Total
2937 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57199 | 1 Avtech | 1 Dgm1104 | 2025-12-04 | 8.8 High |
| AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | ||||
| CVE-2025-57198 | 1 Avtech | 1 Dgm1104 | 2025-12-04 | 8.8 High |
| AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi endpoint. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | ||||
| CVE-2025-65946 | 1 Roocode | 2 Roo-code, Roo Code | 2025-12-04 | 8.1 High |
| Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, Due to an error in validation it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7. | ||||
| CVE-2025-37163 | 2 Arubanetworks, Hpe | 2 Airwave, Aruba Airwave | 2025-12-03 | 7.2 High |
| A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. An authenticated attacker could exploit this vulnerability to execute arbitrary operating system commands with elevated privileges on the underlying operating system. | ||||
| CVE-2025-66219 | 1 Willitmerge Project | 1 Willitmerge | 2025-12-01 | N/A |
| willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public. | ||||
| CVE-2025-13562 | 2 D-link, Dlink | 3 Dir-852, Dir-852, Dir-852 Firmware | 2025-11-26 | 7.3 High |
| A vulnerability was identified in D-Link DIR-852 1.00. This issue affects some unknown processing of the file /gena.cgi. Such manipulation of the argument service leads to command injection. The attack can be executed remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-63674 | 1 Blurams | 1 Lumi Security Camera A31c | 2025-11-26 | 6.1 Medium |
| An issue in Blurams Lumi Security Camera (A31C) v23.1227.472.2926 allows local physical attackers to execute arbitrary code via overriding the bootloader on the SD card. | ||||
| CVE-2025-11921 | 1 Bjango | 1 Istats | 2025-11-25 | N/A |
| iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection.This issue affects iStats: 7.10.4. | ||||
| CVE-2017-7798 | 3 Debian, Mozilla, Redhat | 8 Debian Linux, Firefox, Enterprise Linux and 5 more | 2025-11-25 | N/A |
| The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. This vulnerability affects Firefox ESR < 52.3 and Firefox < 55. | ||||
| CVE-2025-13442 | 1 Utt | 1 750w | 2025-11-21 | 7.3 High |
| A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Affected by this vulnerability is the function system of the file /goform/formPdbUpConfig. Such manipulation of the argument policyNames leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6945 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 3.5 Low |
| GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments. | ||||
| CVE-2024-7700 | 2 Redhat, Theforeman | 2 Satellite, Foreman | 2025-11-20 | 6.5 Medium |
| A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script. | ||||
| CVE-2024-2947 | 1 Redhat | 1 Enterprise Linux | 2025-11-20 | 7.3 High |
| A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer. | ||||
| CVE-2025-55227 | 1 Microsoft | 5 Sql Server, Sql Server 2016, Sql Server 2017 and 2 more | 2025-11-20 | 8.8 High |
| Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-55319 | 1 Microsoft | 1 Visual Studio Code | 2025-11-20 | 8.8 High |
| Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2025-63749 | 1 Pnetlab | 1 Pnetlab | 2025-11-20 | 6.5 Medium |
| pnetlab 5.3.11 is vulnerable to Command Injection via the qemu_options parameter. | ||||
| CVE-2025-37162 | 1 Hpe | 1 Aruba Networking 100 Series Cellular Bridge | 2025-11-20 | 6.5 Medium |
| A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. | ||||
| CVE-2024-3154 | 1 Redhat | 1 Openshift | 2025-11-20 | 7.2 High |
| A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. | ||||
| CVE-2025-11335 | 2 D-link, Dlink | 3 Di-7100g C1, Di-7100g C1, Di-7100g C1 Firmware | 2025-11-19 | 4.7 Medium |
| A weakness has been identified in D-Link DI-7100G C1 up to 20250928. Affected by this vulnerability is the function sub_46409C of the file /msp_info.htm?flag=qos of the component jhttpd. This manipulation of the argument iface causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-11407 | 2 D-link, Dlink | 3 Di-7001 Mini, Di-7001mini-8g, Di-7001mini-8g Firmware | 2025-11-19 | 6.3 Medium |
| A weakness has been identified in D-Link DI-7001 MINI 24.04.18B1. Impacted is an unknown function of the file /upgrade_filter.asp. This manipulation of the argument path causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||