Skip to main content

Command Injection

7746 CVEs technique

Monthly

CVE-2026-33648 PHP HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a command injection vulnerability in the restreamer endpoint that allows authenticated attackers to execute arbitrary commands on the server. The vulnerability stems from unsanitized user input (users_id and liveTransmitionHistory_id parameters) being embedded directly into shell commands via exec(). With a CVSS score of 8.8, this critical vulnerability requires low attack complexity and low privileges, enabling complete system compromise including data theft, modification, and denial of service.

Command Injection Avideo
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-15519 HIGH PATCH NEWS This Week

A command injection vulnerability exists in the modem-management administrative CLI of TP-Link Archer NX-series routers (NX200, NX210, NX500, NX600) due to improper input handling in CLI commands. An authenticated attacker with administrative privileges can inject crafted input into vulnerable CLI parameters to execute arbitrary operating system commands, compromising the confidentiality, integrity, and availability of the device. A patch is available from TP-Link, and no public exploit or active exploitation has been confirmed at this time.

TP-Link Command Injection
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-15518 HIGH PATCH NEWS This Week

A command injection vulnerability exists in the wireless-control administrative CLI command of TP-Link Archer NX series routers (models NX200, NX210, NX500, and NX600) due to improper input handling that allows crafted input to be executed as part of operating system commands. An authenticated attacker with administrative privileges can exploit this vulnerability to execute arbitrary commands on the device, compromising confidentiality, integrity, and availability. Patches are available from the vendor for all affected models and versions.

TP-Link Command Injection
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-4591 LOW POC Monitor

The fileThumb endpoint in Kodbox 1.64 contains an OS command injection vulnerability in the checkBin function that allows authenticated remote attackers to execute arbitrary commands with the privileges of the web server process. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with high-level privileges can leverage this to achieve remote code execution on affected systems.

PHP Command Injection
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-32968 CRITICAL Act Now

This is a critical OS command injection vulnerability in the com_mb24sysapi module of several MB Connect Line and Helmholz industrial remote access products. An unauthenticated remote attacker can execute arbitrary OS commands without any user interaction, leading to complete system compromise. This is a variant of CVE-2020-10383, suggesting similar attack patterns may be applicable, and the 9.8 CVSS score reflects the severe nature of network-accessible, authentication-free remote code execution in industrial control system components.

Command Injection Mb Connect Line Mbconnect24 Mymbconnect24 Myrex24V2 Myrex24V2 Virtual
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4585 HIGH POC This Week

A critical OS command injection vulnerability exists in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0, specifically in the ImportSystemConfiguration.jsp file's Configuration Handler. Attackers can remotely execute arbitrary operating system commands without authentication by manipulating the 'File' parameter. A public proof-of-concept exploit has been disclosed and is available, significantly increasing the risk of active exploitation, though the vendor has not responded to disclosure attempts.

Command Injection Easy7 Integrated Management Platform
NVD VulDB
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-24516 Go HIGH PATCH This Week

A critical command injection vulnerability exists in DigitalOcean Droplet Agent through version 1.3.2, where the troubleshooting actioner component processes metadata from the metadata service endpoint without adequate input validation, allowing attackers who can control metadata responses to inject and execute arbitrary OS commands with root privileges. An attacker can trigger the vulnerability by sending a TCP packet with specific sequence numbers to the SSH port, causing the agent to fetch and execute malicious commands from the metadata service, potentially leading to complete system compromise, data exfiltration, and lateral movement across cloud infrastructure. A public proof-of-concept exists at https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE, indicating active research and potential exploitation risk.

Command Injection Privilege Escalation RCE Code Injection Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4558 HIGH POC This Week

OS command injection in Linksys MR9600 mesh router firmware 2.0.6.206937 allows authenticated remote attackers to execute arbitrary system commands with router privileges via crafted Smart Connect configuration parameters. The vulnerability exists in the SmartConnect.lua file's smartConnectConfigure function, which fails to sanitize user input in configApSsid, configApPassphrase, srpLogin, and srpPassword arguments before passing them to system commands. Publicly available exploit code exists (GitHub POC), but EPSS indicates low (0.15%) exploitation probability and CISA has not listed this in KEV, suggesting limited real-world targeting. Vendor (Linksys) did not respond to researcher disclosure.

Linksys Command Injection
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.2%
CVE-2026-4554 LOW POC Monitor

Unauthenticated attackers can execute arbitrary commands on Tenda F453 routers (version 1.0.0.3) by injecting malicious input through the mac parameter in the /goform/WriteFacMac endpoint. Public exploit code exists for this vulnerability, enabling remote code execution with minimal attack complexity. A patch is not currently available.

Tenda Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
2.7%
CVE-2026-4543 LOW POC Monitor

Wavlink WL-WN578W2 routers contain a command injection vulnerability in the /cgi-bin/firewall.cgi POST handler that allows authenticated attackers to execute arbitrary commands by manipulating the dmz_flag or del_flag parameters. The vulnerability is remotely exploitable and has public exploit code available, though no patch has been released. An attacker with network access and valid credentials could achieve code execution with the privileges of the web service.

Command Injection Wl Wn578w2
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-4537 LOW POC Monitor

Command injection in the IPSec controller of Cudy TR1200 routers (R46-2.4.15-20250721-164017) allows remote attackers with administrative privileges to execute arbitrary commands through the action_ipsec_conn function. Public exploit code is available for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires high-level access but involves minimal complexity and affects confidentiality, integrity, and availability.

Command Injection Tr1200
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-32056 npm HIGH POC PATCH GHSA This Week

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist protections. Authenticated remote attackers with low privileges can inject malicious shell startup files (.bash_profile, .zshenv) via unsanitized HOME and ZDOTDIR variables to achieve arbitrary code execution before allowlisted commands execute. A patch is available from the vendor via GitHub commit c2c7114ed39a547ab6276e1e933029b9530ee906.

RCE Command Injection Openclaw
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-32052 npm MEDIUM POC PATCH This Month

OpenClaw versions before 2026.2.24 allow authenticated attackers to execute arbitrary commands through command injection in the system.run shell-wrapper by injecting malicious arguments that bypass validation controls. Public exploit code exists for this vulnerability, enabling attackers to disguise malicious payloads while executing hidden commands with the privileges of the affected application.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-33507 PHP HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.

PHP RCE CSRF Command Injection Path Traversal +1
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-33482 PHP HIGH This Week

Remote code execution in PHP ffmpeg integration allows unauthenticated attackers to execute arbitrary OS commands on standalone encoder servers by bypassing incomplete input sanitization that fails to filter bash command substitution syntax. The vulnerable `sanitizeFFmpegCommand()` function strips common shell metacharacters but permits `$()` notation, which can be injected through crafted encrypted payloads and executed in a double-quoted shell context. No patch is currently available.

RCE PHP Command Injection
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-33478 PHP CRITICAL POC PATCH GHSA Act Now

A critical authentication bypass and command injection vulnerability chain in AVideo's CloneSite plugin allows completely unauthenticated remote attackers to achieve full system compromise. The vulnerability affects AVideo installations with the CloneSite plugin enabled, allowing attackers to steal clone authentication keys, dump the entire database including MD5-hashed admin credentials, crack those credentials trivially, and finally execute arbitrary system commands via an rsync command injection. A detailed proof-of-concept demonstrating the complete attack chain is publicly available in the GitHub security advisory, making this an immediate exploitation risk.

RCE Command Injection PHP
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
3.0%
CVE-2026-4499 MEDIUM POC This Month

An OS command injection vulnerability exists in the D-Link DIR-820LW router firmware version 2.03, specifically in the ssdpcgi_main function of the SSDP component. The vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands via manipulation of the HTTP_ST environment variable. A proof-of-concept exploit has been publicly disclosed on GitHub, making this an immediate concern for organizations using affected devices.

Command Injection D-Link
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.7%
CVE-2026-4497 MEDIUM POC This Month

A critical OS command injection vulnerability exists in Totolink WA300 router firmware version 5.2cu.7112_B20190227, specifically in the recvUpgradeNewFw function within /cgi-bin/cstecgi.cgi. An unauthenticated remote attacker can exploit this flaw to execute arbitrary operating system commands on the affected device. A public proof-of-concept exploit has been released on GitHub, significantly lowering the barrier to exploitation and increasing real-world risk.

Command Injection Wa300
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
1.9%
CVE-2026-4496 LOW POC PATCH Monitor

Local command injection in sigmade Git-MCP-Server's merge diff functions allows authenticated local attackers to execute arbitrary OS commands through unsanitized input passed to child_process.exec in src/gitUtils.ts. Public exploit code exists for this vulnerability, increasing the risk of active abuse. A patch is available and should be applied immediately, as the vendor has not responded to early disclosure notifications.

Command Injection Git Mcp Server
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.2%
CVE-2025-15607 HIGH PATCH This Week

A command injection vulnerability exists in TP-Link AX53 v1 devices within the mscd debug functionality that allows authenticated attackers to execute arbitrary commands with full device control. The vulnerability stems from insufficient input validation on log redirection parameters, which can be abused to concatenate unvalidated file content into shell commands. A vendor patch is available, and this represents a critical control-plane compromise vector for affected router devices.

Command Injection Ax53 V1
NVD VulDB
CVSS 4.0
7.3
EPSS
0.5%
CVE-2026-22897 HIGH PATCH This Week

Remote command execution in QuNetSwitch versions prior to 2.0.4.0415 allows unauthenticated attackers to execute arbitrary system commands over the network with no user interaction required. The vulnerability stems from improper input validation in command processing functions, enabling complete system compromise. No patch is currently available for affected versions.

Command Injection Qunetswitch
NVD VulDB
CVSS 4.0
8.1
EPSS
1.1%
CVE-2026-22901 MEDIUM PATCH This Month

Command injection in QuNetSwitch allows authenticated remote attackers to execute arbitrary commands on affected systems with high impact to confidentiality and integrity. The vulnerability requires valid user credentials to exploit but poses significant risk to systems running versions prior to 2.0.5.0906. No patch is currently available for this CVSS 6.3 medium-severity issue.

Command Injection Qunetswitch
NVD VulDB
CVSS 4.0
6.3
EPSS
1.0%
CVE-2026-22902 MEDIUM PATCH This Month

Arbitrary command execution in QuNetSwitch can be achieved by local attackers with administrator privileges due to insufficient input validation in command processing. This vulnerability affects QuNetSwitch versions prior to 2.0.5.0906, allowing authenticated high-privilege users to bypass security controls and execute system commands. No patch is currently available for affected versions.

Command Injection Qunetswitch
NVD VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-32950 HIGH PATCH This Week

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

SQLi RCE PostgreSQL Command Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-4468 LOW Monitor

Command injection in Comfast CF-AC100 2.6.0.8 allows remote attackers to execute arbitrary commands through the /cgi-bin/mbox-config endpoint with high privileges. The vulnerability requires administrative credentials but carries no authentication complexity, and public exploit code exists with no vendor patch available. Affected devices can be compromised remotely to achieve command execution with limited scope.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-4467 LOW Monitor

Command injection in Comfast CF-AC100 2.6.0.8 wireless configuration endpoint allows unauthenticated remote attackers to execute arbitrary commands with elevated privileges through the /cgi-bin/mbox-config interface. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires network access but no user interaction, making it readily exploitable in exposed deployments.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-4466 LOW Monitor

Command injection in Comfast CF-AC100 2.6.0.8 allows authenticated remote attackers to execute arbitrary commands via the /cgi-bin/mbox-config endpoint's ntp_timezone parameter. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to disclosure notifications. An attacker with high-level privileges can leverage this to compromise device integrity and confidentiality.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-4465 LOW Monitor

OS command injection in D-Link DIR-513 1.10 via the /goform/formSysCmd endpoint allows authenticated remote attackers to execute arbitrary commands with network access. The vulnerability stems from insufficient input validation of the sysCmd parameter and has public exploit code available. No patch is available, and affected devices are no longer supported by D-Link.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.5%
CVE-2025-63261 HIGH This Week

AWStats 8.0 contains a command injection vulnerability in the open function that allows attackers to execute arbitrary system commands. The vulnerability affects the AWStats web analytics application, and attackers can exploit this flaw to achieve remote code execution on systems running vulnerable versions. A proof-of-concept has been documented in the referenced pentest-tools PDF, indicating practical exploitability.

Command Injection
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-32034 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.21 allow authenticated attackers to bypass device identity verification and gain high-privilege Control UI access when insecure authentication is enabled and the gateway uses unencrypted HTTP. An attacker with compromised credentials can exploit the lack of secure authentication enforcement to obtain unauthorized control access. The vulnerability requires network access and valid credentials but poses significant risk in environments where plaintext HTTP is used.

Authentication Bypass Command Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.1%
CVE-2026-32010 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 allow local authenticated attackers to bypass the safe-bin allowlist by exploiting sort's --compress-program flag, enabling execution of arbitrary programs despite allowlist restrictions. This command injection vulnerability affects deployments using safe-bin configuration with ask=on-miss mode enabled, permitting unauthorized code execution without operator approval.

Command Injection Openclaw
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-32003 npm MEDIUM PATCH GHSA This Month

OpenClaw versions before 2026.2.22 allow high-privileged attackers to execute arbitrary shell commands by injecting malicious environment variables into the system.run function, bypassing the intended command allowlist protections. By exploiting bash xtrace expansion through SHELLOPTS and PS4 variables, an attacker with request-scoped environment variable access can achieve code execution beyond the restricted command set. No patch is currently available for this command injection vulnerability.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-32194 CRITICAL PATCH Act Now

A critical command injection vulnerability exists in Microsoft Bing Images that allows unauthenticated remote attackers to execute arbitrary commands on affected systems. The vulnerability stems from improper neutralization of special characters in user-supplied input, enabling attackers to inject and execute system commands without any user interaction or authentication. With a CVSS score of 9.8 and requiring no special privileges or user interaction, this represents a severe risk to any exposed Bing Images deployments.

Command Injection Microsoft
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-32191 CRITICAL PATCH Act Now

A critical OS command injection vulnerability exists in Microsoft Bing Images that allows remote attackers to execute arbitrary commands without authentication. The vulnerability enables complete system compromise with high impact to confidentiality, integrity, and availability. With a CVSS score of 9.8 and requiring no user interaction, this represents a severe risk to any systems running vulnerable versions of Bing Images.

Command Injection Microsoft
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-26136 MEDIUM PATCH This Month

Microsoft Copilot is vulnerable to command injection through improper neutralization of special elements in user input, allowing an unauthenticated attacker to execute arbitrary commands and disclose sensitive information over the network. The vulnerability affects Microsoft Copilot (version details unspecified in available advisories) and requires user interaction to trigger. While no public proof-of-concept or active exploitation in the wild has been confirmed in the provided intelligence, the moderate CVSS score of 6.5 with high confidentiality impact warrants prompt patching.

Command Injection Microsoft
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24299 MEDIUM PATCH This Month

M365 Copilot is vulnerable to command injection that enables unauthenticated remote attackers to extract sensitive information through the network. The vulnerability stems from inadequate sanitization of special characters in command inputs, requiring user interaction to trigger. No patch is currently available for this medium-severity flaw.

Command Injection 365 Copilot
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32238 CRITICAL PATCH Act Now

Command injection in OpenEMR's backup functionality (versions prior to 8.0.0.2) allows authenticated high-privilege users to execute arbitrary commands on the underlying system due to insufficient input validation. The CVSS 9.1 critical rating reflects the potential for complete system compromise, though exploitation requires valid administrative credentials. No patch is currently available for affected versions.

Command Injection Openemr
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-33351 PHP CRITICAL Act Now

A Server-Side Request Forgery (SSRF) vulnerability in AVideo's Live plugin allows unauthenticated remote attackers to scan internal networks, access cloud metadata services, and bypass authentication mechanisms when the plugin is deployed in standalone mode. The vulnerability exists because user-controlled input is directly used to construct URLs for server-side requests without validation, enabling attackers to proxy requests through the vulnerable server and potentially chain this with command execution. With a CVSS score of 9.1 and requiring no authentication or user interaction, this represents a critical security risk for affected deployments.

PHP Authentication Bypass Information Disclosure Command Injection SSRF
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33310 PyPI HIGH PATCH This Week

Unauthenticated remote code execution in catalog parsing allows attackers to execute arbitrary commands on the host system by embedding shell() syntax in malicious catalog YAML files accessed by users. The vulnerability exploits automatic expansion of parameter default values during catalog source loading without proper sanitization. No patch is currently available, and exploitation requires only user interaction to load a compromised catalog.

Command Injection Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-33319 PHP MEDIUM This Month

A command injection vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.

PHP RCE Command Injection
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-32000 npm MEDIUM PATCH This Month

Command injection in OpenClaw versions before 2026.2.19 allows local attackers with limited privileges to execute arbitrary commands when the Lobster extension tool falls back to Windows shell execution after subprocess failures. The vulnerability exists because the tool uses shell: true after spawn errors, enabling attackers to inject shell metacharacters into command arguments. A patch is available for affected users.

Command Injection Microsoft Windows
NVD GitHub VulDB
CVSS 4.0
5.8
EPSS
0.1%
CVE-2026-31999 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.1 contain a current working directory (cwd) injection vulnerability in Windows wrapper resolution for .cmd/.bat files that allows local attackers to manipulate command execution through directory control during shell fallback mechanisms. An authenticated local attacker with low privileges can exploit this vulnerability to achieve command execution integrity loss by controlling the working directory, potentially leading to unauthorized code execution or privilege escalation. While no active in-the-wild exploitation has been reported in KEV databases, the vulnerability is documented with a proof-of-concept available through the vendor's security advisory on GitHub.

Command Injection Microsoft Openclaw Windows
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-31996 npm LOW PATCH Monitor

OpenClaw versions prior to 2026.2.19 contain an input validation bypass in the tools.exec.safeBins component that allows local attackers with command execution privileges to circumvent stdin-only restrictions and perform arbitrary filesystem operations. By exploiting sort output flags (specifically the -o flag for arbitrary file writes) or recursive grep flags (-R for recursive file reads), authenticated attackers can read sensitive files or overwrite critical files despite intended access controls. While the CVSS score of 3.6 is moderate and requires local access with low privileges, the vulnerability represents a privilege escalation or sandbox escape technique rather than a critical remote exploit.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-31995 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.19 allow local attackers with limited privileges to execute arbitrary commands through the Lobster extension's Windows shell fallback mechanism by injecting malicious arguments into workflow processes. The vulnerability exploits cmd.exe command interpretation when spawn operations fail and trigger shell execution, enabling command injection with potential impact on system integrity and availability. A patch is available for affected versions.

Command Injection Microsoft Openclaw Windows
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-31994 npm HIGH PATCH This Week

OpenClaw contains a local command injection vulnerability in Windows scheduled task script generation that allows authenticated local attackers to inject arbitrary commands through unsafe handling of cmd metacharacters and CR/LF sequences in gateway.cmd files. OpenClaw versions prior to 2026.2.19 are affected. Attackers with control over service script generation arguments can execute unintended code in the scheduled task context with high impact to integrity and availability.

Command Injection Microsoft Openclaw Windows
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-29607 npm HIGH PATCH This Week

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in its allow-always wrapper persistence mechanism that enables remote code execution. Attackers with high privileges and user interaction can approve benign wrapped system.run commands, then subsequently execute arbitrary different payloads without requiring additional approval, compromising both gateway and node-host execution environments. A patch is available from the vendor, and this vulnerability is tagged as enabling both RCE and command injection attacks.

RCE Command Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-28460 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the system.run function that allows authenticated attackers to execute non-allowlisted commands by exploiting shell line-continuation characters to fold malicious command substitution past security controls. An attacker with low privileges (PR:L) can inject shell metacharacters (specifically $\ followed by newline and parenthesis within double quotes) to circumvent approval boundaries and execute arbitrary commands, resulting in integrity compromise and potential availability impact. A public advisory and patch are available from the vendor, though no EPSS score or KEV status was provided in the intelligence sources.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-27566 npm HIGH PATCH This Week

OpenClaw contains an allowlist bypass vulnerability in its system.run exec analysis that fails to properly unwrap wrapper binaries like env and bash. Attackers with low-level privileges can chain wrapper binaries to smuggle malicious commands that appear to satisfy allowlist entries while actually executing non-allowlisted payloads. A patch is available from the vendor, and the vulnerability was disclosed through VulnCheck advisory; no public proof-of-concept code or active exploitation (KEV listing) has been reported at this time.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-22176 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.19 allow local authenticated users to execute arbitrary commands by injecting shell metacharacters into environment variable values during Windows Scheduled Task script generation. The vulnerability stems from unquoted variable assignments in gateway.cmd that fail to sanitize special characters like &, |, ^, %, and !, enabling command injection when the task script runs. A patch is available to address this local privilege escalation risk.

Command Injection Microsoft Openclaw Windows
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-67113 CRITICAL Act Now

OS command injection in the CWMP client (/ftl/bin/cwmp) of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers controlling the ACS endpoint to execute arbitrary commands as root via a crafted...

Command Injection Code Injection RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-33057 PyPI CRITICAL POC PATCH Act Now

An unauthenticated remote code execution vulnerability exists in the mesop Python package's debugging Flask server endpoint (/exec-py) that accepts and executes arbitrary base64-encoded Python code without any authentication or validation. The vulnerability affects the mesop pip package, with a publicly disclosed proof-of-concept demonstrating trivial exploitation requiring only a single HTTP POST request. With a CVSS score of 9.8 (Critical) and detailed PoC availability, this represents an immediately exploitable vulnerability for any exposed instance.

Command Injection Python RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-33067 Go CRITICAL PATCH Act Now

SiYuan's Bazaar marketplace fails to sanitize package metadata (displayName, description) before rendering in the Electron desktop application, allowing stored XSS that escalates to arbitrary remote code execution. Any SiYuan user (versions ≤3.5.9) who browses the Bazaar will automatically execute attacker-controlled code with full OS-level privileges when a malicious package card renders-no installation or user interaction required. A functional proof-of-concept exists demonstrating command execution via img onerror handlers, and this vulnerability is actively tracked in GitHub's advisory database (GHSA-mvpm-v6q4-m2pf), making it a critical supply-chain risk to the SiYuan user community.

Command Injection Apple Microsoft XSS RCE +4
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.4%
CVE-2026-22317 HIGH PATCH This Week

Arbitrary command execution with root privileges affects multiple Fl Switch and Fl Nat devices through improper handling of HTTP POST requests in the Root CA certificate transfer workflow. An authenticated high-privileged attacker can exploit this command injection flaw to execute arbitrary commands on the underlying Linux operating system. No patch is currently available for the affected product versions.

Command Injection Fl Switch 2316 Pn Fl Switch 2005 Fl Switch Tsn 2316 Fl Switch 2206 2fx Sm +67
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-22179 npm HIGH PATCH This Week

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the macOS node-host system.run function that permits remote attackers with high privileges to execute arbitrary commands by exploiting improper parsing of command substitution tokens. Attackers can craft malicious shell payloads using command substitution syntax within double-quoted strings to circumvent security allowlists and achieve code execution. A patch is available from the vendor, and the vulnerability has been documented by VulnCheck with public advisory and GitHub security advisory references.

Command Injection Apple macOS
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-22169 npm HIGH PATCH This Week

OpenClaw versions before 2026.2.22 allow local attackers with high privileges to execute arbitrary commands through a safeBins allowlist bypass in the compress-program option, enabling unauthorized external program execution despite security constraints. The vulnerability exploits improper validation of the sort tool configuration to circumvent intended access controls. A patch is available to remediate this command injection flaw.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-28673 HIGH PATCH This Week

xiaoheiFS versions up to and including 0.3.15 contain a critical remote code execution vulnerability in the plugin upload mechanism. Administrators can upload plugin ZIP files containing arbitrary binaries which the server executes without validation based on the manifest.json 'binaries' field. This allows authenticated administrators with high privileges to achieve full system compromise by uploading malicious plugin packages.

RCE Command Injection Xiaoheifs
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-27811 HIGH This Week

Roxy-WI versions prior to 8.2.6.3 contain a command injection vulnerability in the configuration comparison endpoint that allows authenticated users to execute arbitrary system commands on the host server. The flaw stems from unsanitized user input being directly embedded into template strings executed by the application. An attacker with valid credentials can exploit this to achieve full system compromise with high impact on confidentiality, integrity, and availability.

Command Injection Apache Nginx
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-30703 CRITICAL Act Now

Unauthenticated remote code execution in WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) via command injection in the adm.cgi sysCMD parameter allows attackers to achieve complete system compromise without authentication or user interaction. The vulnerability stems from insufficient input validation on the web management interface and currently lacks a vendor patch.

