Command Injection
Monthly
Command injection in BentoML's cloud deployment path allows remote code execution on BentoCloud build infrastructure via malicious bentofile.yaml configurations. While commit ce53491 fixed command injection in local Dockerfile generation by adding shlex.quote protection, the cloud deployment code path (deployment.py:1648) remained vulnerable, directly interpolating system_packages into shell commands without sanitization. Attackers can inject shell metacharacters through bentofile.yaml to execute arbitrary commands during cloud deployment, enabling supply chain attacks, credential exfiltration, and infrastructure compromise. CVSS 7.8 score reflects local attack vector requiring user interaction, but real-world impact targets cloud CI/CD infrastructure. No public exploit code or active exploitation (CISA KEV) confirmed at time of analysis.
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary code or hijack authentication flows through malicious connection parameters during user-initiated database connections. With a CVSS 7.3 rating, the vulnerability requires user interaction but no authentication (CVSS:4.0 AV:L/PR:N/UI:P), enabling high impact to confidentiality, integrity, and availability on the local system. Vendor-released patches are available across all platforms (Windows, Linux, macOS). No public exploit or active exploitation confirmed at time of analysis, though EPSS data is not available for risk calibration.
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated local attackers to execute arbitrary commands by crafting malicious connection parameters processed during user-initiated database connections. Vendor-released patches available across all platforms (version 2.1.0.0). No active exploitation confirmed (not in CISA KEV); CVSS 7.3 reflects high impact but requires local access and user interaction, limiting remote attack surface.
Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash commands with root privileges inside the application container by exploiting public webhook endpoints that trigger automation workflows. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78) and requires no authentication, though the CVSS complexity is rated high (AC:H). A vendor-released patch is available in version 3.33.4, with the fix publicly documented in GitHub pull request #18238 and commit f0c731b4.
Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute arbitrary system commands through the bash automation step feature. The vulnerability stems from unsanitized user input processed via template interpolation in execSync calls, allowing command injection with low attack complexity. No public exploit identified at time of analysis, though the technical details disclosed in the GitHub Security Advisory provide a clear exploitation path for authenticated users with automation privileges.
Command injection in pymetasploit3 Python library (versions ≤1.0.6) allows unauthenticated remote attackers to execute arbitrary Metasploit console commands by injecting newline characters into module options like RHOSTS. With a critical CVSS 9.3 score and no public exploit identified at time of analysis, this vulnerability poses significant risk to environments using this library for automated penetration testing workflows. The flaw enables attackers to break command structure in console.run_module_with_output() calls, potentially manipulating Metasploit sessions and executing unintended security operations.
Electron's moveToApplicationsFolder() API on macOS improperly sanitizes application bundle paths in AppleScript fallback code, allowing arbitrary AppleScript execution when a user accepts a move-to-Applications prompt on a system with a crafted path. Remote code execution is possible if an attacker can control the installation path or launch context of an Electron application; however, this requires user interaction (accepting the move prompt) and is limited to local attack surface. No public exploit code or active exploitation has been identified. CVSS 6.5 reflects moderate risk due to local-only attack vector and user interaction requirement, though the impact (code execution) is severe.
Remote authenticated OS command injection in TrendNet TEW-657BRM 1.00.1 router via the vpn_drop function in /setup.cgi allows low-privileged attackers to execute arbitrary commands with limited impact on system confidentiality, integrity, and availability. The vendor confirmed the product reached end-of-life on June 23, 2011, and will not provide support or patches. Public exploit code exists, but this vulnerability affects only discontinued hardware no longer receiving vendor maintenance.
Remote authenticated command injection in TrendNet TEW-657BRM 1.00.1 allows manipulation of the policy_name parameter in the vpn_connect function of /setup.cgi to achieve operating system command execution with limited impact. The affected router has been end-of-life since June 2011 and is no longer supported by the vendor; however, publicly available exploit code exists and the vulnerability demonstrates real command injection capability despite the legacy product status.
OS command injection in Trendnet TEW-657BRM 1.00.1 ping_test function allows authenticated remote attackers to execute arbitrary commands via manipulation of the c4_IPAddr parameter in /setup.cgi. Publicly available exploit code exists. The device has been end-of-life since June 2011 and is no longer supported by the vendor, making patching infeasible for affected users.
Remote code execution via OS command injection in TrendNet TEW-657BRM 1.00.1 allows authenticated attackers to execute arbitrary commands through the pcdb_list parameter in /setup.cgi. The affected device has been end-of-life since June 2011 with no vendor support; publicly available exploit code exists but real-world impact is limited to legacy, unsupported hardware.
OS command injection in TrendNet TEW-657BRM 1.00.1 router allows authenticated remote attackers to execute arbitrary commands via manipulation of the wl_enrolee_pin parameter in the /setup.cgi add_wps_client function. The vendor discontinued this product in June 2011 and provides no support; publicly available exploit code exists but real-world risk is minimal given the product's 14+ year obsolescence and the authentication requirement.
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_smtp.cgi. The vulnerability stems from incomplete regular expression validation enabling Perl open() injection. With CVSS 8.7 severity and a low attack complexity (AC:L), this represents a critical post-authentication compromise vector. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide sufficient information for exploit development by threat actors with valid credentials.
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbitrary operating system commands through command injection in the logs_openvpn.cgi DATE parameter. The vulnerability stems from inadequate input validation in a Perl open() call, enabling attackers to break out of intended file path operations. CVSS 8.7 reflects the severe impact (complete system compromise) despite requiring authentication. EPSS and KEV data not provided; no public exploit identified at time of analysis, though the technical details disclosed suggest exploitation development is straightforward for authenticated attackers.
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to execute arbitrary OS commands via command injection in the DATE parameter of /cgi-bin/logs_log.cgi. The vulnerability stems from incomplete regular expression validation in Perl open() file path handling. No public exploit identified at time of analysis, though CVSS 8.7 severity reflects high potential impact across confidentiality, integrity, and availability. EPSS data not provided; exploitation requires network access with low-privilege authentication but no user interaction.
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS commands with firewall appliance privileges via command injection in the DATE parameter of /cgi-bin/logs_ids.cgi. The vulnerability stems from incomplete regular expression validation before passing user input to Perl's open() function. CVSS score of 8.7 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No CISA KEV listing or public exploit code identified at time of analysis, though VulnCheck public disclosure increases weaponization risk for organizations using this legacy firewall appliance.
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_firewall.cgi. The vulnerability stems from inadequate regular expression validation that fails to prevent command injection in Perl open() calls. Authentication is required (PR:L), but once accessed, attackers gain high-impact control over confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide sufficient information for weaponization. EPSS data not available for this recent CVE.
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_clamav.cgi. The vulnerability stems from incomplete input validation before passing user-controlled data to Perl's open() function, enabling command injection. With CVSS 8.7 (High severity) and network-based exploitation requiring only low-privilege authentication, this represents a significant post-authentication attack surface. No public exploit identified at time of analysis, though the technical details provided enable reproduction.
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through the DATE parameter in /cgi-bin/logs_proxy.cgi due to incomplete input validation in Perl open() calls. Attack requires only low-privilege authentication (CVSS PR:L) with network access and no user interaction. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide a clear exploitation path for threat actors.
Command injection in Tenda G103 1.0.0.5 allows high-privileged remote attackers to execute arbitrary commands via the lanIp parameter in the action_set_system_settings function of system.lua. The vulnerability requires administrative credentials (PR:H) but has publicly available exploit code and impacts system confidentiality, integrity, and availability. CVSS score 5.1 reflects the elevated privilege requirement despite network-based attack vector.
Command injection in Tenda G103 1.0.0.5 setting handler allows high-privilege remote attackers to execute arbitrary commands via manipulation of multiple GPON authentication parameters (authLoid, authLoidPassword, authPassword, authSerialNo, authType, oltType, usVlanId, usVlanPriority) in the gpon.lua component. Publicly available exploit code exists, though the CVSS:3.1/AV:N/AC:L/PR:H vector indicates attacks require high administrative privileges and deliver limited impact (confidentiality, integrity, availability each L). This is a realistic but constrained threat: exploitation requires authenticated admin-level access to a device already on the network.
Remote command injection in DefaultFuction Content-Management-System 1.0 allows unauthenticated attackers to execute arbitrary OS commands via the host parameter in /admin/tools.php. The flaw has a publicly available exploit (POC published on GitHub) and is exploitable over the network with low attack complexity. EPSS data not available, not listed in CISA KEV. CVSS 7.3 reflects network-accessible, unauthenticated command injection with potential for confidentiality, integrity, and availability compromise.
