Total
5552 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34940 | 1 Kubeai-project | 1 Kubeai | 2026-04-07 | N/A |
| KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2. | ||||
| CVE-2026-5677 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2026-04-07 | 7.3 High |
| A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument resetFlags results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-5678 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2026-04-07 | 7.3 High |
| A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument mode can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-35020 | 1 Anthropic | 2 Claude Agent Sdk For Python, Claude Code | 2026-04-07 | 8.4 High |
| Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI. | ||||
| CVE-2026-35021 | 1 Anthropic | 2 Claude Agent Sdk For Python, Claude Code | 2026-04-07 | 7.8 High |
| Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $() or backtick expressions into file paths that are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) do not prevent command substitution within double quotes, allowing injected expressions to be evaluated and resulting in arbitrary command execution with the privileges of the user running the CLI. | ||||
| CVE-2026-35022 | 1 Anthropic | 2 Claude Agent Sdk For Python, Claude Code | 2026-04-07 | 9.8 Critical |
| Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration. | ||||
| CVE-2026-5679 | 1 Totolink | 2 A3300r, A3300r Firmware | 2026-04-07 | 5.5 Medium |
| A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument stun_pass leads to os command injection. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-5707 | 1 Aws | 1 Research And Engineering Studio | 2026-04-07 | 8.8 High |
| Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment. | ||||
| CVE-2026-5709 | 1 Aws | 1 Research And Engineering Studio | 2026-04-07 | 8.8 High |
| Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment. | ||||
| CVE-2026-5688 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2026-04-07 | 7.3 High |
| A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument provider leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-5689 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2026-04-07 | 7.3 High |
| A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setNtpCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument tz results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | ||||
| CVE-2026-5690 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2026-04-07 | 7.3 High |
| A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. | ||||
| CVE-2026-5691 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2026-04-07 | 7.3 High |
| A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setFirewallType of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument firewallType leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-5692 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2026-04-07 | 7.3 High |
| A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit has been made public and could be used. | ||||
| CVE-2026-4465 | 2 D-link, Dlink | 3 Dir-513, Dir-513, Dir-513 Firmware | 2026-04-07 | 6.3 Medium |
| A flaw has been found in D-Link DIR-513 1.10. The impacted element is an unknown function of the file /goform/formSysCmd. Executing a manipulation of the argument sysCmd can lead to os command injection. The attack may be launched remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2026-4499 | 2 D-link, Dlink | 3 Dir-820lw, Dir-820lw, Dir-820lw Firmware | 2026-04-07 | 7.3 High |
| A vulnerability was determined in D-Link DIR-820LW 2.03. Affected is the function ssdpcgi_main of the component SSDP. Executing a manipulation can lead to os command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-24154 | 1 Nvidia | 21 Jetson Agx Orin 32gb, Jetson Agx Orin 64gb, Jetson Agx Orin Developer Kit and 18 more | 2026-04-07 | 7.6 High |
| NVIDIA Jetson Linux has vulnerability in initrd, where an unprivileged attacker with physical access coul inject incorrect command line arguments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, data tampering, and information disclosure. | ||||
| CVE-2026-35386 | 1 Openbsd | 1 Openssh | 2026-04-07 | 3.6 Low |
| In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. | ||||
| CVE-2026-5485 | 1 Amazon | 1 Amazon Athena Odbc Driver | 2026-04-07 | 7.8 High |
| OS command injection in the browser-based authentication component in Amazon Athena ODBC driver before 2.0.5.1 on Linux might allow a threat actor to execute arbitrary code by using specially crafted connection parameters that are loaded by the driver during a local user-initiated connection. To remediate this issue, users should upgrade to version 2.0.5.1 or later. | ||||
| CVE-2026-31067 | 1 Utt | 1 520w | 2026-04-07 | 6.8 Medium |
| A remote command execution (RCE) vulnerability in the /goform/formReleaseConnect component of UTT Aggressive 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string. | ||||