Command Injection
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-14031 HIGH PATCH This Week

IBM Sterling B2B Integrator and IBM Sterling File Gateway contain a denial-of-service vulnerability that allows an unauthenticated remote attacker to crash the application by sending a specially crafted request. The vulnerability affects multiple versions of both products (6.1.0.0 through 6.2.2.0 ranges) and has a high CVSS score of 7.5 due to its network-based attack vector requiring no authentication or user interaction. A patch is available from IBM, and there is no indication of active exploitation in the wild or public proof-of-concept availability at this time.

IBM Command Injection Sterling B2b Integrator
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32298 HIGH This Week

OS command execution in Angeet ES3 KVM allows authenticated administrators to execute arbitrary system commands through improper input validation in the cfg.lua script. An attacker with high-level privileges can leverage this vulnerability to achieve complete system compromise with high impact on confidentiality, integrity, and availability. No patch is currently available for this critical vulnerability.

Command Injection Es3 Kvm
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-23759 HIGH PATCH This Week

Authenticated attackers can execute arbitrary commands as root on Perle IOLAN STS and SCS terminal servers (firmware <6.0) by injecting shell metacharacters through the restricted shell's 'ps' command. This command injection flaw (CWE-78) allows full operating system compromise after gaining access via Telnet or SSH. VulnCheck reported this vulnerability with vendor patch now available in firmware 6.0. EPSS score of 0.14% (34th percentile) indicates low predicted exploitation probability, and no active exploitation or public POC has been identified at time of analysis.

Command Injection Iolan Sts Iolan Scs
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-32759 Go MEDIUM PATCH This Month

Docker TUS resumable upload handler allows authenticated users to trigger arbitrary `after_upload` hooks unlimited times by supplying a negative value in the Upload-Length header, causing command execution with zero bytes actually uploaded. The integer overflow flaw in the completion logic (CWE-190) bypasses file upload requirements and enables privilege escalation through hook execution. No patch is currently available.

Integer Overflow Command Injection Denial Of Service Docker
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
1.0%
CVE-2026-32751 Go CRITICAL PATCH Act Now

SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.

Docker RCE XSS Node.js Command Injection +4
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.4%
CVE-2026-4253 LOW POC Monitor

OS command injection in Tenda AC8 16.03.50.11 web interface allows authenticated remote attackers to execute arbitrary commands through the wans.policy.list1 parameter in the /cgi-bin/UploadCfg endpoint. Public exploit code exists for this vulnerability and no patch is currently available.

Tenda Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.6%
CVE-2026-23862 HIGH PATCH This Week

Dell ThinOS 10 versions before 2602_10.0573 contain a command injection flaw that allows local attackers with low privileges to execute arbitrary commands and escalate their access rights. The vulnerability stems from improper sanitization of special elements in user-supplied input, requiring only local access and no user interaction to exploit. No patch is currently available.

Dell Command Injection
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-32608 PyPI HIGH PATCH This Week

Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.

Privilege Escalation Nginx Python Command Injection Docker +1
NVD GitHub VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-4198 LOW Monitor

Local command injection in hypermodel-labs mcp-server-auto-commit 1.0.0 via the getGitChanges function in index.ts allows authenticated local attackers to execute arbitrary commands with the privileges of the affected process. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.

Command Injection
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.2%
CVE-2026-4197 LOW Monitor

Command injection in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-325 series, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 up to firmware version 20260205) allows authenticated remote attackers to execute arbitrary commands through the /cgi-bin/download_mgr.cgi file's RSS management functions. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4196 LOW Monitor

Command injection in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-323-327L, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, DNS-1550-04 through firmware version 20260205) allows authenticated remote attackers to execute arbitrary commands via the /cgi-bin/remote_backup.cgi backup scheduling functions. Public exploit code exists for this vulnerability and no patch is currently available.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4195 LOW Monitor

Command injection in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-323 through DNS-1550-04 with firmware prior to 20260205) allows authenticated remote attackers to execute arbitrary commands via the /cgi-bin/wizard_mgr.cgi endpoint. Public exploit code is available and no patch is currently available for affected users.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-4228 LOW POC Monitor

Command injection in LB-LINK BL-WR9000 2.4.9 via the /goform/set_wifi endpoint allows authenticated remote attackers to execute arbitrary commands with network access. Public exploit code is available for this vulnerability, and no patch has been released by the vendor despite early disclosure notification.

Command Injection Bl Wr9000
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-31386 HIGH This Week

OS command injection in OpenLiteSpeed and LSWS Enterprise web servers from LiteSpeed Technologies allows administrative users to execute arbitrary operating system commands on the host. The flaw affects all versions of both products per ENISA EUVD and was reported by JPCERT/CC via JVN. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.16%, 37th percentile), but the high CVSS 4.0 score (8.6) reflects full confidentiality, integrity, and availability impact on the underlying host.

Command Injection Openlitespeed Lsws Enterprise
NVD VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-4210 LOW POC Monitor

Command injection in D-Link NAS devices (DNS-320, DNS-327L, DNS-345 and others) through the time_machine.cgi script allows authenticated remote attackers to execute arbitrary commands with network access. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-4209 LOW POC Monitor

Command injection in D-Link NAS devices (DNS-120, DNS-325, DNR-322L, DNS-327L and others) allows authenticated remote attackers to execute arbitrary commands through multiple user and group management CGI functions. Public exploit code exists for this vulnerability, and patches are not currently available. An attacker with valid credentials could leverage this to compromise the NAS system and potentially access or manipulate stored data.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4207 LOW POC Monitor

Command injection in D-Link NAS devices (DNS-320, DNS-325, DNS-343, DNR-322L and others) through the /cgi-bin/system_mgr.cgi interface allows authenticated remote attackers to execute arbitrary commands. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4206 LOW POC Monitor

A security vulnerability in A vulnerability (CVSS 6.3). Risk factors: public PoC available.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4205 LOW POC Monitor

A security vulnerability in A vulnerability (CVSS 6.3). Risk factors: public PoC available.

Command Injection D-Link
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4204 LOW POC Monitor

A security vulnerability in A flaw (CVSS 6.3). Risk factors: public PoC available.

Command Injection D-Link
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-4203 LOW POC Monitor

Command injection in D-Link DNS and DNR network attached storage devices allows authenticated remote attackers to execute arbitrary commands through multiple CGI functions in the network management interface. The vulnerability affects numerous models up to firmware version 20260205, and public exploit code is available. An attacker with valid credentials can leverage this to compromise device integrity and potentially access the network.

Command Injection D-Link
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4199 LOW POC PATCH Monitor

Command injection in bazinga012 mcp_code_executor up to version 0.3.0 allows local attackers with user-level privileges to execute arbitrary commands through the installDependencies function in src/index.ts. Public exploit code exists for this vulnerability, affecting Python and Node.js environments. A patch is available and should be applied to remediate this local privilege escalation risk.

Command Injection Mcp Code Executor
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.2%
CVE-2025-69902 CRITICAL Act Now

A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters.

Command Injection RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4192 LOW POC Monitor

Remote command injection in Quip MCP Server 1.0.0 allows authenticated attackers to execute arbitrary system commands through the setupToolHandlers function in src/index.ts. Public exploit code exists for this vulnerability, and the developers have not yet released a patch despite early notification. The attack requires valid credentials but can be performed over the network with no user interaction needed.

Command Injection Quip Mcp Server
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-14287 PyPI HIGH PATCH This Week

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.

Command Injection RCE Code Injection Mlflow Mlflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4170 HIGH POC This Week

Critical OS command injection vulnerability in Topsec TopACM 3.0's web management interface that allows unauthenticated remote attackers to execute arbitrary system commands. A public proof-of-concept exploit is available, and the vulnerability has a CVSS score of 9.8, though no active exploitation has been confirmed in CISA's KEV catalog. The vendor has not responded to disclosure attempts, leaving systems unpatched.

Command Injection PHP
NVD VulDB
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-4164 HIGH POC PATCH This Week

Critical command injection vulnerability in Wavlink WL-WN578W2 wireless routers (firmware version 221110) that allows unauthenticated remote attackers to execute arbitrary commands via specially crafted POST requests to multiple functions in the wireless.cgi script. A public proof-of-concept exploit is available on GitHub, and the vendor has released a patch, making this a high-priority issue for immediate remediation despite no current KEV listing.

