Skip to main content

Command Injection

7746 CVEs technique

Monthly

CVE-2025-14276 LOW Monitor

A vulnerability was determined in Ilevia EVE X1 Server up to 4.6.5.0.eden. Impacted is an unknown function of the file /ajax/php/leaf_search.php. This manipulation of the argument line causes command injection. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. Upgrading the affected component is recommended. The vendor confirms the issue and recommends: "We already know that issue and on most devices are already solved, also it’s not needed to open the port to outside world so we advised our customer to close it".

PHP Command Injection
NVD VulDB
CVSS 4.0
2.9
EPSS
1.9%
CVE-2025-65363 HIGH This Week

Authenticated append-style command-injection Ruijie APs (AP_RGOS 11.1.x) allows an authenticated web user to execute appended shell expressions as root, enabling file disclosure, device disruption, and potential network pivoting via the command parameter to the web_action.do endpoint.

Command Injection Rg Ap720 L Firmware
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-14225 LOW POC Monitor

A vulnerability was determined in D-Link DCS-930L 1.15.04. This affects an unknown part of the file /setSystemAdmin of the component alphapd. Executing manipulation of the argument AdminID can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection D-Link
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14208 LOW POC Monitor

A security flaw has been discovered in D-Link DIR-823X up to 20250416. This affects the function sub_415028 of the file /goform/set_wan_settings. The manipulation of the argument ppp_username results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.

Command Injection D-Link
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.9%
CVE-2025-14204 LOW Monitor

A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
1.5%
CVE-2025-14188 HIGH This Week

A security vulnerability has been detected in UGREEN DH2100+ up to 5.3.0.251125. This impacts the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. The manipulation of the argument path leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading the affected component is advised.

Command Injection
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-14184 LOW Monitor

A vulnerability was determined in SGAI Space1 NAS N1211DS up to 1.0.915. Impacted is the function RENAME_FILE/OPERATE_FILE/NGNIX_UPLOAD of the file /cgi-bin/JSONAPI of the component gsaiagent. This manipulation causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
1.3%
CVE-2025-14108 HIGH POC This Week

A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Command Injection Q2c Nas Firmware
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-14107 HIGH POC This Week

A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Command Injection Q2c Nas Firmware
NVD VulDB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2025-14106 HIGH POC This Week

A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safe_dir leads to command injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Command Injection Q2c Nas Firmware
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-66644 HIGH KEV PATCH THREAT Act Now

Array Networks ArrayOS AG before 9.4.5.9 contains an OS command injection vulnerability (CVE-2025-66644, CVSS 7.2) that has been actively exploited in the wild from August through December 2025. KEV-listed, this vulnerability in the VPN/SSL-VPN appliance enables authenticated attackers to execute arbitrary commands on the network edge device.

Command Injection Arrayos Ag
NVD
CVSS 3.1
7.2
EPSS
3.1%
CVE-2020-36877 CRITICAL POC Act Now

ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server.

PHP Command Injection RCE
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.6%
CVE-2025-14094 LOW POC Monitor

A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.3%
CVE-2025-14093 LOW POC Monitor

A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in os command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.4%
CVE-2025-64052 MEDIUM POC This Month

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to execute arbitrary system commands.

Command Injection X210 Firmware
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-14092 LOW POC Monitor

A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.3%
CVE-2025-1910 MEDIUM This Month

The WatchGuard Mobile VPN with SSL Client on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM on the Windows machine where the VPN Client is installed.This issue affects the Mobile VPN with SSL Client 12.0 up to and including 12.11.2.

Microsoft Command Injection Windows
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2025-66576 CRITICAL POC Act Now

Remote Keyboard Desktop 1.0.1 enables remote attackers to execute system commands via the rundll32.exe exported function export, allowing unauthenticated code execution.

Command Injection RCE Remote Keyboard Desktop
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-66572 MEDIUM POC This Month

Loaded Commerce 6.6 contains a client-side template injection vulnerability that allows unauthenticated attackers to execute code on the server via the search parameter.

Command Injection
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2024-58278 HIGH POC This Week

perl2exe <= V30.10C contains an arbitrary code execution vulnerability that allows local authenticated attackers to execute malicious scripts. Attackers can control the 0th argument of packed executables to execute another executable, allowing them to bypass restrictions and gain unauthorized access.

