Search Results (21066 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-28033 2026-04-15 7.3 High
OS command injection vulnerability exists in WebProxy 1.7.8 and 1.7.9, which may allow a remote unauthenticated attacker to execute an arbitrary OS command with the privilege of the running web server. Note that the developer was unreachable, therefore, users should consider stop using WebProxy 1.7.8 and 1.7.9.
CVE-2025-54763 1 Centurysys 5 Futurenet Ip-k Series, Futurenet Ma-e300 Series, Futurenet Ma-p Series and 2 more 2026-04-15 7.2 High
FutureNet MA and IP-K series provided by Century Systems Co., Ltd. contain an OS command Injection vulnerability. A user who logs in to the Web UI of the product may execute an arbitrary OS command.
CVE-2025-41427 1 Elecom 3 Wrc-x3000gs, Wrc-x3000gsa, Wrc-x3000gsn 2026-04-15 N/A
WRC-X3000GS, WRC-X3000GSA, and WRC-X3000GSN contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Connection Diagnostics page. If a remote authenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed.
CVE-2025-59051 1 Freepbx 1 Endpoint Manager 2026-04-15 N/A
The FreePBX Endpoint Manager module includes a Network Scanning feature that provides web-based access to nmap functionality for network device discovery. In Endpoint Manager 16 before 16.0.92 and 17 before 17.0.6, insufficiently sanitized user-supplied input allows authenticated OS command execution as the asterisk user. Authentication with a known username is required. Updating to Endpoint Manager 16.0.92 or 17.0.6 addresses the issue.
CVE-2025-33234 1 Nvidia 1 Runx 2026-04-15 7.8 High
NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
CVE-2024-10573 1 Redhat 1 Enterprise Linux 2026-04-15 6.7 Medium
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
CVE-2015-10141 2026-04-15 5.6 Medium
An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.
CVE-2025-29534 2026-04-15 8.8 High
An authenticated remote code execution vulnerability in PowerStick Wave Dual-Band Wifi Extender V1.0 allows an attacker with valid credentials to execute arbitrary commands with root privileges. The issue stems from insufficient sanitization of user-supplied input in the /cgi-bin/cgi_vista.cgi executable, which is passed to a system-level function call.
CVE-2025-15063 1 Ollama 1 Mcp Server 2026-04-15 N/A
Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ollama MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27683.
CVE-2024-9042 1 Redhat 1 Windows Machine Config 2026-04-15 5.9 Medium
This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
CVE-2024-33434 1 Tiagorlampert 1 Chaos 2026-04-15 9.8 Critical
An issue in tiagorlampert CHAOS v5.0.1 before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the `filename` argument into the `buildStr` string without any sanitization or filtering.
CVE-2024-27172 1 Toshibatec 50 E-studio-2010-ac, E-studio-2015-nc, E-studio-2018 A and 47 more 2026-04-15 9.8 Critical
Remote Command program allows an attacker to get Remote Code Execution. As for the affected products/models/versions, see the reference URL.
CVE-2025-10589 1 N-partner 3 N-cloud, N-probe, N-reporter 2026-04-15 8.8 High
The N-Reporter, N-Cloud, and N-Probe developed by N-Partner has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.
CVE-2025-20055 2026-04-15 9.8 Critical
OS command injection vulnerability exists in network storage servers STEALTHONE D220/D340 provided by Y'S corporation. An attacker who can access the affected product may execute an arbitrary OS command.
CVE-2025-41237 1 Vmware 3 Esxi, Fusion, Workstation 2026-04-15 9.3 Critical
VMware ESXi, Workstation, and Fusion contain an integer-underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
CVE-2025-34073 2026-04-15 N/A
An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.
CVE-2025-1038 1 Hitachienergy 1 Tropos 2026-04-15 N/A
The “Diagnostics Tools” page of the web-based configuration utility does not properly validate user-controlled input, allowing an authenticated user with high privileges to inject commands into the command shell of the TropOS 4th Gen device. The injected commands can be exploited to execute several set-uid (SUID) applications to ultimately gain root access to the TropOS device.
CVE-2025-1036 1 Hitachienergy 1 Tropos 2026-04-15 N/A
Command injection vulnerability exists in the “Logging” page of the web-based configuration utility. An authenticated user with low privileged network access for the configuration utility can execute arbitrary commands on the underlying OS to obtain root SSH access to the TropOS 4th Gen device.
CVE-2012-10039 1 Zevenet 1 Zen Load Balancer 2026-04-15 N/A
ZEN Load Balancer versions 2.0 and 3.0-rc1 contain a command injection vulnerability in content2-2.cgi. The filelog parameter is passed directly into a backtick-delimited exec() call without sanitation. An authenticated attacker can inject arbitrary shell commands, resulting in remote code execution as the root user. ZEN Load Balancer is the predecessor of ZEVENET and SKUDONET. The affected versions (2.0 and 3.0-rc1) are no longer supported. SKUDONET CE is the current community-maintained successor.
CVE-2025-65480 1 Pacom 1 Unison Client 2026-04-15 8.8 High
An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution.