Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-9565

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-26 May, 2026 | 16:45
Updated At-26 May, 2026 | 16:45
Rejected At-
Credits

haojing8312 WorkClaw Blacklist bash.rs is_dangerous os command injection

A vulnerability was determined in haojing8312 WorkClaw up to 0.6.4. This affects the function is_dangerous of the file apps/runtime/src-tauri/src/agent/tools/bash.rs of the component Blacklist Handler. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:26 May, 2026 | 16:45
Updated At:26 May, 2026 | 16:45
Rejected At:
â–¼CVE Numbering Authority (CNA)
haojing8312 WorkClaw Blacklist bash.rs is_dangerous os command injection

A vulnerability was determined in haojing8312 WorkClaw up to 0.6.4. This affects the function is_dangerous of the file apps/runtime/src-tauri/src/agent/tools/bash.rs of the component Blacklist Handler. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Affected Products
Vendor
haojing8312
Product
WorkClaw
CPEs
  • cpe:2.3:a:haojing8312:workclaw:*:*:*:*:*:*:*:*
Modules
  • Blacklist Handler
Versions
Affected
  • 0.6.0
  • 0.6.1
  • 0.6.2
  • 0.6.3
  • 0.6.4
Problem Types
TypeCWE IDDescription
CWECWE-78OS Command Injection
CWECWE-77Command Injection
Type: CWE
CWE ID: CWE-78
Description: OS Command Injection
Type: CWE
CWE ID: CWE-77
Description: Command Injection
Metrics
VersionBase scoreBase severityVector
4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3.06.3MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2.06.5N/A
AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 3.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 2.0
Base score: 6.5
Base severity: N/A
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
ybdesire (VulDB User)
coordinator
VulDB CNA Team
Timeline
EventDate
Advisory disclosed2026-05-26 00:00:00
VulDB entry created2026-05-26 02:00:00
VulDB entry last update2026-05-26 12:44:11
Event: Advisory disclosed
Date: 2026-05-26 00:00:00
Event: VulDB entry created
Date: 2026-05-26 02:00:00
Event: VulDB entry last update
Date: 2026-05-26 12:44:11
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/vuln/365627
vdb-entry
technical-description
https://vuldb.com/vuln/365627/cti
signature
permissions-required
https://vuldb.com/submit/815713
third-party-advisory
https://github.com/haojing8312/WorkClaw/issues/4
exploit
issue-tracking
https://github.com/haojing8312/WorkClaw/
product
Hyperlink: https://vuldb.com/vuln/365627
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/vuln/365627/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/submit/815713
Resource:
third-party-advisory
Hyperlink: https://github.com/haojing8312/WorkClaw/issues/4
Resource:
exploit
issue-tracking
Hyperlink: https://github.com/haojing8312/WorkClaw/
Resource:
product
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:26 May, 2026 | 17:16
Updated At:26 May, 2026 | 17:16

A vulnerability was determined in haojing8312 WorkClaw up to 0.6.4. This affects the function is_dangerous of the file apps/runtime/src-tauri/src/agent/tools/bash.rs of the component Blacklist Handler. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.02.1LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Secondary2.06.5MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
Type: Secondary
Version: 4.0
Base score: 2.1
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 2.0
Base score: 6.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-77Primarycna@vuldb.com
CWE-78Primarycna@vuldb.com
CWE ID: CWE-77
Type: Primary
Source: cna@vuldb.com
CWE ID: CWE-78
Type: Primary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/haojing8312/WorkClaw/cna@vuldb.com
N/A
https://github.com/haojing8312/WorkClaw/issues/4cna@vuldb.com
N/A
https://vuldb.com/submit/815713cna@vuldb.com
N/A
https://vuldb.com/vuln/365627cna@vuldb.com
N/A
https://vuldb.com/vuln/365627/cticna@vuldb.com
N/A
Hyperlink: https://github.com/haojing8312/WorkClaw/
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/haojing8312/WorkClaw/issues/4
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/815713
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/365627
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/365627/cti
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