Authentication Bypass Command Injection RCE
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2024-58275 HIGH POC This Week

Easywall 0.3.1 allows authenticated remote command execution via a command injection vulnerability in the /ports-save endpoint that suffers from a parameter injection flaw. Attackers can inject shell metacharacters to execute arbitrary commands on the server.

Command Injection
NVD GitHub Exploit-DB
CVSS 4.0
8.7
EPSS
1.2%
CVE-2025-29269 CRITICAL POC Act Now

ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint.

Command Injection All Rut22gw Firmware
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-66404 npm MEDIUM POC PATCH This Month

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, there is a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.

Command Injection Kubernetes Mcp Server Kubernetes
NVD GitHub
CVSS 3.1
6.4
EPSS
0.3%
CVE-2025-66208 CRITICAL PATCH Act Now

Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702.

PHP Command Injection Online Nextcloud
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-66032 npm CRITICAL POC PATCH Act Now

Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93.

Command Injection RCE Claude Code
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-34319 CRITICAL Act Now

TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 (discovered in V2.1.8-B20201030.1539) contain an OS command injection vulnerability in the Boa formWsc handling functionality. An unauthenticated attacker can send specially crafted requests to trigger command execution via the targetAPSsid request parameter.

Command Injection TOTOLINK
NVD
CVSS 4.0
9.3
EPSS
3.4%
CVE-2025-57201 HIGH POC This Week

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Command Injection Dgm1104 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.1%
CVE-2025-57199 HIGH POC This Week

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Command Injection Dgm1104 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2025-57198 HIGH POC This Week

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi endpoint. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Command Injection Dgm1104 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2025-57200 MEDIUM POC This Month

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the test_mail function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Command Injection Dgm1104 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
5.3%
CVE-2025-12744 HIGH POC PATCH This Week

A flaw was found in the ABRT daemon’s handling of user-supplied mount information.ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges.

Docker Command Injection Red Hat Suse
NVD Exploit-DB VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-65657 PHP MEDIUM POC This Month

FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without sufficient validation, sanitization, or execution restrictions. An authenticated remote attacker can upload a crafted PHP file and cause the application or web server to execute it, resulting in remote code execution (RCE).

PHP RCE Command Injection File Upload Feehicms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-66399 HIGH POC PATCH This Week

Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29.

Command Injection Ubuntu Debian Cacti Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-60854 CRITICAL Act Now

A vulnerability has been found in D-Link R15 (AX1500) 1.20.01 and below. By manipulating the model name parameter during a password change request in the web administrator page, it is possible to trigger a command injection in httpd.

Command Injection R15 Firmware D-Link
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-11787 HIGH This Week

Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the 'GetDNS()', 'CheckPing()' and 'TraceRoute()' functions.

Command Injection Sge Plc1000 Firmware Sge Plc50 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-11779 CRITICAL Act Now

Stack-based buffer overflow vulnerability in CircutorSGE-PLC1000/SGE-PLC50 v9.0.2. The 'SetLan' function is invoked when a new configuration is applied. This new configuration function is activated by a management web request, which can be invoked by a user when making changes to the 'index.cgi' web application. The parameters are not being sanitised, which could lead to command injection.

Command Injection Stack Overflow Buffer Overflow Sge Plc1000 Firmware Sge Plc50 Firmware
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2025-66401 npm CRITICAL POC PATCH Act Now

MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.

Command Injection Mcp Watch
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2025-13800 LOW POC Monitor

A vulnerability was found in ADSLR NBR1005GPEV2 250814-r037c. This issue affects the function set_mesh_disconnect of the file /send_order.cgi. The manipulation of the argument mac results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2025-13799 LOW POC Monitor

A vulnerability has been found in ADSLR NBR1005GPEV2 250814-r037c. This vulnerability affects the function ap_macfilter_del of the file /send_order.cgi. The manipulation of the argument mac leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2025-13798 LOW POC Monitor

A flaw has been found in ADSLR NBR1005GPEV2 250814-r037c. This affects the function ap_macfilter_add of the file /send_order.cgi. Executing manipulation of the argument mac can lead to command injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.6%
CVE-2025-13797 LOW POC Monitor