Command Injection Wl Wn578w2
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-4163 HIGH POC PATCH This Week

Critical command injection vulnerability in Wavlink WL-WN579A3 wireless router firmware version 220323, allowing unauthenticated remote attackers to execute arbitrary commands via the SetName/GuestWifi functions in /cgi-bin/wireless.cgi. A public proof-of-concept exploit is available, and while a vendor patch exists, the vulnerability has not yet been added to CISA's KEV catalog despite its high severity (CVSS 9.8).

Command Injection Wl Wn579a3
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.2%
CVE-2025-54920 Maven HIGH PATCH This Week

This issue affects Apache Spark: before 3.5.7 and 4.0.1.

Command Injection RCE Deserialization Apache Red Hat
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-3227 HIGH PATCH This Week

Authenticated attackers can achieve root-level command execution on TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 routers by uploading a malicious configuration file through the import function, exploiting improper input validation in the port-trigger processing logic. Successful exploitation grants complete control over the affected device, allowing full compromise of the router and any connected network. A patch is available for this high-severity vulnerability.

TP-Link Command Injection Tl Wr802n V4 Tl Wr841n V14 Tl Wr840n V6
NVD VulDB
CVSS 4.0
8.5
EPSS
0.4%
CVE-2026-26133 HIGH PATCH This Week

CVE-2026-26133 is an AI command injection vulnerability in Microsoft 365 Copilot and multiple Microsoft mobile/desktop applications that allows remote attackers to disclose sensitive information through crafted AI prompts. The vulnerability affects numerous Microsoft products across iOS, Android, and macOS platforms, requires user interaction, and has a patch available from Microsoft with no current evidence of active exploitation (not in KEV).

Command Injection Microsoft 365 Copilot For Android Microsoft 365 Copilot For Ios Microsoft Edge For Android Microsoft Edge For Ios +16
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-15060 CRITICAL Act Now

Command injection RCE in claude-hovercraft tool. EPSS 1.3%.

Command Injection RCE AI / ML Claude Hovercraft
NVD
CVSS 3.0
9.8
EPSS
1.3%
EPSS 0% CVSS 8.8
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a command injection vulnerability in the restreamer endpoint that allows authenticated attackers to execute arbitrary commands on the server. The vulnerability stems from unsanitized user input (users_id and liveTransmitionHistory_id parameters) being embedded directly into shell commands via exec(). With a CVSS score of 8.8, this critical vulnerability requires low attack complexity and low privileges, enabling complete system compromise including data theft, modification, and denial of service.

Command Injection Avideo
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

A command injection vulnerability exists in the modem-management administrative CLI of TP-Link Archer NX-series routers (NX200, NX210, NX500, NX600) due to improper input handling in CLI commands. An authenticated attacker with administrative privileges can inject crafted input into vulnerable CLI parameters to execute arbitrary operating system commands, compromising the confidentiality, integrity, and availability of the device. A patch is available from TP-Link, and no public exploit or active exploitation has been confirmed at this time.

TP-Link Command Injection
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

A command injection vulnerability exists in the wireless-control administrative CLI command of TP-Link Archer NX series routers (models NX200, NX210, NX500, and NX600) due to improper input handling that allows crafted input to be executed as part of operating system commands. An authenticated attacker with administrative privileges can exploit this vulnerability to execute arbitrary commands on the device, compromising confidentiality, integrity, and availability. Patches are available from the vendor for all affected models and versions.

TP-Link Command Injection
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

The fileThumb endpoint in Kodbox 1.64 contains an OS command injection vulnerability in the checkBin function that allows authenticated remote attackers to execute arbitrary commands with the privileges of the web server process. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with high-level privileges can leverage this to achieve remote code execution on affected systems.

PHP Command Injection
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

This is a critical OS command injection vulnerability in the com_mb24sysapi module of several MB Connect Line and Helmholz industrial remote access products. An unauthenticated remote attacker can execute arbitrary OS commands without any user interaction, leading to complete system compromise. This is a variant of CVE-2020-10383, suggesting similar attack patterns may be applicable, and the 9.8 CVSS score reflects the severe nature of network-accessible, authentication-free remote code execution in industrial control system components.

Command Injection Mb Connect Line Mbconnect24 Mymbconnect24 +2
NVD VulDB
EPSS 0% CVSS 8.9
HIGH POC This Week

A critical OS command injection vulnerability exists in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0, specifically in the ImportSystemConfiguration.jsp file's Configuration Handler. Attackers can remotely execute arbitrary operating system commands without authentication by manipulating the 'File' parameter. A public proof-of-concept exploit has been disclosed and is available, significantly increasing the risk of active exploitation, though the vendor has not responded to disclosure attempts.

Command Injection Easy7 Integrated Management Platform
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A critical command injection vulnerability exists in DigitalOcean Droplet Agent through version 1.3.2, where the troubleshooting actioner component processes metadata from the metadata service endpoint without adequate input validation, allowing attackers who can control metadata responses to inject and execute arbitrary OS commands with root privileges. An attacker can trigger the vulnerability by sending a TCP packet with specific sequence numbers to the SSH port, causing the agent to fetch and execute malicious commands from the metadata service, potentially leading to complete system compromise, data exfiltration, and lateral movement across cloud infrastructure. A public proof-of-concept exists at https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE, indicating active research and potential exploitation risk.

Command Injection Privilege Escalation RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

OS command injection in Linksys MR9600 mesh router firmware 2.0.6.206937 allows authenticated remote attackers to execute arbitrary system commands with router privileges via crafted Smart Connect configuration parameters. The vulnerability exists in the SmartConnect.lua file's smartConnectConfigure function, which fails to sanitize user input in configApSsid, configApPassphrase, srpLogin, and srpPassword arguments before passing them to system commands. Publicly available exploit code exists (GitHub POC), but EPSS indicates low (0.15%) exploitation probability and CISA has not listed this in KEV, suggesting limited real-world targeting. Vendor (Linksys) did not respond to researcher disclosure.

Linksys Command Injection
NVD VulDB GitHub
EPSS 3% CVSS 2.1
LOW POC Monitor

Unauthenticated attackers can execute arbitrary commands on Tenda F453 routers (version 1.0.0.3) by injecting malicious input through the mac parameter in the /goform/WriteFacMac endpoint. Public exploit code exists for this vulnerability, enabling remote code execution with minimal attack complexity. A patch is not currently available.

Tenda Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Wavlink WL-WN578W2 routers contain a command injection vulnerability in the /cgi-bin/firewall.cgi POST handler that allows authenticated attackers to execute arbitrary commands by manipulating the dmz_flag or del_flag parameters. The vulnerability is remotely exploitable and has public exploit code available, though no patch has been released. An attacker with network access and valid credentials could achieve code execution with the privileges of the web service.

Command Injection Wl Wn578w2
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Command injection in the IPSec controller of Cudy TR1200 routers (R46-2.4.15-20250721-164017) allows remote attackers with administrative privileges to execute arbitrary commands through the action_ipsec_conn function. Public exploit code is available for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires high-level access but involves minimal complexity and affects confidentiality, integrity, and availability.

Command Injection Tr1200
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist protections. Authenticated remote attackers with low privileges can inject malicious shell startup files (.bash_profile, .zshenv) via unsanitized HOME and ZDOTDIR variables to achieve arbitrary code execution before allowlisted commands execute. A patch is available from the vendor via GitHub commit c2c7114ed39a547ab6276e1e933029b9530ee906.

RCE Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

OpenClaw versions before 2026.2.24 allow authenticated attackers to execute arbitrary commands through command injection in the system.run shell-wrapper by injecting malicious arguments that bypass validation controls. Public exploit code exists for this vulnerability, enabling attackers to disguise malicious payloads while executing hidden commands with the privileges of the affected application.

Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.

PHP RCE CSRF +3
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Remote code execution in PHP ffmpeg integration allows unauthenticated attackers to execute arbitrary OS commands on standalone encoder servers by bypassing incomplete input sanitization that fails to filter bash command substitution syntax. The vulnerable `sanitizeFFmpegCommand()` function strips common shell metacharacters but permits `$()` notation, which can be injected through crafted encrypted payloads and executed in a double-quoted shell context. No patch is currently available.