905Records found
CVE-2018-11175
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 33 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11149
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 7 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11177
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 35 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11156
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 14 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11148
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 6 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11183
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 41 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11151
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-6.77% / 91.41%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 9 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11173
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 31 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11165
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 23 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11160
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 18 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11169
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 27 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11186
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 44 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11176
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 34 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11174
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 32 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11172
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 30 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11153
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 11 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11179
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 37 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11162
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 20 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11150
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 8 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11184
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-6.77% / 91.41%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 42 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5836
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-6.30% / 91.05%
||
7 Day CHG~0.00%
Published-07 Jun, 2025 | 13:31
Updated-09 Jun, 2025 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda AC9 POST Request SetIPTVCfg formSetIptv command injection

A vulnerability was found in Tenda AC9 15.03.02.13. It has been rated as critical. This issue affects the function formSetIptv of the file /goform/SetIPTVCfg of the component POST Request Handler. The manipulation of the argument list leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac9_firmwareac9AC9
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-11159
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 17 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11185
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 43 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11166
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 24 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11168
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 26 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11145
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 3 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11147
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 5 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11167
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 25 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11187
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 45 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11188
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 46 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-11144
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-7.27% / 91.74%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 08:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 2 of 46).

Action-Not Available
Vendor-n/aQuest Software, Inc.
Product-disk_backupn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-2548
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.51% / 81.43%
||
7 Day CHG~0.00%
Published-16 Feb, 2026 | 09:02
Updated-23 Feb, 2026 | 10:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WAYOS FBM-220G rc sub_40F820 command injection

A flaw has been found in WAYOS FBM-220G 24.10.19. This affects the function sub_40F820 of the file rc. Executing a manipulation of the argument upnp_waniface/upnp_ssdp_interval/upnp_max_age can lead to command injection. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-WAYOS
Product-FBM-220G
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5504
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-4.40% / 89.12%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 14:31
Updated-04 Jun, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK X2000R formWsc command injection

A vulnerability has been found in TOTOLINK X2000R 1.0.0-B20230726.1108 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formWsc. The manipulation of the argument peerRptPin leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-X2000R
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5606
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-8.12% / 92.26%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 19:00
Updated-10 Jun, 2025 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda AC18 SetIPTVCfg formSetIptv command injection

A vulnerability was found in Tenda AC18 15.03.05.05. It has been declared as critical. This vulnerability affects the function formSetIptv of the file /goform/SetIPTVCfg. The manipulation of the argument list leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac18ac18_firmwareAC18
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-10431
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-2.37% / 85.17%
||
7 Day CHG~0.00%
Published-26 Apr, 2018 | 17:00
Updated-05 Aug, 2024 | 07:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR-615 2.5.17 devices allow Remote Code Execution via shell metacharacters in the Host field of the System / Traceroute screen.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-615_firmwaredir-615n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5502
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-11.56% / 93.73%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 14:00
Updated-06 Jun, 2025 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK X15 formMapReboot command injection

A vulnerability, which was classified as critical, has been found in TOTOLINK X15 1.0.0-B20230714.1105. Affected by this issue is the function formMapReboot of the file /boafrm/formMapReboot. The manipulation of the argument deviceMacAddr leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-x15x15_firmwareX15
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-787
Out-of-bounds Write
CVE-2025-5571
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-3.59% / 87.91%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 05:31
Updated-15 Jul, 2025 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DCS-932L setSystemAdmin os command injection