A vulnerability was detected in ADSLR B-QE2W401 250814-r037c. Affected by this issue is the function parameterdel_swifimac of the file /send_order.cgi. Performing manipulation of the argument del_swifimac results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
CVSS 4.0
2.1
EPSS
0.6%
CVE-2025-35028 CRITICAL Act Now

By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-66219 npm MEDIUM POC This Month

willitmerge is a command line tool to check if pull requests are mergeable. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Willitmerge
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2025-8890 This Week

A shell command injection vulnerability exists in the network diagnostics tool of SDMC NE6037 routers running firmware versions prior to 7.1.12.2.44, allowing authenticated attackers with administrative access to execute arbitrary commands on the device. The vulnerability is classified as CWE-78 (OS Command Injection) and carries an EPSS score of 0.77% (73rd percentile), indicating a low empirical probability of exploitation in the wild. While no public proof-of-concept or active exploitation in the wild has been documented, the flaw requires administrative authentication via the LAN-only management interface, significantly limiting real-world attack surface.

Command Injection
NVD
EPSS
0.8%
CVE-2025-65202 HIGH POC This Week

TRENDnet TEW-657BRM 1.00.1 has an authenticated remote OS command injection vulnerability in the setup.cgi binary, exploitable via the HTTP parameters "command", "todo", and "next_file," which allows. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Tew 657Brm Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-64128 CRITICAL Act Now

An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.9% and no vendor patch available.

Command Injection
NVD GitHub
CVSS 4.0
10.0
EPSS
10.9%
CVE-2025-64127 CRITICAL Act Now

An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.9% and no vendor patch available.

Command Injection
NVD GitHub
CVSS 4.0
10.0
EPSS
10.9%
CVE-2025-64126 CRITICAL Act Now

An OS command injection vulnerability exists due to improper input validation. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.9% and no vendor patch available.

Command Injection
NVD GitHub
CVSS 4.0
10.0
EPSS
10.9%
CVE-2025-62354 CRITICAL Act Now

Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-66261 CRITICAL POC Act Now

Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection RCE Mozart Next 100 Firmware Mozart Next 1000 Firmware +20
NVD
CVSS 4.0
9.9
EPSS
0.7%
CVE-2025-66253 CRITICAL POC Act Now

Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection RCE Mozart Next 100 Firmware Mozart Next 1000 Firmware +20
NVD
CVSS 4.0
9.9
EPSS
0.7%
CVE-2025-59370 HIGH This Week

A command injection vulnerability has been identified in bwdpi. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 4.0
7.5
EPSS
0.6%
CVE-2025-12742 HIGH This Week

A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection
NVD
CVSS 4.0
7.5
EPSS
0.1%
CVE-2025-63674 MEDIUM POC This Month

An issue in Blurams Lumi Security Camera (A31C) v23.1227.472.2926 allows local physical attackers to execute arbitrary code via overriding the bootloader on the SD card. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE A31C Firmware
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2018-25126 CRITICAL POC Act Now

Shenzhen TVT Digital Technology Co., Ltd. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection
NVD GitHub
CVSS 4.0
9.3
EPSS
1.3%
CVE-2025-11921 HIGH This Month

iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection.10.4. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-13562 MEDIUM POC This Month

A vulnerability was identified in D-Link DIR-852 1.00.cgi. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2025-64755 npm HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Claude Code
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-13087 HIGH This Month

A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection RCE
NVD GitHub
CVSS 4.0
7.5
EPSS
0.4%
CVE-2025-12121 HIGH POC PATCH This Month

Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available.

Command Injection Lite Xl Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-60738 CRITICAL POC Act Now

An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before Logic Version v6.00 - 2025_07_21 and before allows a remote attacker to execute arbitrary code via the ping.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection RCE Eve X1 Server Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-13442 MEDIUM POC This Month

A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.6%
CVE-2025-63932 HIGH POC This Month

D-Link Router DIR-868L A1 FW106KRb01.bin has an unauthenticated remote code execution vulnerability in the cgibin binary. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection RCE Dir 868l Firmware
NVD GitHub
CVSS 3.1
7.3
EPSS
0.5%
CVE-2025-34335 HIGH POC This Week

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an authenticated command injection vulnerability in the license activation workflow handled by. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Fax Server Interactive Voice Response Tenda
NVD
CVSS 4.0
8.7
EPSS
0.7%
CVE-2025-34334 HIGH POC This Week

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 are vulnerable to an authenticated command injection in the fax test functionality implemented by. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Fax Server Interactive Voice Response Tenda
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-37162 MEDIUM This Month

A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Arubaos
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-63749 MEDIUM POC This Week

pnetlab 5.3.11 is vulnerable to Command Injection via the qemu_options parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Pnetlab
NVD GitHub
CVSS 3.1
6.5
EPSS
6.7%
CVE-2025-37163 HIGH This Month

A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Aruba Command Injection Airwave
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-37158 MEDIUM This Month

A command injection vulnerability exists in the AOS-CX Operating System. Rated medium severity (CVSS 6.7), this vulnerability is no authentication required. No vendor patch available.

Command Injection RCE Arubaos Cx
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-37157 MEDIUM This Month

A command injection vulnerability exists in the AOS-CX Operating System. Rated medium severity (CVSS 6.7), this vulnerability is no authentication required. No vendor patch available.

Command Injection RCE Code Injection Arubaos Cx
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-63258 MEDIUM This Month

A remote command execution (RCE) vulnerability was discovered in all H3C ERG3/ERG5 series routers and XiaoBei series routers, cloud gateways, and wireless access points (versions R0162P07,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-58034 HIGH POC KEV THREAT Act Now

Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized commands on the web application firewall.

Command Injection Fortinet Fortiweb
NVD
CVSS 3.1
7.2
EPSS
50.7%
Threat
6.0
CVE-2025-9977 MEDIUM This Month

Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi Command Injection
NVD
CVSS 4.0
5.3
EPSS
4.1%
CVE-2025-63604 MEDIUM POC This Week

A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE Authentication Bypass Python Aws Resources Mcp Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-63603 MEDIUM POC This Week

A command injection vulnerability exists in the MCP Data Science Server's (reading-plus-ai/mcp-server-data-exploration) 0.1.6 in the safe_eval() function (src/mcp_server_ds/server.py:108). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Python Mcp Server For Data Exploration
NVD GitHub
CVSS 3.1
6.5
EPSS
2.7%
CVE-2025-8693 HIGH This Month

A post-authentication command injection vulnerability in the "priv" parameter of Zyxel DX3300-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an authenticated attacker to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Zyxel Dm4200 B0 Firmware Dx3300 T0 Firmware Dx3300 T1 Firmware +51
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-13306 LOW POC Monitor

A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-64756 npm HIGH POC PATCH This Month

Glob matches files using patterns the shell uses. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

Command Injection RCE Glob Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-55055 MEDIUM This Month

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Rumpus
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-34322 HIGH This Month

Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Log Server
NVD
CVSS 4.0
8.6
EPSS
0.4%
CVE-2025-63916 HIGH POC This Week

MyScreenTools v2.2.1.0 contains a critical OS command injection vulnerability in the GIF compression tool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Myscreentools
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-9501 CRITICAL This Week

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress PHP Command Injection
NVD WPScan
CVSS 3.1
9.0
EPSS
2.5%
CVE-2025-13284 CRITICAL This Week

ThinPLUS developed by ThinPLUS has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 4.0
9.3
EPSS
0.7%
CVE-2025-6945 LOW Monitor

GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Gitlab
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2021-4470 CRITICAL Act Now

TG8 Firewall contains a pre-authentication remote code execution vulnerability in the runphpcmd.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Command Injection RCE
NVD
CVSS 4.0
9.3
EPSS
0.7%
CVE-2021-4466 HIGH POC This Week

IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2025-64444 HIGH This Month

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in NCP-HG100 1.4.48.16 and earlier. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 4.0
8.6
EPSS
1.2%
CVE-2025-60702 MEDIUM POC This Week

A command injection vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592_B20191022_ALL within the `system.so` binary. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A950rg Firmware TOTOLINK
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2025-63406 HIGH POC This Week

An issue in Intermesh BV GroupOffice vulnerable before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via the dbToApi() and eval() in the FunctionField.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection RCE Group Office
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-60676 MEDIUM POC This Month

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection Dir 878 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
EPSS 2% CVSS 2.9
LOW Monitor

A vulnerability was determined in Ilevia EVE X1 Server up to 4.6.5.0.eden. Impacted is an unknown function of the file /ajax/php/leaf_search.php. This manipulation of the argument line causes command injection. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. Upgrading the affected component is recommended. The vendor confirms the issue and recommends: "We already know that issue and on most devices are already solved, also it’s not needed to open the port to outside world so we advised our customer to close it".

PHP Command Injection
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Authenticated append-style command-injection Ruijie APs (AP_RGOS 11.1.x) allows an authenticated web user to execute appended shell expressions as root, enabling file disclosure, device disruption, and potential network pivoting via the command parameter to the web_action.do endpoint.

Command Injection Rg Ap720 L Firmware
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was determined in D-Link DCS-930L 1.15.04. This affects an unknown part of the file /setSystemAdmin of the component alphapd. Executing manipulation of the argument AdminID can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection D-Link
NVD GitHub VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

A security flaw has been discovered in D-Link DIR-823X up to 20250416. This affects the function sub_415028 of the file /goform/set_wan_settings. The manipulation of the argument ppp_username results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.

Command Injection D-Link
NVD GitHub VulDB
EPSS 2% CVSS 2.1
LOW Monitor

A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

A security vulnerability has been detected in UGREEN DH2100+ up to 5.3.0.251125. This impacts the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. The manipulation of the argument path leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading the affected component is advised.

Command Injection
NVD VulDB
EPSS 1% CVSS 2.1
LOW Monitor

A vulnerability was determined in SGAI Space1 NAS N1211DS up to 1.0.915. Impacted is the function RENAME_FILE/OPERATE_FILE/NGNIX_UPLOAD of the file /cgi-bin/JSONAPI of the component gsaiagent. This manipulation causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Command Injection Q2c Nas Firmware
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Command Injection Q2c Nas Firmware
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safe_dir leads to command injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Command Injection Q2c Nas Firmware
NVD VulDB
EPSS 3% CVSS 7.2
HIGH KEV PATCH THREAT Act Now

Array Networks ArrayOS AG before 9.4.5.9 contains an OS command injection vulnerability (CVE-2025-66644, CVSS 7.2) that has been actively exploited in the wild from August through December 2025. KEV-listed, this vulnerability in the VPN/SSL-VPN appliance enables authenticated attackers to execute arbitrary commands on the network edge device.

Command Injection Arrayos Ag
NVD
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server.

PHP Command Injection RCE
NVD Exploit-DB
EPSS 0% CVSS 2.0
LOW POC Monitor

A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in os command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to execute arbitrary system commands.

Command Injection X210 Firmware
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

The WatchGuard Mobile VPN with SSL Client on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM on the Windows machine where the VPN Client is installed.This issue affects the Mobile VPN with SSL Client 12.0 up to and including 12.11.2.

Microsoft Command Injection Windows
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Remote Keyboard Desktop 1.0.1 enables remote attackers to execute system commands via the rundll32.exe exported function export, allowing unauthenticated code execution.

Command Injection RCE Remote Keyboard Desktop
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Loaded Commerce 6.6 contains a client-side template injection vulnerability that allows unauthenticated attackers to execute code on the server via the search parameter.

Command Injection
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

perl2exe <= V30.10C contains an arbitrary code execution vulnerability that allows local authenticated attackers to execute malicious scripts. Attackers can control the 0th argument of packed executables to execute another executable, allowing them to bypass restrictions and gain unauthorized access.

Authentication Bypass Command Injection RCE
NVD Exploit-DB
EPSS 1% CVSS 8.7
HIGH POC This Week

Easywall 0.3.1 allows authenticated remote command execution via a command injection vulnerability in the /ports-save endpoint that suffers from a parameter injection flaw. Attackers can inject shell metacharacters to execute arbitrary commands on the server.

Command Injection
NVD GitHub Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint.

Command Injection All Rut22gw Firmware
NVD
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, there is a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.

Command Injection Kubernetes Mcp Server Kubernetes
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702.

PHP Command Injection Online +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93.

Command Injection RCE Claude Code
NVD GitHub
EPSS 3% CVSS 9.3
CRITICAL Act Now

TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 (discovered in V2.1.8-B20201030.1539) contain an OS command injection vulnerability in the Boa formWsc handling functionality. An unauthenticated attacker can send specially crafted requests to trigger command execution via the targetAPSsid request parameter.

