Total
5620 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-54382 | 1 Cherry-ai | 1 Cherry Studio | 2025-12-01 | 9.7 Critical |
| Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server’s implicit trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2. | ||||
| CVE-2025-35028 | 1 Hexstrike-ai Project | 1 Hexstrike-ai | 2025-12-01 | 9.1 Critical |
| By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025). | ||||
| CVE-2025-34152 | 1 Shenzhen Aitemi | 2 M300, M300 Wifi Repeater | 2025-12-01 | N/A |
| An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes. | ||||
| CVE-2025-34151 | 1 Shenzhen Aitemi | 2 M300, M300 Wifi Repeater | 2025-12-01 | N/A |
| A command injection vulnerability exists in the 'passwd' parameter of the PPPoE setup process on the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The input is passed directly to system-level commands without sanitation, enabling unauthenticated attackers to achieve root-level code execution. | ||||
| CVE-2025-34150 | 1 Shenzhen Aitemi | 2 M300, M300 Wifi Repeater | 2025-12-01 | N/A |
| The PPPoE configuration interface of the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) is vulnerable to command injection via the 'user' parameter. Input is processed unsafely during network setup, allowing attackers to execute arbitrary system commands with root privileges. | ||||
| CVE-2025-34149 | 1 Shenzhen Aitemi | 2 M300, M300 Wifi Repeater | 2025-12-01 | N/A |
| A command injection vulnerability affects the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) during WPA2 configuration. The 'key' parameter is interpreted directly by the system shell, enabling attackers to execute arbitrary commands as root. Exploitation requires no authentication and can be triggered during wireless setup. | ||||
| CVE-2025-34148 | 1 Shenzhen Aitemi | 2 M300, M300 Wifi Repeater | 2025-12-01 | N/A |
| An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in WISP mode, the 'ssid' parameter is passed unsanitized to system-level scripts. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root, resulting in full device compromise. | ||||
| CVE-2025-34147 | 1 Shenzhen Aitemi | 1 M300 Wifi Repeater | 2025-12-01 | N/A |
| An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise. | ||||
| CVE-2025-64128 | 1 Zenitel | 1 Tciv-3+ | 2025-12-01 | 10 Critical |
| An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands. | ||||
| CVE-2025-64127 | 1 Zenitel | 1 Tciv-3+ | 2025-12-01 | 10 Critical |
| An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely. | ||||
| CVE-2025-62354 | 1 Cursor | 1 Cursor | 2025-12-01 | 9.8 Critical |
| Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution. | ||||
| CVE-2022-50596 | 1 Dlink | 2 Dir-1260, Dir-1260 Firmware | 2025-11-28 | 9.8 Critical |
| D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local and Wi-Fi networks and optionally from the Internet. | ||||
| CVE-2023-30805 | 1 Sangfor | 1 Next-gen Application Firewall | 2025-11-28 | 9.8 Critical |
| The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /LogInOut.php endpoint. This is due to mishandling of shell meta-characters in the "un" parameter. | ||||
| CVE-2025-13284 | 1 Thinplus | 1 Thinplus | 2025-11-27 | 9.8 Critical |
| ThinPLUS developed by ThinPLUS has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. | ||||
| CVE-2025-34322 | 1 Nagios | 1 Log Server | 2025-11-26 | 7.2 High |
| Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain user-controlled settings—including model selection and connection parameters—are read from the global configuration and concatenated into a shell command that is executed via shell_exec() without proper input handling or command-line argument sanitation. An authenticated user with access to the 'Global Settings' page can supply crafted values in these fields to inject additional shell commands, resulting in arbitrary command execution as the 'www-data' user and compromise of the Log Server host. | ||||
| CVE-2025-12742 | 1 Google | 1 Cloud Looker | 2025-11-26 | N/A |
| A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+ | ||||
| CVE-2018-25126 | 1 Tvt | 1 Nvms-9000 Firmware | 2025-11-25 | N/A |
| Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC. | ||||
| CVE-2025-55055 | 2 Maxum, Maxum Development Corporation | 2 Rumpus, Rumpus Ftp Server | 2025-11-24 | 6.8 Medium |
| CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ||||
| CVE-2025-13087 | 1 Opto22 | 2 Groov Rio, Grv‑epic | 2025-11-24 | 6.2 Medium |
| A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root. | ||||
| CVE-2023-30806 | 1 Sangfor | 2 Net-gen Application Firewall, Next-gen Application Firewall | 2025-11-22 | 9.8 Critical |
| The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /cgi-bin/login.cgi endpoint. This is due to mishandling of shell meta-characters in the PHPSESSID cookie. | ||||