Search Results (21036 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-36360 1 Keisuke Nakayama 1 Awkblog 2026-04-15 9.8 Critical
OS command injection vulnerability exists in awkblog v0.0.1 (commit hash:7b761b192d0e0dc3eef0f30630e00ece01c8d552) and earlier. If a remote unauthenticated attacker sends a specially crafted HTTP request, an arbitrary OS command may be executed with the privileges of the affected product on the machine running the product.
CVE-2024-29222 2026-04-15 6.1 Medium
Out-of-bounds write for some Intel(R) Graphics Driver software may allow an authenticated user to potentially enable denial of service via local access.
CVE-2024-28125 1 Fitnesse 1 Fitnesse 2026-04-15 9.8 Critical
FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation.
CVE-2024-28048 2026-04-15 9.8 Critical
OS command injection vulnerability exists in ffBull ver.4.11, which may allow a remote unauthenticated attacker to execute an arbitrary OS command with the privilege of the running web server. Note that the developer was unreachable, therefore, users should consider stop using ffBull ver.4.11.
CVE-2024-27980 2026-04-15 N/A
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
CVE-2025-52994 1 Phpthumb Project 1 Phpthumb 2026-04-15 4.9 Medium
gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709.
CVE-2025-34152 1 Shenzhen Aitemi 2 M300, M300 Wifi Repeater 2026-04-15 N/A
An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.
CVE-2025-34148 1 Shenzhen Aitemi 2 M300, M300 Wifi Repeater 2026-04-15 N/A
An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in WISP mode, the 'ssid' parameter is passed unsanitized to system-level scripts. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root, resulting in full device compromise.
CVE-2024-52587 1 Step Security 1 Harden Runner 2026-04-15 8.8 High
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. Version 2.10.2 contains a patch.
CVE-2025-50121 2026-04-15 N/A
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause unauthenticated remote code execution when a malicious folder is created over the web interface HTTP when enabled. HTTP is disabled by default.
CVE-2025-65001 1 Fujitsu 1 Fbiosdrv 2026-04-15 8.2 High
Fujitsu fbiosdrv.sys before 2.5.0.0 allows an attacker to potentially affect system confidentiality, integrity, and availability.
CVE-2025-34132 1 Tvt 1 Dvr Firmware 2026-04-15 N/A
A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface.
CVE-2025-58062 1 Lstm-kirigaya 1 Openmcp-client 2026-04-15 N/A
LSTM-Kirigaya's openmcp-client is a vscode plugin for mcp developer. Prior to version 0.1.12, when users on a Windows platform connect to an attacker controlled MCP server, attackers could provision a malicious authorization server endpoint to silently achieve an OS command injection attack in the open() invocation, leading to client system compromise. This issue has been patched in version 0.1.12.
CVE-2025-34103 1 Barco 1 Wepresent Wipg-1000p Firmware 2026-04-15 N/A
An unauthenticated command injection vulnerability exists in WePresent WiPG-1000 firmware versions prior to 2.2.3.0, due to improper input handling in the undocumented /cgi-bin/rdfs.cgi endpoint. The Client parameter is not sanitized before being passed to a system call, allowing an unauthenticated remote attacker to execute arbitrary commands as the web server user.
CVE-2024-53992 1 Emd115 1 Unzip Bot 2026-04-15 N/A
unzip-bot is a Telegram bot to extract various types of archives. Users could exploit unsanitized inputs to inject malicious commands that are executed through subprocess.Popen with shell=True. Attackers can exploit this vulnerability using a crafted archive name, password, or video name. This vulnerability is fixed in 7.0.3a.
CVE-2024-13892 2026-04-15 N/A
Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, are vulnerable to command injection. During the initialization process, a user has to use a mobile app to provide devices with Access Point credentials. This input is not properly sanitized, what allows for command injection. The vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might be vulnerable as well.
CVE-2024-53939 1 Victure 1 Rx1800 Firmware 2026-04-15 8.8 High
An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The /cgi-bin/luci/admin/opsw/Dual_freq_un_apple endpoint is vulnerable to command injection through the 2.4 GHz and 5 GHz name parameters, allowing an attacker to execute arbitrary commands on the device (with root-level permissions) via crafted input.
CVE-2024-34013 1 Acronis 1 True Image 2026-04-15 N/A
Local privilege escalation due to OS command injection vulnerability. The following products are affected: Acronis True Image (macOS) before build 41396, Acronis True Image OEM (macOS) before build 42571.
CVE-2024-2742 2026-04-15 6.4 Medium
Operating system command injection vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. An authenticated attacker could execute arbitrary code on the remote host by exploiting IP address functionality.
CVE-2024-6507 1 Deeplake 1 Deeplake 2026-04-15 8.1 High
Command injection when ingesting a remote Kaggle dataset due to a lack of input sanitization in the ingest_kaggle() API