Corp.
Product-rtl819x_jungle_software_development_kitn/aJungle Software Development Kit (SDK)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-38863
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.16% / 36.65%
||
7 Day CHG~0.00%
Published-15 Aug, 2023 | 00:00
Updated-09 Oct, 2024 | 13:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the ifname and mac parameters in the sub_410074 function at bin/webmgnt.

Action-Not Available
Vendor-comfastn/acomfast
Product-cf-xr11cf-xr11_firmwaren/acf-xr11
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-10326
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.86% / 75.26%
||
7 Day CHG~0.00%
Published-12 Sep, 2025 | 20:32
Updated-02 Oct, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MiczFlor RPi-Jukebox-RFID single.php os command injection

A security flaw has been discovered in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected is an unknown function of the file /htdocs/api/playlist/single.php. Performing manipulation of the argument playlist results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-sourcefabricMiczFlor
Product-rpi-jukebox-rfidRPi-Jukebox-RFID
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8134
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.56% / 81.68%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 20:00
Updated-27 Aug, 2024 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_Std2R5_1st_DiskMGR command injection

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-327ldns-320lw_firmwaredns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-726-4_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-37292
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.33% / 55.60%
||
7 Day CHG~0.00%
Published-21 Jul, 2023 | 04:08
Updated-24 Oct, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HGiga iSherlock - Command Injection

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in HGiga iSherlock 4.5 (iSherlock-user modules), HGiga iSherlock 5.5 (iSherlock-user modules) allows OS Command Injection.This issue affects iSherlock 4.5: before iSherlock-user-4.5-174; iSherlock 5.5: before iSherlock-user-5.5-174.

Action-Not Available
Vendor-hgigaHGigahgiga
Product-isherlockiSherlock 4.5iSherlock 5.5isherlock
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-37679
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.44% / 99.83%
||
7 Day CHG~0.00%
Published-03 Aug, 2023 | 00:00
Updated-02 Aug, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.

Action-Not Available
Vendor-nextgenn/a
Product-mirth_connectn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-1608
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.81% / 74.35%
||
7 Day CHG~0.00%
Published-24 Feb, 2025 | 00:31
Updated-04 Nov, 2025 | 20:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LB-LINK AC1900 Router set_manpwd websGetVar os command injection

A vulnerability, which was classified as critical, was found in LB-LINK AC1900 Router 1.0.2. Affected is the function websGetVar of the file /goform/set_manpwd. The manipulation of the argument routepwd  leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-lb-linkLB-LINK
Product-ac1900_firmwareac1900AC1900 Router
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-3767
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-9.8||CRITICAL
EPSS-0.79% / 74.02%
||
7 Day CHG~0.00%
Published-26 Sep, 2023 | 07:51
Updated-24 Sep, 2024 | 13:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS command injection on EasyPHP Webserver

An OS command injection vulnerability has been found on EasyPHP Webserver affecting version 14.1. This vulnerability could allow an attacker to get full access to the system by sending a specially crafted exploit to the /index.php?zone=settings parameter.

Action-Not Available
Vendor-easyphpEasyPHP
Product-webserverWebserver
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-38025
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.82% / 74.56%
||
7 Day CHG-0.04%
Published-28 Aug, 2023 | 03:21
Updated-02 Oct, 2024 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SpotCam Co., Ltd. SpotCamFHD - Command Injection -1

SpotCam Co., Ltd. SpotCam FHD 2’s hidden Telnet function has a vulnerability of OS command injection. An remote unauthenticated attacker can exploit this vulnerability to execute command injection attack to arbitrary system commands or disrupt service.

Action-Not Available
Vendor-myspotcamSPOTCAM CO., LTD.spotcam_co_ltd
Product-fhd_2fhd_2_firmwareSpotCam FHD 2spotcam_fhd2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-8752
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.63% / 70.47%
||
7 Day CHG+0.06%
Published-09 Aug, 2025 | 12:02
Updated-16 Sep, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wangzhixuan spring-shiro-training add command injection

A vulnerability was found in wangzhixuan spring-shiro-training up to 94812c1fd8f7fe796c931f4984ff1aa0671ab562. It has been declared as critical. This vulnerability affects unknown code of the file /role/add. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

Action-Not Available
Vendor-xuanshaowangzhixuan
Product-spring-shiro-trainingspring-shiro-training
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-34079
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.24% / 93.25%
||
7 Day CHG~0.00%
Published-01 Jun, 2022 | 14:31
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS Command injection vulnerability in Mintzo Docker-Tester through 1.2.1 allows attackers to execute arbitrary commands via shell metacharacters in the 'ports' entry of a crafted docker-compose.yml file.

Action-Not Available
Vendor-docker-tester_projectn/a
Product-docker-testern/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-34351
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.54% / 81.59%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 00:45
Updated-16 Sep, 2024 | 22:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability in QVR

A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210803 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvrQVR
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-34348
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.90% / 75.85%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 00:45
Updated-16 Sep, 2024 | 22:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability in QVR

A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210803 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvrQVR
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-33055
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-21.78% / 95.83%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 18:12
Updated-03 Aug, 2024 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.Microsoft Corporation
Product-manageengine_adselfservice_pluswindowsn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-38027
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.82% / 74.56%
||
7 Day CHG-0.04%
Published-28 Aug, 2023 | 03:37
Updated-14 Oct, 2024 | 04:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SpotCam Co., Ltd. SpotCam Sense - Command Injection

SpotCam Co., Ltd. SpotCam Sense’s hidden Telnet function has a vulnerability of OS command injection. An remote unauthenticated attacker can exploit this vulnerability to execute command injection attack to perform arbitrary system commands or disrupt service.

Action-Not Available
Vendor-myspotcamSPOTCAM CO., LTD.spotcam_co_ltd
Product-sense_firmwaresenseSpotCam Sensespotcam_sense
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-33963
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.99% / 88.56%
||
7 Day CHG~0.00%
Published-15 Jan, 2022 | 09:16
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ZRMacClone/mac_addr_clone receives parameters by POST request, and the parameter macType has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands.

Action-Not Available
Vendor-chinamobilen/a
Product-an_lianbao_wf-1an_lianbao_wf-1_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-33357
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-92.81% / 99.77%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 17:51
Updated-03 Aug, 2024 | 23:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.

Action-Not Available
Vendor-raspapn/a
Product-raspapn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-38319
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.32% / 54.64%
||
7 Day CHG~0.00%
Published-26 Jan, 2024 | 00:00
Updated-20 Jun, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the FAS key entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.

Action-Not Available
Vendor-openndsn/a
Product-openndsn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • ...
  • 19
  • 20
  • 21
  • ...
  • 53
  • 54
  • Next
Details not found