Command Injection TOTOLINK
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Command Injection Dgm1104 Firmware
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Command Injection Dgm1104 Firmware
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi endpoint. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Command Injection Dgm1104 Firmware
NVD GitHub
EPSS 5% CVSS 6.5
MEDIUM POC This Month

AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the test_mail function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Command Injection Dgm1104 Firmware
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

A flaw was found in the ABRT daemon’s handling of user-supplied mount information.ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges.

Docker Command Injection Red Hat +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without sufficient validation, sanitization, or execution restrictions. An authenticated remote attacker can upload a crafted PHP file and cause the application or web server to execute it, resulting in remote code execution (RCE).

PHP RCE Command Injection +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29.

Command Injection Ubuntu Debian +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

A vulnerability has been found in D-Link R15 (AX1500) 1.20.01 and below. By manipulating the model name parameter during a password change request in the web administrator page, it is possible to trigger a command injection in httpd.

Command Injection R15 Firmware D-Link
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the 'GetDNS()', 'CheckPing()' and 'TraceRoute()' functions.

Command Injection Sge Plc1000 Firmware Sge Plc50 Firmware
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Stack-based buffer overflow vulnerability in CircutorSGE-PLC1000/SGE-PLC50 v9.0.2. The 'SetLan' function is invoked when a new configuration is applied. This new configuration function is activated by a management web request, which can be invoked by a user when making changes to the 'index.cgi' web application. The parameters are not being sanitised, which could lead to command injection.

Command Injection Stack Overflow Buffer Overflow +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.

Command Injection Mcp Watch
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was found in ADSLR NBR1005GPEV2 250814-r037c. This issue affects the function set_mesh_disconnect of the file /send_order.cgi. The manipulation of the argument mac results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability has been found in ADSLR NBR1005GPEV2 250814-r037c. This vulnerability affects the function ap_macfilter_del of the file /send_order.cgi. The manipulation of the argument mac leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

A flaw has been found in ADSLR NBR1005GPEV2 250814-r037c. This affects the function ap_macfilter_add of the file /send_order.cgi. Executing manipulation of the argument mac can lead to command injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

A vulnerability was detected in ADSLR B-QE2W401 250814-r037c. Affected by this issue is the function parameterdel_swifimac of the file /send_order.cgi. Performing manipulation of the argument del_swifimac results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC This Month

willitmerge is a command line tool to check if pull requests are mergeable. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Willitmerge
NVD GitHub
EPSS 1%
This Week

A shell command injection vulnerability exists in the network diagnostics tool of SDMC NE6037 routers running firmware versions prior to 7.1.12.2.44, allowing authenticated attackers with administrative access to execute arbitrary commands on the device. The vulnerability is classified as CWE-78 (OS Command Injection) and carries an EPSS score of 0.77% (73rd percentile), indicating a low empirical probability of exploitation in the wild. While no public proof-of-concept or active exploitation in the wild has been documented, the flaw requires administrative authentication via the LAN-only management interface, significantly limiting real-world attack surface.

Command Injection
NVD
EPSS 0% CVSS 8.0
HIGH POC This Week

TRENDnet TEW-657BRM 1.00.1 has an authenticated remote OS command injection vulnerability in the setup.cgi binary, exploitable via the HTTP parameters "command", "todo", and "next_file," which allows. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Tew 657Brm Firmware
NVD GitHub
EPSS 11% CVSS 10.0
CRITICAL Act Now

An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.9% and no vendor patch available.

Command Injection
NVD GitHub
EPSS 11% CVSS 10.0
CRITICAL Act Now

An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.9% and no vendor patch available.

Command Injection
NVD GitHub
EPSS 11% CVSS 10.0
CRITICAL Act Now

An OS command injection vulnerability exists due to improper input validation. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.9% and no vendor patch available.

Command Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE
NVD
EPSS 1% CVSS 9.9
CRITICAL POC Act Now

Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection RCE +22
NVD
EPSS 1% CVSS 9.9
CRITICAL POC Act Now

Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection RCE +22
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A command injection vulnerability has been identified in bwdpi. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection
NVD
EPSS 0% CVSS 6.8
MEDIUM POC This Month

An issue in Blurams Lumi Security Camera (A31C) v23.1227.472.2926 allows local physical attackers to execute arbitrary code via overriding the bootloader on the SD card. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE A31C Firmware
NVD
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

Shenzhen TVT Digital Technology Co., Ltd. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Month

iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection.10.4. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Command Injection
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in D-Link DIR-852 1.00.cgi. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Claude Code
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Month

A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection RCE
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC PATCH This Month

Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available.