RCE PHP Command Injection
NVD GitHub VulDB
EPSS 3% CVSS 10.0
CRITICAL POC PATCH Act Now

A critical authentication bypass and command injection vulnerability chain in AVideo's CloneSite plugin allows completely unauthenticated remote attackers to achieve full system compromise. The vulnerability affects AVideo installations with the CloneSite plugin enabled, allowing attackers to steal clone authentication keys, dump the entire database including MD5-hashed admin credentials, crack those credentials trivially, and finally execute arbitrary system commands via an rsync command injection. A detailed proof-of-concept demonstrating the complete attack chain is publicly available in the GitHub security advisory, making this an immediate exploitation risk.

RCE Command Injection PHP
NVD GitHub VulDB
EPSS 1% CVSS 5.5
MEDIUM POC This Month

An OS command injection vulnerability exists in the D-Link DIR-820LW router firmware version 2.03, specifically in the ssdpcgi_main function of the SSDP component. The vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands via manipulation of the HTTP_ST environment variable. A proof-of-concept exploit has been publicly disclosed on GitHub, making this an immediate concern for organizations using affected devices.

Command Injection D-Link
NVD VulDB GitHub
EPSS 2% CVSS 5.5
MEDIUM POC This Month

A critical OS command injection vulnerability exists in Totolink WA300 router firmware version 5.2cu.7112_B20190227, specifically in the recvUpgradeNewFw function within /cgi-bin/cstecgi.cgi. An unauthenticated remote attacker can exploit this flaw to execute arbitrary operating system commands on the affected device. A public proof-of-concept exploit has been released on GitHub, significantly lowering the barrier to exploitation and increasing real-world risk.

Command Injection Wa300
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Local command injection in sigmade Git-MCP-Server's merge diff functions allows authenticated local attackers to execute arbitrary OS commands through unsanitized input passed to child_process.exec in src/gitUtils.ts. Public exploit code exists for this vulnerability, increasing the risk of active abuse. A patch is available and should be applied immediately, as the vendor has not responded to early disclosure notifications.

Command Injection Git Mcp Server
NVD VulDB GitHub
EPSS 1% CVSS 7.3
HIGH PATCH This Week

A command injection vulnerability exists in TP-Link AX53 v1 devices within the mscd debug functionality that allows authenticated attackers to execute arbitrary commands with full device control. The vulnerability stems from insufficient input validation on log redirection parameters, which can be abused to concatenate unvalidated file content into shell commands. A vendor patch is available, and this represents a critical control-plane compromise vector for affected router devices.

Command Injection Ax53 V1
NVD VulDB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Remote command execution in QuNetSwitch versions prior to 2.0.4.0415 allows unauthenticated attackers to execute arbitrary system commands over the network with no user interaction required. The vulnerability stems from improper input validation in command processing functions, enabling complete system compromise. No patch is currently available for affected versions.

Command Injection Qunetswitch
NVD VulDB
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

Command injection in QuNetSwitch allows authenticated remote attackers to execute arbitrary commands on affected systems with high impact to confidentiality and integrity. The vulnerability requires valid user credentials to exploit but poses significant risk to systems running versions prior to 2.0.5.0906. No patch is currently available for this CVSS 6.3 medium-severity issue.

Command Injection Qunetswitch
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Arbitrary command execution in QuNetSwitch can be achieved by local attackers with administrator privileges due to insufficient input validation in command processing. This vulnerability affects QuNetSwitch versions prior to 2.0.5.0906, allowing authenticated high-privilege users to bypass security controls and execute system commands. No patch is currently available for affected versions.

Command Injection Qunetswitch
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

SQLi RCE PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Command injection in Comfast CF-AC100 2.6.0.8 allows remote attackers to execute arbitrary commands through the /cgi-bin/mbox-config endpoint with high privileges. The vulnerability requires administrative credentials but carries no authentication complexity, and public exploit code exists with no vendor patch available. Affected devices can be compromised remotely to achieve command execution with limited scope.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Command injection in Comfast CF-AC100 2.6.0.8 wireless configuration endpoint allows unauthenticated remote attackers to execute arbitrary commands with elevated privileges through the /cgi-bin/mbox-config interface. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires network access but no user interaction, making it readily exploitable in exposed deployments.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Command injection in Comfast CF-AC100 2.6.0.8 allows authenticated remote attackers to execute arbitrary commands via the /cgi-bin/mbox-config endpoint's ntp_timezone parameter. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to disclosure notifications. An attacker with high-level privileges can leverage this to compromise device integrity and confidentiality.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

OS command injection in D-Link DIR-513 1.10 via the /goform/formSysCmd endpoint allows authenticated remote attackers to execute arbitrary commands with network access. The vulnerability stems from insufficient input validation of the sysCmd parameter and has public exploit code available. No patch is available, and affected devices are no longer supported by D-Link.

D-Link Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

AWStats 8.0 contains a command injection vulnerability in the open function that allows attackers to execute arbitrary system commands. The vulnerability affects the AWStats web analytics application, and attackers can exploit this flaw to achieve remote code execution on systems running vulnerable versions. A proof-of-concept has been documented in the referenced pentest-tools PDF, indicating practical exploitability.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.21 allow authenticated attackers to bypass device identity verification and gain high-privilege Control UI access when insecure authentication is enabled and the gateway uses unencrypted HTTP. An attacker with compromised credentials can exploit the lack of secure authentication enforcement to obtain unauthorized control access. The vulnerability requires network access and valid credentials but poses significant risk in environments where plaintext HTTP is used.

Authentication Bypass Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 allow local authenticated attackers to bypass the safe-bin allowlist by exploiting sort's --compress-program flag, enabling execution of arbitrary programs despite allowlist restrictions. This command injection vulnerability affects deployments using safe-bin configuration with ask=on-miss mode enabled, permitting unauthorized code execution without operator approval.

Command Injection Openclaw
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 allow high-privileged attackers to execute arbitrary shell commands by injecting malicious environment variables into the system.run function, bypassing the intended command allowlist protections. By exploiting bash xtrace expansion through SHELLOPTS and PS4 variables, an attacker with request-scoped environment variable access can achieve code execution beyond the restricted command set. No patch is currently available for this command injection vulnerability.

Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A critical command injection vulnerability exists in Microsoft Bing Images that allows unauthenticated remote attackers to execute arbitrary commands on affected systems. The vulnerability stems from improper neutralization of special characters in user-supplied input, enabling attackers to inject and execute system commands without any user interaction or authentication. With a CVSS score of 9.8 and requiring no special privileges or user interaction, this represents a severe risk to any exposed Bing Images deployments.

Command Injection Microsoft
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A critical OS command injection vulnerability exists in Microsoft Bing Images that allows remote attackers to execute arbitrary commands without authentication. The vulnerability enables complete system compromise with high impact to confidentiality, integrity, and availability. With a CVSS score of 9.8 and requiring no user interaction, this represents a severe risk to any systems running vulnerable versions of Bing Images.

Command Injection Microsoft
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Microsoft Copilot is vulnerable to command injection through improper neutralization of special elements in user input, allowing an unauthenticated attacker to execute arbitrary commands and disclose sensitive information over the network. The vulnerability affects Microsoft Copilot (version details unspecified in available advisories) and requires user interaction to trigger. While no public proof-of-concept or active exploitation in the wild has been confirmed in the provided intelligence, the moderate CVSS score of 6.5 with high confidentiality impact warrants prompt patching.

Command Injection Microsoft
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

M365 Copilot is vulnerable to command injection that enables unauthenticated remote attackers to extract sensitive information through the network. The vulnerability stems from inadequate sanitization of special characters in command inputs, requiring user interaction to trigger. No patch is currently available for this medium-severity flaw.

Command Injection 365 Copilot
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Command injection in OpenEMR's backup functionality (versions prior to 8.0.0.2) allows authenticated high-privilege users to execute arbitrary commands on the underlying system due to insufficient input validation. The CVSS 9.1 critical rating reflects the potential for complete system compromise, though exploitation requires valid administrative credentials. No patch is currently available for affected versions.

Command Injection Openemr
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

A Server-Side Request Forgery (SSRF) vulnerability in AVideo's Live plugin allows unauthenticated remote attackers to scan internal networks, access cloud metadata services, and bypass authentication mechanisms when the plugin is deployed in standalone mode. The vulnerability exists because user-controlled input is directly used to construct URLs for server-side requests without validation, enabling attackers to proxy requests through the vulnerable server and potentially chain this with command execution. With a CVSS score of 9.1 and requiring no authentication or user interaction, this represents a critical security risk for affected deployments.

PHP Authentication Bypass Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthenticated remote code execution in catalog parsing allows attackers to execute arbitrary commands on the host system by embedding shell() syntax in malicious catalog YAML files accessed by users. The vulnerability exploits automatic expansion of parameter default values during catalog source loading without proper sanitization. No patch is currently available, and exploitation requires only user interaction to load a compromised catalog.

Command Injection Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

A command injection vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.

PHP RCE Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Command injection in OpenClaw versions before 2026.2.19 allows local attackers with limited privileges to execute arbitrary commands when the Lobster extension tool falls back to Windows shell execution after subprocess failures. The vulnerability exists because the tool uses shell: true after spawn errors, enabling attackers to inject shell metacharacters into command arguments. A patch is available for affected users.

Command Injection Microsoft Windows
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.1 contain a current working directory (cwd) injection vulnerability in Windows wrapper resolution for .cmd/.bat files that allows local attackers to manipulate command execution through directory control during shell fallback mechanisms. An authenticated local attacker with low privileges can exploit this vulnerability to achieve command execution integrity loss by controlling the working directory, potentially leading to unauthorized code execution or privilege escalation. While no active in-the-wild exploitation has been reported in KEV databases, the vulnerability is documented with a proof-of-concept available through the vendor's security advisory on GitHub.

Command Injection Microsoft Openclaw +1
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

OpenClaw versions prior to 2026.2.19 contain an input validation bypass in the tools.exec.safeBins component that allows local attackers with command execution privileges to circumvent stdin-only restrictions and perform arbitrary filesystem operations. By exploiting sort output flags (specifically the -o flag for arbitrary file writes) or recursive grep flags (-R for recursive file reads), authenticated attackers can read sensitive files or overwrite critical files despite intended access controls. While the CVSS score of 3.6 is moderate and requires local access with low privileges, the vulnerability represents a privilege escalation or sandbox escape technique rather than a critical remote exploit.

Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.19 allow local attackers with limited privileges to execute arbitrary commands through the Lobster extension's Windows shell fallback mechanism by injecting malicious arguments into workflow processes. The vulnerability exploits cmd.exe command interpretation when spawn operations fail and trigger shell execution, enabling command injection with potential impact on system integrity and availability. A patch is available for affected versions.

Command Injection Microsoft Openclaw +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw contains a local command injection vulnerability in Windows scheduled task script generation that allows authenticated local attackers to inject arbitrary commands through unsafe handling of cmd metacharacters and CR/LF sequences in gateway.cmd files. OpenClaw versions prior to 2026.2.19 are affected. Attackers with control over service script generation arguments can execute unintended code in the scheduled task context with high impact to integrity and availability.

Command Injection Microsoft Openclaw +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in its allow-always wrapper persistence mechanism that enables remote code execution. Attackers with high privileges and user interaction can approve benign wrapped system.run commands, then subsequently execute arbitrary different payloads without requiring additional approval, compromising both gateway and node-host execution environments. A patch is available from the vendor, and this vulnerability is tagged as enabling both RCE and command injection attacks.

RCE Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the system.run function that allows authenticated attackers to execute non-allowlisted commands by exploiting shell line-continuation characters to fold malicious command substitution past security controls. An attacker with low privileges (PR:L) can inject shell metacharacters (specifically $\ followed by newline and parenthesis within double quotes) to circumvent approval boundaries and execute arbitrary commands, resulting in integrity compromise and potential availability impact. A public advisory and patch are available from the vendor, though no EPSS score or KEV status was provided in the intelligence sources.

Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw contains an allowlist bypass vulnerability in its system.run exec analysis that fails to properly unwrap wrapper binaries like env and bash. Attackers with low-level privileges can chain wrapper binaries to smuggle malicious commands that appear to satisfy allowlist entries while actually executing non-allowlisted payloads. A patch is available from the vendor, and the vulnerability was disclosed through VulnCheck advisory; no public proof-of-concept code or active exploitation (KEV listing) has been reported at this time.

Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.19 allow local authenticated users to execute arbitrary commands by injecting shell metacharacters into environment variable values during Windows Scheduled Task script generation. The vulnerability stems from unquoted variable assignments in gateway.cmd that fail to sanitize special characters like &, |, ^, %, and !, enabling command injection when the task script runs. A patch is available to address this local privilege escalation risk.

Command Injection Microsoft Openclaw +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

OS command injection in the CWMP client (/ftl/bin/cwmp) of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers controlling the ACS endpoint to execute arbitrary commands as root via a crafted...

Command Injection Code Injection RCE
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

An unauthenticated remote code execution vulnerability exists in the mesop Python package's debugging Flask server endpoint (/exec-py) that accepts and executes arbitrary base64-encoded Python code without any authentication or validation. The vulnerability affects the mesop pip package, with a publicly disclosed proof-of-concept demonstrating trivial exploitation requiring only a single HTTP POST request. With a CVSS score of 9.8 (Critical) and detailed PoC availability, this represents an immediately exploitable vulnerability for any exposed instance.

Command Injection Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

SiYuan's Bazaar marketplace fails to sanitize package metadata (displayName, description) before rendering in the Electron desktop application, allowing stored XSS that escalates to arbitrary remote code execution. Any SiYuan user (versions ≤3.5.9) who browses the Bazaar will automatically execute attacker-controlled code with full OS-level privileges when a malicious package card renders-no installation or user interaction required. A functional proof-of-concept exists demonstrating command execution via img onerror handlers, and this vulnerability is actively tracked in GitHub's advisory database (GHSA-mvpm-v6q4-m2pf), making it a critical supply-chain risk to the SiYuan user community.

Command Injection Apple Microsoft +6
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Arbitrary command execution with root privileges affects multiple Fl Switch and Fl Nat devices through improper handling of HTTP POST requests in the Root CA certificate transfer workflow. An authenticated high-privileged attacker can exploit this command injection flaw to execute arbitrary commands on the underlying Linux operating system. No patch is currently available for the affected product versions.

Command Injection Fl Switch 2316 Pn Fl Switch 2005 +69
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the macOS node-host system.run function that permits remote attackers with high privileges to execute arbitrary commands by exploiting improper parsing of command substitution tokens. Attackers can craft malicious shell payloads using command substitution syntax within double-quoted strings to circumvent security allowlists and achieve code execution. A patch is available from the vendor, and the vulnerability has been documented by VulnCheck with public advisory and GitHub security advisory references.

Command Injection Apple macOS
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw versions before 2026.2.22 allow local attackers with high privileges to execute arbitrary commands through a safeBins allowlist bypass in the compress-program option, enabling unauthorized external program execution despite security constraints. The vulnerability exploits improper validation of the sort tool configuration to circumvent intended access controls. A patch is available to remediate this command injection flaw.

Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

xiaoheiFS versions up to and including 0.3.15 contain a critical remote code execution vulnerability in the plugin upload mechanism. Administrators can upload plugin ZIP files containing arbitrary binaries which the server executes without validation based on the manifest.json 'binaries' field. This allows authenticated administrators with high privileges to achieve full system compromise by uploading malicious plugin packages.

RCE Command Injection Xiaoheifs
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Roxy-WI versions prior to 8.2.6.3 contain a command injection vulnerability in the configuration comparison endpoint that allows authenticated users to execute arbitrary system commands on the host server. The flaw stems from unsanitized user input being directly embedded into template strings executed by the application. An attacker with valid credentials can exploit this to achieve full system compromise with high impact on confidentiality, integrity, and availability.

Command Injection Apache Nginx
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution in WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) via command injection in the adm.cgi sysCMD parameter allows attackers to achieve complete system compromise without authentication or user interaction. The vulnerability stems from insufficient input validation on the web management interface and currently lacks a vendor patch.

Command Injection
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

IBM Sterling B2B Integrator and IBM Sterling File Gateway contain a denial-of-service vulnerability that allows an unauthenticated remote attacker to crash the application by sending a specially crafted request. The vulnerability affects multiple versions of both products (6.1.0.0 through 6.2.2.0 ranges) and has a high CVSS score of 7.5 due to its network-based attack vector requiring no authentication or user interaction. A patch is available from IBM, and there is no indication of active exploitation in the wild or public proof-of-concept availability at this time.

IBM Command Injection Sterling B2b Integrator
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

OS command execution in Angeet ES3 KVM allows authenticated administrators to execute arbitrary system commands through improper input validation in the cfg.lua script. An attacker with high-level privileges can leverage this vulnerability to achieve complete system compromise with high impact on confidentiality, integrity, and availability. No patch is currently available for this critical vulnerability.

Command Injection Es3 Kvm
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authenticated attackers can execute arbitrary commands as root on Perle IOLAN STS and SCS terminal servers (firmware <6.0) by injecting shell metacharacters through the restricted shell's 'ps' command. This command injection flaw (CWE-78) allows full operating system compromise after gaining access via Telnet or SSH. VulnCheck reported this vulnerability with vendor patch now available in firmware 6.0. EPSS score of 0.14% (34th percentile) indicates low predicted exploitation probability, and no active exploitation or public POC has been identified at time of analysis.

Command Injection Iolan Sts Iolan Scs
NVD VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Docker TUS resumable upload handler allows authenticated users to trigger arbitrary `after_upload` hooks unlimited times by supplying a negative value in the Upload-Length header, causing command execution with zero bytes actually uploaded. The integer overflow flaw in the completion logic (CWE-190) bypasses file upload requirements and enables privilege escalation through hook execution. No patch is currently available.

Integer Overflow Command Injection Denial Of Service +1
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.

Docker RCE XSS +6
NVD GitHub VulDB
EPSS 1% CVSS 2.0
LOW POC Monitor

OS command injection in Tenda AC8 16.03.50.11 web interface allows authenticated remote attackers to execute arbitrary commands through the wans.policy.list1 parameter in the /cgi-bin/UploadCfg endpoint. Public exploit code exists for this vulnerability and no patch is currently available.

Tenda Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Dell ThinOS 10 versions before 2602_10.0573 contain a command injection flaw that allows local attackers with low privileges to execute arbitrary commands and escalate their access rights. The vulnerability stems from improper sanitization of special elements in user-supplied input, requiring only local access and no user interaction to exploit. No patch is currently available.

Dell Command Injection
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.

Privilege Escalation Nginx Python +3
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

Local command injection in hypermodel-labs mcp-server-auto-commit 1.0.0 via the getGitChanges function in index.ts allows authenticated local attackers to execute arbitrary commands with the privileges of the affected process. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Command injection in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-325 series, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 up to firmware version 20260205) allows authenticated remote attackers to execute arbitrary commands through the /cgi-bin/download_mgr.cgi file's RSS management functions. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Command injection in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-323-327L, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, DNS-1550-04 through firmware version 20260205) allows authenticated remote attackers to execute arbitrary commands via the /cgi-bin/remote_backup.cgi backup scheduling functions. Public exploit code exists for this vulnerability and no patch is currently available.

D-Link Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Command injection in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-323 through DNS-1550-04 with firmware prior to 20260205) allows authenticated remote attackers to execute arbitrary commands via the /cgi-bin/wizard_mgr.cgi endpoint. Public exploit code is available and no patch is currently available for affected users.

D-Link Command Injection
NVD GitHub VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in LB-LINK BL-WR9000 2.4.9 via the /goform/set_wifi endpoint allows authenticated remote attackers to execute arbitrary commands with network access. Public exploit code is available for this vulnerability, and no patch has been released by the vendor despite early disclosure notification.

Command Injection Bl Wr9000
NVD VulDB GitHub
EPSS 0% CVSS 8.6
HIGH This Week

OS command injection in OpenLiteSpeed and LSWS Enterprise web servers from LiteSpeed Technologies allows administrative users to execute arbitrary operating system commands on the host. The flaw affects all versions of both products per ENISA EUVD and was reported by JPCERT/CC via JVN. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.16%, 37th percentile), but the high CVSS 4.0 score (8.6) reflects full confidentiality, integrity, and availability impact on the underlying host.

Command Injection Openlitespeed Lsws Enterprise
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in D-Link NAS devices (DNS-320, DNS-327L, DNS-345 and others) through the time_machine.cgi script allows authenticated remote attackers to execute arbitrary commands with network access. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in D-Link NAS devices (DNS-120, DNS-325, DNR-322L, DNS-327L and others) allows authenticated remote attackers to execute arbitrary commands through multiple user and group management CGI functions. Public exploit code exists for this vulnerability, and patches are not currently available. An attacker with valid credentials could leverage this to compromise the NAS system and potentially access or manipulate stored data.

D-Link Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in D-Link NAS devices (DNS-320, DNS-325, DNS-343, DNR-322L and others) through the /cgi-bin/system_mgr.cgi interface allows authenticated remote attackers to execute arbitrary commands. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A security vulnerability in A vulnerability (CVSS 6.3). Risk factors: public PoC available.

D-Link Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A security vulnerability in A vulnerability (CVSS 6.3). Risk factors: public PoC available.

Command Injection D-Link
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A security vulnerability in A flaw (CVSS 6.3). Risk factors: public PoC available.

Command Injection D-Link
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in D-Link DNS and DNR network attached storage devices allows authenticated remote attackers to execute arbitrary commands through multiple CGI functions in the network management interface. The vulnerability affects numerous models up to firmware version 20260205, and public exploit code is available. An attacker with valid credentials can leverage this to compromise device integrity and potentially access the network.

Command Injection D-Link
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Command injection in bazinga012 mcp_code_executor up to version 0.3.0 allows local attackers with user-level privileges to execute arbitrary commands through the installDependencies function in src/index.ts. Public exploit code exists for this vulnerability, affecting Python and Node.js environments. A patch is available and should be applied to remediate this local privilege escalation risk.

Command Injection Mcp Code Executor
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters.

Command Injection RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote command injection in Quip MCP Server 1.0.0 allows authenticated attackers to execute arbitrary system commands through the setupToolHandlers function in src/index.ts. Public exploit code exists for this vulnerability, and the developers have not yet released a patch despite early notification. The attack requires valid credentials but can be performed over the network with no user interaction needed.

Command Injection Quip Mcp Server
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.

Command Injection RCE Code Injection +1
NVD VulDB
EPSS 0% CVSS 8.9
HIGH POC This Week

Critical OS command injection vulnerability in Topsec TopACM 3.0's web management interface that allows unauthenticated remote attackers to execute arbitrary system commands. A public proof-of-concept exploit is available, and the vulnerability has a CVSS score of 9.8, though no active exploitation has been confirmed in CISA's KEV catalog. The vendor has not responded to disclosure attempts, leaving systems unpatched.

Command Injection PHP
NVD VulDB
EPSS 0% CVSS 8.9
HIGH POC PATCH This Week

Critical command injection vulnerability in Wavlink WL-WN578W2 wireless routers (firmware version 221110) that allows unauthenticated remote attackers to execute arbitrary commands via specially crafted POST requests to multiple functions in the wireless.cgi script. A public proof-of-concept exploit is available on GitHub, and the vendor has released a patch, making this a high-priority issue for immediate remediation despite no current KEV listing.

Command Injection Wl Wn578w2
NVD VulDB GitHub
EPSS 0% CVSS 8.9
HIGH POC PATCH This Week

Critical command injection vulnerability in Wavlink WL-WN579A3 wireless router firmware version 220323, allowing unauthenticated remote attackers to execute arbitrary commands via the SetName/GuestWifi functions in /cgi-bin/wireless.cgi. A public proof-of-concept exploit is available, and while a vendor patch exists, the vulnerability has not yet been added to CISA's KEV catalog despite its high severity (CVSS 9.8).

Command Injection Wl Wn579a3
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

This issue affects Apache Spark: before 3.5.7 and 4.0.1.

Command Injection RCE Deserialization +2
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Authenticated attackers can achieve root-level command execution on TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 routers by uploading a malicious configuration file through the import function, exploiting improper input validation in the port-trigger processing logic. Successful exploitation grants complete control over the affected device, allowing full compromise of the router and any connected network. A patch is available for this high-severity vulnerability.

TP-Link Command Injection Tl Wr802n V4 +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

CVE-2026-26133 is an AI command injection vulnerability in Microsoft 365 Copilot and multiple Microsoft mobile/desktop applications that allows remote attackers to disclose sensitive information through crafted AI prompts. The vulnerability affects numerous Microsoft products across iOS, Android, and macOS platforms, requires user interaction, and has a patch available from Microsoft with no current evidence of active exploitation (not in KEV).

Command Injection Microsoft 365 Copilot For Android Microsoft 365 Copilot For Ios +18
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Command injection RCE in claude-hovercraft tool. EPSS 1.3%.

Command Injection RCE AI / ML +1
NVD
Prev Page 13 of 87 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy