Export limit exceeded: 341868 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (5751 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-48842 | 1 Dlink | 2 Go-rt-ac750, Go-rt-ac750 Firmware | 2025-06-03 | 9.8 Critical |
| D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi. | ||||
| CVE-2024-23826 | 1 Se.math.spbu | 1 Spbu Se Site | 2025-06-02 | 6.8 Medium |
| spbu_se_site is the website of the Department of System Programming of St. Petersburg State University. Before 2024.01.29, when uploading an avatar image, an authenticated user may intentionally use a large Unicode filename which would lead to a server-side denial of service under Windows. This is due to no limitation of the length of the filename and the costly use of the Unicode normalization with the form NFKD on Windows OS. This vulnerability was fixed in the 2024.01.29 release. | ||||
| CVE-2025-4010 | 2025-06-02 | N/A | ||
| The Netcom NTC 6200 and NWL 222 series expose a web interface to be configured and set up by operators. Multiple endpoints of the web interface are vulnerable to arbitrary command injection and use insecure hardcoded passwords. Remote authenticated attackers can gain arbitrary code execution with elevated privileges. | ||||
| CVE-2025-5113 | 2025-06-02 | N/A | ||
| The Diviotec professional series exposes a web interface. One endpoint is vulnerable to arbitrary command injection and hardcoded passwords are used. | ||||
| CVE-2025-46807 | 2025-06-02 | 5.3 Medium | ||
| A Allocation of Resources Without Limits or Throttling vulnerability in sslh allows attackers to easily exhaust the file descriptors in sslh and deny legitimate users service.This issue affects sslh before 2.2.4. | ||||
| CVE-2025-3475 | 1 Europa | 1 Web-t | 2025-06-02 | 6.5 Medium |
| Allocation of Resources Without Limits or Throttling, Incorrect Authorization vulnerability in Drupal WEB-T allows Excessive Allocation, Content Spoofing.This issue affects WEB-T: from 0.0.0 before 1.1.0. | ||||
| CVE-2024-20287 | 1 Cisco | 2 Wap371, Wap371 Firmware | 2025-06-02 | 6.5 Medium |
| A vulnerability in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point (AP) with Single Point Setup could allow an authenticated, remote attacker to perform command injection attacks against an affected device. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device. To exploit this vulnerability, the attacker must have valid administrative credentials for the device. | ||||
| CVE-2024-57338 | 2025-05-30 | 6.5 Medium | ||
| An arbitrary file upload vulnerability in M2Soft CROWNIX Report & ERS v5.x to v5.5.14.1070, v7.x to v7.4.3.960, and v8.x to v8.2.0.345 allows attackers to execute arbitrary code via supplying a crafted file. | ||||
| CVE-2024-57337 | 2025-05-30 | 6.5 Medium | ||
| An arbitrary file upload vulnerability in the opcode 500 functionality of M2Soft CROWNIX Report & ERS v5.x to v5.5.14.1070, v7.x to v7.4.3.960, and v8.x to v8.2.0.345 allows attackers to execute arbitrary code via supplying a crafted file. | ||||
| CVE-2022-25313 | 6 Debian, Fedoraproject, Libexpat Project and 3 more | 8 Debian Linux, Fedora, Libexpat and 5 more | 2025-05-30 | 6.5 Medium |
| In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. | ||||
| CVE-2019-15903 | 3 Libexpat Project, Python, Redhat | 5 Libexpat, Python, Enterprise Linux and 2 more | 2025-05-30 | 6.5 Medium |
| In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. | ||||
| CVE-2025-44084 | 1 Dlink | 2 Di-8100, Di-8100g Firmware | 2025-05-30 | 9.8 Critical |
| D-link DI-8100 16.07.26A1 is vulnerable to Command Injection. An attacker can exploit this vulnerability by crafting specific HTTP requests, triggering the command execution flaw and gaining the highest privilege shell access to the firmware system. | ||||
| CVE-2024-22663 | 1 Totolink | 2 A3700r, A3700r Firmware | 2025-05-30 | 9.8 Critical |
| TOTOLINK_A3700R_V9.1.2u.6165_20211012has a command Injection vulnerability via setOpModeCfg | ||||
| CVE-2023-52039 | 1 Totolink | 2 X6000r, X6000r Firmware | 2025-05-30 | 9.8 Critical |
| An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415AA4 function. | ||||
| CVE-2023-52038 | 1 Totolink | 2 X6000r, X6000r Firmware | 2025-05-30 | 9.8 Critical |
| An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415C80 function. | ||||
| CVE-2023-50274 | 1 Hp | 1 Oneview | 2025-05-30 | 7.8 High |
| HPE OneView may allow command injection with local privilege escalation. | ||||
| CVE-2024-22545 | 1 Trendnet | 2 Tew-824dru, Tew-824dru Firmware | 2025-05-29 | 7.8 High |
| An issue was discovered in TRENDnet TEW-824DRU version 1.04b01, allows unauthenticated attackers to execute arbitrary code via the system.ntp.server parameter in the sub_420AE0() function. The attack can be launched remotely. | ||||
| CVE-2023-51833 | 1 Trendnet | 2 Tew-411brpplus, Tew-411brpplus Firmware | 2025-05-29 | 8.1 High |
| A command injection issue in TRENDnet TEW-411BRPplus v.2.07_eu that allows a local attacker to execute arbitrary code via the data1 parameter in the debug.cgi page. | ||||
| CVE-2024-57590 | 1 Trendnet | 2 Tew-632brp, Tew-632brp Firmware | 2025-05-29 | 9.8 Critical |
| TRENDnet TEW-632BRP v1.010B31 devices have an OS command injection vulnerability in the CGl interface "ntp_sync.cgi",which allows remote attackers to execute arbitrary commands via parameter "ntp_server" passed to the "ntp_sync.cgi" binary through a POST request. | ||||
| CVE-2025-0993 | 1 Gitlab | 1 Gitlab | 2025-05-29 | 7.5 High |
| An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources. | ||||