Command Injection Lite Xl Suse
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before Logic Version v6.00 - 2025_07_21 and before allows a remote attacker to execute arbitrary code via the ping.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection RCE +1
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection
NVD GitHub VulDB
EPSS 1% CVSS 7.3
HIGH POC This Month

D-Link Router DIR-868L A1 FW106KRb01.bin has an unauthenticated remote code execution vulnerability in the cgibin binary. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection RCE +1
NVD GitHub
EPSS 1% CVSS 8.7
HIGH POC This Week

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an authenticated command injection vulnerability in the license activation workflow handled by. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Fax Server +2
NVD
EPSS 0% CVSS 8.7
HIGH POC This Week

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 are vulnerable to an authenticated command injection in the fax test functionality implemented by. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Fax Server +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Arubaos
NVD
EPSS 7% CVSS 6.5
MEDIUM POC This Week

pnetlab 5.3.11 is vulnerable to Command Injection via the qemu_options parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Pnetlab
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Month

A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Aruba Command Injection Airwave
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

A command injection vulnerability exists in the AOS-CX Operating System. Rated medium severity (CVSS 6.7), this vulnerability is no authentication required. No vendor patch available.

Command Injection RCE Arubaos Cx
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

A command injection vulnerability exists in the AOS-CX Operating System. Rated medium severity (CVSS 6.7), this vulnerability is no authentication required. No vendor patch available.

Command Injection RCE Code Injection +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A remote command execution (RCE) vulnerability was discovered in all H3C ERG3/ERG5 series routers and XiaoBei series routers, cloud gateways, and wireless access points (versions R0162P07,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD
EPSS 51% 6.0 CVSS 7.2
HIGH POC KEV THREAT Act Now

Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized commands on the web application firewall.

Command Injection Fortinet Fortiweb
NVD
EPSS 4% CVSS 5.3
MEDIUM This Month

Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi Command Injection
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Week

A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE Authentication Bypass +2
NVD GitHub
EPSS 3% CVSS 6.5
MEDIUM POC This Week

A command injection vulnerability exists in the MCP Data Science Server's (reading-plus-ai/mcp-server-data-exploration) 0.1.6 in the safe_eval() function (src/mcp_server_ds/server.py:108). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Python Mcp Server For Data Exploration
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Month

A post-authentication command injection vulnerability in the "priv" parameter of Zyxel DX3300-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an authenticated attacker to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Zyxel Dm4200 B0 Firmware +53
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Month

Glob matches files using patterns the shell uses. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

Command Injection RCE Glob +2
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Rumpus
NVD
EPSS 0% CVSS 8.6
HIGH This Month

Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Log Server
NVD
EPSS 0% CVSS 8.1
HIGH POC This Week

MyScreenTools v2.2.1.0 contains a critical OS command injection vulnerability in the GIF compression tool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Myscreentools
NVD GitHub
EPSS 2% CVSS 9.0
CRITICAL This Week

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress PHP Command Injection
NVD WPScan
EPSS 1% CVSS 9.3
CRITICAL This Week

ThinPLUS developed by ThinPLUS has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD
EPSS 0% CVSS 3.5
LOW Monitor

GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Gitlab
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

TG8 Firewall contains a pre-authentication remote code execution vulnerability in the runphpcmd.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Command Injection RCE
NVD
EPSS 1% CVSS 8.7
HIGH POC This Week

IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE
NVD Exploit-DB
EPSS 1% CVSS 8.6
HIGH This Month

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in NCP-HG100 1.4.48.16 and earlier. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Week

A command injection vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592_B20191022_ALL within the `system.so` binary. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A950rg Firmware TOTOLINK
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue in Intermesh BV GroupOffice vulnerable before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via the dbToApi() and eval() in the FunctionField.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection RCE +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection Dir 878 Firmware
NVD GitHub
Prev Page 19 of 87 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy