Total
5595 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4627 | 1 D-link | 2 Dir-825, Dir-825r | 2026-03-24 | 7.2 High |
| A vulnerability was found in D-Link DIR-825 and DIR-825R 1.0.5/4.5.1. Affected is the function handler_update_system_time of the file libdeuteron_modules.so of the component NTP Service. The manipulation results in os command injection. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2026-32608 | 1 Nicolargo | 1 Glances | 2026-03-24 | 7 High |
| Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue. | ||||
| CVE-2026-27811 | 1 Roxy-wi | 1 Roxy-wi | 2026-03-24 | 8.8 High |
| Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue. | ||||
| CVE-2026-30703 | 1 Shenzhen Yuner Yipu | 1 Wdr201a | 2026-03-24 | 9.8 Critical |
| A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality. | ||||
| CVE-2026-28673 | 1 Danvei233 | 1 Xiaoheifs | 2026-03-24 | 7.2 High |
| xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue. | ||||
| CVE-2026-4253 | 1 Tenda | 2 Ac8, Ac8 Firmware | 2026-03-24 | 4.7 Medium |
| A security flaw has been discovered in Tenda AC8 16.03.50.11. This affects the function route_set_user_policy_rule of the file /cgi-bin/UploadCfg of the component Web Interface. The manipulation of the argument wans.policy.list1 results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-23759 | 1 Perle Systems | 2 Iolan Scs, Iolan Sts | 2026-03-24 | 7.2 High |
| Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 allow authenticated OS command injection via the restricted shell accessed over Telnet or SSH. The shell 'ps' command does not perform proper argument sanitization and passes user-supplied parameters into an 'sh -c' invocation running as root. An authenticated attacker who can log in to the device can inject shell metacharacters after the 'ps' subcommand to execute arbitrary OS commands with root privileges, leading to full compromise of the underlying operating system. | ||||
| CVE-2026-32298 | 1 Angeet | 1 Es3 Kvm | 2026-03-24 | 9.1 Critical |
| The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands. | ||||
| CVE-2026-31386 | 1 Litespeed Technologies | 2 Lsws Enterprise, Openlitespeed | 2026-03-24 | N/A |
| OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege. | ||||
| CVE-2026-32003 | 1 Openclaw | 1 Openclaw | 2026-03-23 | 6.6 Medium |
| OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and PS4 environment variables. An attacker who can invoke system.run with request-scoped environment variables can execute arbitrary shell commands outside the intended allowlisted command body through bash xtrace expansion. | ||||
| CVE-2026-32010 | 1 Openclaw | 1 Openclaw | 2026-03-23 | 6.3 Medium |
| OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safe-bin configuration when sort is manually added to tools.exec.safeBins. Attackers can invoke sort with the --compress-program flag to execute arbitrary external programs without operator approval in allowlist mode with ask=on-miss enabled. | ||||
| CVE-2025-34514 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2026-03-23 | 8.8 High |
| Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain authenticated OS command injection vulnerabilities in multiple web-accessible PHP scripts that call exec() and allow an authenticated attacker to execute arbitrary commands. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet. | ||||
| CVE-2025-34513 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2026-03-23 | 9.8 Critical |
| Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain an OS command injection vulnerability in mbus_build_from_csv.php that allows an unauthenticated attacker to execute arbitrary code. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet. | ||||
| CVE-2025-34187 | 1 Ilevia | 3 Eve X1 Server, Eve X1 Server Firmware, Eve X5 Server | 2026-03-23 | 8.8 High |
| Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a misconfiguration in the sudoers file that allows passwordless execution of certain Bash scripts. If these scripts are writable by web-facing users or accessible via command injection, attackers can replace them with malicious payloads. Execution with sudo grants full root access, resulting in remote privilege escalation and potential system compromise. | ||||
| CVE-2025-34186 | 1 Ilevia | 3 Eve X1 Server, Eve X1 Server Firmware, Eve X5 Server | 2026-03-23 | 9.8 Critical |
| Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Due to the binary's interpretation of non-zero exit codes as successful authentication, remote attackers can bypass authentication and gain full access to the system. | ||||
| CVE-2025-34184 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2026-03-23 | 9.8 Critical |
| Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains an unauthenticated OS command injection vulnerability in the /ajax/php/login.php script. Remote attackers can execute arbitrary system commands by injecting payloads into the 'passwd' HTTP POST parameter, leading to full system compromise or denial of service. | ||||
| CVE-2025-34132 | 1 Tvt | 1 Dvr Firmware | 2026-03-23 | N/A |
| A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface. | ||||
| CVE-2025-34129 | 1 Tvt | 1 Dvr Firmware | 2026-03-23 | N/A |
| A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 due to insufficient sanitization of the FTP and NTP Server fields in the service configuration. An attacker with access to the configuration interface can upload a malicious XML file with injected shell commands in these fields. Upon subsequent configuration syncs, these commands are executed with elevated privileges. This vulnerability was exploited in the wild by the Moobot botnets. | ||||
| CVE-2019-25289 | 1 Inim | 1 Smartliving Smartlan | 2026-03-23 | 8.8 High |
| SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials. | ||||
| CVE-2015-10145 | 1 Gargoyle-router | 1 Gargoyle | 2026-03-23 | 8.8 High |
| Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands. | ||||