A vulnerability was found in D-Link DCS-932L 2.18.01. It has been classified as critical. Affected is the function setSystemAdmin of the file /setSystemAdmin. The manipulation of the argument AdminID leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-D-Link Corporation
Product-dcs-932ldcs-932l_firmwareDCS-932L
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-0330
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.31% / 54.53%
||
7 Day CHG~0.00%
Published-20 Jun, 2018 | 21:00
Updated-29 Nov, 2024 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the NX-API management application programming interface (API) in devices running, or based on, Cisco NX-OS Software could allow an authenticated, remote attacker to execute commands with elevated privileges. The vulnerability is due to a failure to properly validate certain parameters included within an NX-API request. An attacker that can successfully authenticate to the NX-API could submit a request designed to bypass NX-OS role assignment. A successful exploit could allow the attacker to execute commands with elevated privileges. This vulnerability affects the following if configured to use the NX-API feature: MDS 9000 Series Multilayer Switches, Nexus 2000 Series Switches, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode. Cisco Bug IDs: CSCvc73177, CSCve40903, CSCve40911.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-nexus_56128pnexus_9332pqnexus_3132q-xnexus_93108tc-exnexus_3172tqnx-osnexus_9508nexus_3100-vnexus_3636c-rnexus_93120txnexus_n9k-x9636c-rnexus_93128txnexus_3548-xlnexus_31128pqnexus_6001pnexus_3164qnexus_5020nexus_3172tq-32tnexus_3132c-znexus_3524-xnexus_5548pnexus_5648qmds_9000nexus_9272qnexus_5672upnexus_3264qnexus_34180ycnexus_3064-32tnexus_5596upnexus_3548nexus_3132qnexus_3016nexus_9372pxnexus_5696qnexus_92304qcnexus_92160yc-xnexus_n9k-x9636q-rnexus_n9k-c9508-fm-rnexus_9504nexus_3048nexus_3524-xlnexus_9396txnexus_7000nexus_3172pqnexus_3064-xnexus_3232cnexus_5548upnexus_9396pxnexus_5010nexus_5000nexus_5596tnexus_3264c-enexus_9372txnexus_5624qnexus_3548-xnexus_3132q-xlnexus_3064-tnexus_93180yc-exnexus_6001tnexus_172tq-xlnexus_c36180yc-rnexus_9236cnexus_9516nexus_3172pq-xlnexus_7700Cisco NX-OS unknown
CWE ID-CWE-264
Not Available
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5515
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-4.06% / 88.67%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 17:31
Updated-04 Jun, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK X2000R formMapDel command injection

A vulnerability, which was classified as critical, has been found in TOTOLINK X2000R 1.0.0-B20230726.1108. Affected by this issue is some unknown functionality of the file /boafrm/formMapDel. The manipulation of the argument devicemac1 leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-X2000R
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5492
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.75% / 73.40%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 10:31
Updated-15 Jul, 2025 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DI-500WF-WT /usr/sbin/jhttpd msp_info.htm sub_456DE8 command injection

A vulnerability has been found in D-Link DI-500WF-WT up to 20250511 and classified as critical. Affected by this vulnerability is the function sub_456DE8 of the file /msp_info.htm?flag=cmd of the component /usr/sbin/jhttpd. The manipulation of the argument cmd leads to command injection. The attack can be launched remotely.

Action-Not Available
Vendor-D-Link Corporation
Product-di-500wf-wt_firmwaredi-500wf-wtDI-500WF-WT
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5573
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-4.79% / 89.59%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 06:00
Updated-06 Jun, 2025 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DCS-932L setSystemWizard setSystemControl os command injection

A vulnerability was found in D-Link DCS-932L 2.18.01. It has been rated as critical. Affected by this issue is the function setSystemWizard/setSystemControl of the file /setSystemWizard. The manipulation of the argument AdminID leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-D-Link Corporation
Product-dcs-932ldcs-932l_firmwareDCS-932L
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5445
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-8.43% / 92.44%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 12:31
Updated-10 Jun, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 RP_checkFWByBBS os command injection

A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001 and classified as critical. Affected by this issue is the function RP_checkFWByBBS of the file /goform/RP_checkFWByBBS. The manipulation of the argument type/ch/ssidhex/security/extch/pwd/mode/ip/nm/gw leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Linksys Holdings, Inc.
Product-re6350re6350_firmwarere6500re7000_firmwarere6300_firmwarere6500_firmwarere6300re6250_firmwarere9000_firmwarere7000re6250re9000RE7000RE6350RE9000RE6500RE6300RE6250
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5444
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-8.43% / 92.44%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 12:00
Updated-10 Jun, 2025 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 RP_UpgradeFWByBBS os command injection

A vulnerability has been found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001 and classified as critical. Affected by this vulnerability is the function RP_UpgradeFWByBBS of the file /goform/RP_UpgradeFWByBBS. The manipulation of the argument type/ch/ssidhex/security/extch/pwd/mode/ip/nm/gw leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Linksys Holdings, Inc.
Product-re6350re6350_firmwarere6500re7000_firmwarere6300_firmwarere6500_firmwarere6300re6250_firmwarere9000_firmwarere7000re6250re9000RE7000RE6350RE9000RE6500RE6300RE6250
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5439
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-5.39% / 90.22%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 09:31
Updated-02 Jul, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 verifyFacebookLike os command injection

A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been rated as critical. Affected by this issue is the function verifyFacebookLike of the file /goform/verifyFacebookLike. The manipulation of the argument uid/accessToken leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Linksys Holdings, Inc.
Product-re9000_firmwarere6250re7000re6300re6300_firmwarere7000_firmwarere6500_firmwarere9000re6350re6350_firmwarere6250_firmwarere6500RE7000RE6350RE9000RE6500RE6300RE6250
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-0569
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8.8||HIGH
EPSS-1.00% / 77.21%
||
7 Day CHG~0.00%
Published-26 Jun, 2018 | 14:00
Updated-05 Aug, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote authenticated attackers to execute arbitrary OS commands via unspecified vectors.

Action-Not Available
Vendor-basercmsbaserCMS Users Community
Product-basercmsbaserCMS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5438
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-8.41% / 92.42%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 09:00
Updated-02 Jul, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 WPS command injection

A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been declared as critical. Affected by this vulnerability is the function WPS of the file /goform/WPS. The manipulation of the argument PIN leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Linksys Holdings, Inc.
Product-re9000_firmwarere6250re7000re6300re6300_firmwarere7000_firmwarere6500_firmwarere9000re6350re6350_firmwarere6250_firmwarere6500RE7000RE6350RE9000RE6500RE6300RE6250
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-5441
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-6.39% / 91.12%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 10:31
Updated-02 Jun, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 setDeviceURL os command injection

A vulnerability classified as critical was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function setDeviceURL of the file /goform/setDeviceURL. The manipulation of the argument DeviceURL leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Linksys Holdings, Inc.
Product-RE7000RE6350RE9000RE6500RE6300RE6250
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5442
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-6.39% / 91.12%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 11:00
Updated-02 Jun, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 RP_pingGatewayByBBS os command injection

A vulnerability, which was classified as critical, has been found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This issue affects the function RP_pingGatewayByBBS of the file /goform/RP_pingGatewayByBBS. The manipulation of the argument ip/nm/gw leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Linksys Holdings, Inc.
Product-RE7000RE6350RE9000RE6500RE6300RE6250
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5443
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-8.43% / 92.44%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 11:31
Updated-10 Jun, 2025 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 wirelessAdvancedHidden os command injection

A vulnerability, which was classified as critical, was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected is the function wirelessAdvancedHidden of the file /goform/wirelessAdvancedHidden. The manipulation of the argument ExtChSelector/24GSelector/5GSelector leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Linksys Holdings, Inc.
Product-re6350re6350_firmwarere6500re7000_firmwarere6300_firmwarere6500_firmwarere6300re6250_firmwarere9000_firmwarere7000re6250re9000RE7000RE6350RE9000RE6500RE6300RE6250
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5440
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-5.39% / 90.22%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 10:00
Updated-02 Jul, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 NTP os command injection

A vulnerability classified as critical has been found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function NTP of the file /goform/NTP. The manipulation of the argument manual_year_select/manual_month_select/manual_day_select/manual_hour_select/manual_min_select/manual_sec_select leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Linksys Holdings, Inc.
Product-re9000_firmwarere6250re7000re6300re6300_firmwarere7000_firmwarere6500_firmwarere9000re6350re6350_firmwarere6250_firmwarere6500RE7000RE6350RE9000RE6500RE6300RE6250
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • ...
  • 10
  • 11
  • 12
  • ...
  • 18
  • 19
  • Next
Details not found