Progress Flowmon versions prior to 12.5.8 allow authenticated low-privileged users to execute arbitrary commands on the server by crafting malicious requests during the report generation process. The vulnerability stems from improper input validation in the report generation functionality, enabling command injection attacks. While no CVSS score or public exploit code has been disclosed at time of analysis, the direct path to remote code execution via an authenticated user represents a significant risk to Flowmon deployments.
Command injection in efforthye fast-filesystem-mcp up to version 3.5.1 allows authenticated remote attackers to execute arbitrary system commands via the handleGetDiskUsage function in src/index.ts. The vulnerability has a CVSS score of 6.3 (medium) with publicly available exploit code and no vendor patch released despite early notification through issue tracking. Exploitation requires valid authentication credentials but carries low attack complexity.
Remote code execution in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows high-privileged authenticated attackers to achieve full system compromise through command injection in the generateSrpArray function. Exploitation requires the attacker to first write arbitrary data to the user table via another vulnerability, establishing a chained attack scenario. No public exploit identified at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once database write access is obtained.
Local privilege escalation via command injection in TECNO Pova7 Pro 5G AssistFeedbackService allows unprivileged Android applications to execute arbitrary code with system privileges. The vulnerability affects all TECNO Pova7 Pro 5G firmware versions and requires local app installation but no user interaction or special permissions beyond app execution capability. No public exploit code or active exploitation has been confirmed at time of analysis.
Command injection in PraisonAI's SubprocessSandbox allows authenticated local users to bypass all sandbox modes (BASIC, STRICT, NETWORK_ISOLATED) and execute arbitrary OS commands. The vulnerability stems from shell=True usage combined with inadequate blocklist filtering that omits 'sh' and 'bash' executables, enabling trivial escape via 'sh -c' wrapper. CVSS 8.8 (High) reflects scope change and complete CIA triad compromise. No active exploitation confirmed (not in CISA KEV), but GitHub advisory includes working proof-of-concept code. EPSS data not available for this recent CVE. Critical for deployments using PraisonAI's sandbox feature with untrusted agent code or exposed to prompt injection attacks.
Command injection in KubeAI Ollama model controller allows Kubernetes users with Model CRD write permissions to execute arbitrary shell commands inside model server pods. The vulnerability stems from unsanitized URL components (model ref and query parameters) being interpolated into bash startup probe scripts. With CVSS 8.7 (AV:N/AC:L/PR:H/UI:N/S:C), this represents a significant privilege escalation risk in multi-tenant clusters where Model creation is delegated to non-admin users. No public exploit identified at time of analysis, though detailed proof-of-concept payloads are documented in the GitHub advisory.
Arbitrary OS command execution in PraisonAI (Python package) versions prior to 4.5.69 allows remote unauthenticated attackers to execute commands as the process user via the unsanitized `--mcp` CLI argument. The vulnerability stems from passing user-controlled input directly to `shlex.split()` and `anyio.open_process()` without validation. CVSS 9.8 (Critical). Vendor-released patch available in version 4.5.69 (commit 47bff65). No public exploit code independently confirmed beyond the GitHub advisory PoC, and not listed in CISA KEV at time of analysis.
Command injection in PraisonAI's run_python() function allows authenticated local attackers to execute arbitrary operating system commands with the privileges of the application process. The vulnerability stems from incomplete input sanitization that fails to escape shell metacharacters ($() and backticks) before passing user-controlled code to subprocess.run() with shell=True. Attackers with low-privilege local access can exploit this to achieve full system compromise (confidentiality, integrity, and availability impact rated High). Proof-of-concept code demonstrates successful command injection via the praisonaiagents Python package. No active exploitation confirmed via CISA KEV at time of analysis, but publicly available exploit code exists in the GitHub security advisory.
Critical sandbox escape in praisonaiagents Python library allows remote unauthenticated attackers to execute arbitrary OS commands by exploiting a type-checking flaw in the _safe_getattr wrapper. The vulnerability affects pkg:pip/praisonaiagents and carries a maximum CVSS 10.0 score with network attack vector, no authentication required, and changed scope impact. Deployments using default autonomous modes (PRAISONAI_AUTO_APPROVE=true) execute attacker code silently without human confirmation, enabling indirect prompt injection attacks against AI agent pipelines. Publicly available exploit code exists with working proof-of-concept demonstrating full OS command execution via subprocess.Popen access.
Command injection vulnerability in IBM Security Verify Access and IBM Verify Identity Access (versions 10.0-10.0.9.1 and 11.0-11.0.2, both containerized and non-containerized deployments) allows remote unauthenticated attackers to execute arbitrary commands with lower user privileges. The vulnerability stems from improper validation of user-supplied input (CWE-78). With CVSS 7.3 and a network-accessible attack vector requiring no authentication or user interaction, this represents a significant exposure for internet-facing identity and access management infrastructure. No public exploit identified at time of analysis, and EPSS data is not provided. Vendor patch available per IBM advisory.
Command injection in Cisco IMC web management interface allows authenticated admin-level attackers to execute arbitrary commands as root through improper input validation. Affects Cisco Enterprise NFV Infrastructure Software, Unified Computing System (standalone), and UCS E-Series platforms. No public exploit code or active exploitation confirmed at time of analysis, but the high-privileged context and root-level impact necessitate swift patching.
Command injection in Cisco Integrated Management Controller (IMC) web interface allows authenticated attackers with read-only privileges to execute arbitrary commands as root. The CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only low-privilege authentication, with no public exploit identified at time of analysis. EPSS data not provided; CVE-2026 prefix suggests future disclosure.
Command injection in Cisco IMC web-based management interface allows authenticated remote attackers with admin-level privileges to execute arbitrary commands as root. The vulnerability stems from improper input validation in the web interface, enabling attackers to inject crafted commands that execute on the underlying operating system with elevated privileges. While the CVSS score is 6.5 (Medium), Cisco assigned a High Security Impact Rating due to the root-level code execution capability and potential for post-compromise lateral movement or system takeover.
Command injection in fastmcp install allows Windows users to execute arbitrary commands via shell metacharacters in server names. When installing a server with a name containing characters like `&` (e.g., `fastmcp install claude-code` with server name `test&calc`), the metacharacter is interpreted by cmd.exe during execution of .cmd wrapper scripts, leading to arbitrary command execution with user privileges. This affects Windows systems running claude or gemini CLI installations; macOS and Linux are unaffected. A patch is available via GitHub PR #3522.
Stored cross-site scripting (XSS) in SiYuan personal knowledge management system escalates to arbitrary operating system command execution on desktop clients. Authenticated attackers with low privileges can inject malicious URLs into Attribute View asset fields that execute JavaScript when victims view Gallery or Kanban layouts with "Cover From -> Asset Field" enabled. The Electron desktop client's configuration (nodeIntegration enabled, contextIsolation disabled) allows the XSS payload to break sandbox boundaries and execute arbitrary commands under the victim's OS account. CVSS 9.0 (Critical) with network attack vector, low complexity, and cross-scope impact. Vendor-released patch: version 3.6.2. No public exploit identified at time of analysis, though technical details are disclosed in GitHub advisory GHSA-rx4h-526q-4458.
Command injection in NVIDIA Jetson Linux initrd allows physical attackers to execute arbitrary code with elevated privileges across Jetson Xavier, Orin, and Thor series devices. An attacker with physical access can inject malicious command-line arguments during boot without authentication (CVSS:3.1/AV:P/AC:L/PR:N), leading to complete system compromise including root-level code execution, denial of service, and data exfiltration. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) and physical-only requirement (AV:P) suggest exploitation is straightforward for adversaries with device access.
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrary commands when models are served with enable_mlserver=True. Unsanitized model_uri parameters embedded in bash -c commands enable shell metacharacter exploitation (command substitution via $() or backticks). With CVSS 9.6 (Critical) and adjacent network attack vector, this poses significant risk in multi-tenant MLOps environments where lower-privileged users can control model URIs served by higher-privileged services. No public exploit code identified at time of analysis, with EPSS data not yet available for this recent CVE.
Command injection in Cato Networks Socket (versions prior to 25) enables authenticated administrators with web interface access to execute arbitrary commands as root on the underlying system. The vulnerability requires high-level privileges (CVSS PR:H) but offers complete system compromise once accessed, with network-based attack vector and low complexity. No public exploit identified at time of analysis, though the command injection class (CWE-78) is well-understood and straightforward to weaponize once administrative credentials are obtained.
Remote command injection in OpenClaw's iMessage attachment staging mechanism (versions prior to 2026.3.13) allows unauthenticated network attackers to execute arbitrary commands on configured remote hosts via malicious attachment paths. The critical flaw stems from unsanitized shell metacharacters passed directly to SCP operations, achieving full system compromise (CVSS 9.8) when remote attachment staging is enabled. EPSS data and KEV status not provided; publicly available exploit code exists (the GitHub commit demonstrates the fix, implying POC-level understanding in the security community).
Remote command injection in TRENDnet TEW-713RE firmware up to version 1.02 allows authenticated remote attackers to execute arbitrary commands via the admuser parameter in the /goform/setSysAdm endpoint. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts, leaving all affected devices without a vendor-released patch.
Command injection in TRENDnet TEW-713RE firmware up to version 1.02 allows authenticated remote attackers to execute arbitrary commands via manipulation of the dest parameter in the /goform/addRouting function. The vulnerability has a CVSS score of 6.3 and publicly available exploit code exists; the vendor has not responded to early disclosure attempts, leaving affected devices without an official patch.
Command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the vlanPriLan3 parameter in the setIptvCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a publicly available exploit and carries moderate severity (CVSS 6.3) with confirmed exploitability signals (EPSS P/E indicator). Successful exploitation grants an authenticated attacker the ability to manipulate VLAN priority settings and potentially gain code execution on the affected router.
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via manipulation of the rxRate parameter in the setWiFiBasicCfg function at /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 with publicly available exploit code, making it a moderate-priority issue for affected device administrators despite requiring prior authentication.
Command injection in Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows unauthenticated remote attackers to execute arbitrary system commands via the setSyslogCfg function in /cgi-bin/cstecgi.cgi. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. The CVSS vector (AV:N/AC:L/PR:N) confirms network-accessible exploitation with low complexity and no authentication required, enabling pre-authentication remote code execution on affected routers.
OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands on the server with application privileges. Affects baserCMS versions prior to 5.2.3. Vendor-released patch available in version 5.2.3. CVSS 9.1 reflects high impact with changed scope, though exploitation requires high-privilege administrator access (PR:H). No public exploit identified at time of analysis. EPSS data not provided, but attack complexity is low (AC:L) once admin credentials are obtained.
OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system commands during the installation process. The vulnerability exists in the installer component and has been patched in version 5.2.3. Attack complexity appears low given the installer context, though CVSS metrics are unavailable for detailed severity assessment.
OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary system commands on the server. The vulnerability affects baserCMS versions prior to 5.2.3, stemming from improper sanitization of user-controlled input passed directly to exec() functions. With CVSS 9.1 (Critical) due to network accessibility, low complexity, and cross-scope impact, this represents a severe risk in multi-tenant or managed hosting environments where administrative boundaries must be enforced. EPSS data not available, no CISA KEV listing confirmed, and authentication requirements (PR:H) limit exploit surface to compromised or malicious administrator accounts.
InfCode's terminal auto-execution module fails to properly validate PowerShell commands due to an ineffective blacklist and lack of semantic parsing, allowing attackers to bypass command filtering through syntax obfuscation. When a user imports a specially crafted file into the IDE, the Agent executes arbitrary PowerShell commands without user confirmation, leading to remote code execution or sensitive data exfiltration. No public exploit code or active exploitation has been confirmed at time of analysis.
Prompt injection attacks in Sixth's automatic terminal command execution feature bypass the model-based safety classification system, allowing attackers to execute arbitrary commands without user approval by wrapping malicious payloads in templates that mislead the AI into treating them as safe operations.
Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding literal newline characters within command payloads, forcing the system to execute arbitrary OS commands without user interaction. The vulnerability exploits ineffective string-based parsing that fails to sanitize newline separators, enabling attackers to chain whitelisted commands (e.g., git log) with malicious code that PowerShell interprets as sequential commands. No CVSS score, EPSS data, or KEV confirmation available; exploitation status and real-world impact remain unconfirmed.
Remote code execution in Ridvay Code's command auto-approval module allows unauthenticated attackers to bypass whitelist protections via shell command substitution syntax ($(…) and backticks) embedded in seemingly benign git commands, achieving code execution without user interaction. The vulnerability exploits inadequate regular expression validation that fails to detect shell metacharacters in command arguments, enabling attackers to inject arbitrary commands that execute with the privileges of the Ridvay Code process.
Remote code execution in Ridvay Code's command auto-approval module allows unauthenticated attackers to bypass whitelist security controls via shell command substitution syntax (e.g., $(...) or backticks) embedded in command arguments. The vulnerability stems from insufficient regular expression validation that fails to detect command injection payloads, permitting an attacker to execute arbitrary OS commands with automatic approval. No user interaction is required; a crafted command such as git log --grep="$(malicious_command)" will be misidentified as safe and executed by the underlying shell, resulting in remote code execution.
Command injection in Tenda CH22 1.0.0.1 via the FormWriteFacMac function allows authenticated remote attackers to execute arbitrary commands by manipulating the mac parameter in the /goform/WriteFacMac endpoint. Publicly available exploit code exists for this vulnerability, which carries a CVSS score of 6.3 and requires low-privilege authentication to trigger.
Remote code execution in Vim versions before 9.2.0272 executes arbitrary commands immediately upon opening a malicious file through %{expr} injection in tabpanel components lacking the P_MLE flag. This unauthenticated local attack requires no user interaction beyond opening the file, with CVSS 9.2 (Critical) reflecting scope change and high confidentiality/integrity impact. Vendor-released patch available in version 9.2.0272.
Command injection in Glances Python monitoring tool allows local authenticated users to execute arbitrary system commands via malicious configuration files. Attackers with write access to Glances configuration files can embed shell commands in backtick-enclosed strings that execute automatically during config parsing with the privileges of the Glances process. In environments where Glances runs as a system service with elevated privileges, this enables privilege escalation from low-privileged user to root. CVSS 7.8 (High) with local attack vector requiring low privileges. Public exploit code exists in the advisory. EPSS data not available, not listed in CISA KEV.
OS command injection in raine consult-llm-mcp up to version 2.5.3 allows local authenticated users to execute arbitrary system commands via manipulation of git_diff.base_ref or git_diff.files arguments passed to child_process.execSync in src/server.ts. The vulnerability requires local access and valid credentials (privilege level L), has a CVSS score of 5.3 with medium impact on confidentiality, integrity, and availability, and publicly available exploit code exists. Vendor-released patch addresses the issue in version 2.5.4.
Insecure Direct Object Reference (IDOR) in nginx-ui up to v2.3.3 allows authenticated low-privilege users to access, modify, and delete any resource across all user accounts, including plaintext DNS provider API tokens (Cloudflare, AWS Route53, Alibaba Cloud) and ACME private keys. The application's base Model struct lacks user_id fields, and all resource endpoints query by ID without ownership verification. CVSS 8.8 reflects scope change to external services—stolen Cloudflare tokens enable DNS hijacking and fraudulent certificate issuance. No public exploit identified at time of analysis, but trivial to execute via standard HTTP requests. Vendor-released patch: v2.3.4.
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply malicious artifacts via the `env_manager=LOCAL` parameter. The `_install_model_dependencies_to_env()` function unsafely interpolates dependency specifications from `python_env.yaml` directly into shell commands without sanitization. With CVSS 10.0 (network-accessible, no authentication, no complexity) and publicly available exploit code (reported via Huntr bug bounty, patched in 3.8.2), this represents an immediate critical risk for organizations using MLflow model serving infrastructure. EPSS data not available, but the exploitation scenario is straightforward for adversaries with model deployment access.
Command injection in Totolink A3300R firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via manipulation of the pptpPassThru parameter in the setVpnPassCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (medium severity) with network-accessible attack vector and low complexity; publicly available exploit code exists, making this an actionable threat for affected deployments.
Command injection in Totolink A3300R router firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via a crafted ip parameter in the setStaticRoute function of /cgi-bin/cstecgi.cgi. The vulnerability carries a CVSS score of 6.3 (medium severity) with public exploit code available, enabling potential compromise of router configuration and data integrity.
Remote command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the enable parameter in the setUPnPCfg function at /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the vulnerability has a CVSS score of 6.3 with confirmed proof-of-concept demonstrated on GitHub.
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary system commands via the qos_up_bw parameter in the setSmartQosCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (medium severity) with low attack complexity, and publicly available exploit code exists, though no active exploitation via CISA KEV has been confirmed at time of analysis.
Remote code execution in Roo Code's command auto-approval module allows unauthenticated attackers to bypass the whitelist security mechanism via shell command substitution in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(...) and backtick syntax, enabling an attacker to inject malicious commands (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS scoring, KEV status, or official patch information is currently available.
Remote code execution in Syntx's command auto-approval module allows unauthenticated attackers to bypass whitelist security via shell command substitution syntax in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(…) and backtick command substitution patterns, enabling an attacker to inject malicious commands within seemingly benign git operations (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS score or KEV status data available; no public exploit code confirmed at time of analysis.
Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding newline characters in command payloads, forcing automatic approval and sequential execution of arbitrary OS commands via PowerShell without user interaction.
Command injection in Totolink A3300R firmware versions up to 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the lanIp parameter in the setLanCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists for this vulnerability. With a CVSS score of 5.3 and moderate real-world exploitability, this presents a meaningful risk to affected router installations.
Command injection in NSA Ghidra (versions before 12.0.3) executes arbitrary commands when analysts click on maliciously crafted binary comments. Attackers embed @execute annotation directives in binary data (e.g., CFStrings in Mach-O files) that Ghidra auto-extracts and renders as clickable UI elements, bypassing the intended trust boundary for user-authored annotations. No public exploit identified at time of analysis, though the attack vector is well-documented in vendor advisory. EPSS data not available; CVSS 8.8 reflects high impact contingent on user interaction with a weaponized binary file.
Remote code execution with root privileges affects Xiongmai DVR/NVR devices (models AHB7008T-MH-V2 and NBD7024H-P running firmware 4.03.R11) via authenticated OS command injection through the proprietary DVRIP protocol on TCP port 34567. Low-privileged authenticated attackers can inject shell metacharacters into the HostName parameter of NetWork.NetCommon configuration requests, achieving full system compromise due to unsafe system() function usage. CVSS 8.8 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.
Command injection in njzjz/wenxian GitHub Actions workflow allows unauthenticated remote attackers to execute arbitrary code on CI/CD runners via malicious issue comments. The workflow directly interpolates untrusted user input from issue_comment.body into shell commands without sanitization, enabling attackers to break out of command context and run arbitrary commands. Publicly available exploit code exists with working proof-of-concept demonstrating execution of injected commands. EPSS data not available, but the low attack complexity (AC:L) and unauthenticated access (PR:N) combined with confirmed POC make this a critical risk for any deployment using the vulnerable workflow.
Command injection in code-projects Chamber of Commerce Membership Management System 1.0 allows authenticated remote attackers with high privileges to execute arbitrary commands via manipulation of the mailSubject and mailMessage parameters in the admin/pageMail.php file. The vulnerability has a publicly available exploit and a moderate CVSS score of 4.7, but real-world risk is constrained by the requirement for high-privilege authenticated access.
Command injection in Totolink NR1800X firmware 9.1.0u.6279_B20210910 allows authenticated remote attackers to execute arbitrary commands via the host_time parameter in the NTPSyncWithHost function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (medium severity) with publicly available exploit code, though it requires valid login credentials to exploit. Real-world risk is moderate given the authentication requirement and moderate EPSS probability (indicated by E:P in vector).
OS command injection in DeDeveloper23 codebase-mcp allows local authenticated attackers to execute arbitrary system commands through the getCodebase, getRemoteCodebase, and saveCodebase functions in src/tools/codebase.ts. The vulnerability affects all versions up to commit 3ec749d237dd8eabbeef48657cf917275792fde6, with publicly available exploit code disclosed via GitHub issue #7. Given the local attack requirement and authenticated privilege escalation prerequisite (PR:L), real-world exploitation requires an already-compromised local account with legitimate tool access, though EPSS score of 5.3 reflects moderate practical risk in shared development environments.
Command injection in Totolink A3600R firmware 4.1.2cu.5182_B20201102 allows authenticated remote attackers to execute arbitrary commands via the NoticeUrl parameter in the setNoticeCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (low-to-medium severity) but is confirmed by publicly available exploit code, making it an active threat to deployed devices despite the authentication requirement.
Operating system command injection in elecV2P up to version 3.8.3 allows unauthenticated remote attackers to execute arbitrary commands through the pm2run function in the /rpc endpoint. The vulnerability has a CVSS score of 6.9 with publicly available exploit code, though the vendor has not yet responded to early notification of the issue. This represents a moderate-to-high risk for exposed elecV2P instances due to the combination of remote exploitability, low attack complexity, and confirmed public exploit availability.
OS command injection in kazuph mcp-docs-rag through version 0.5.0 allows local attackers with limited privileges to execute arbitrary commands via the cloneRepository function in src/index.ts. The vulnerability affects the add_git_repository and add_text_file components, with publicly available exploit code demonstrating the attack. No vendor patch has been released despite early notification through a GitHub issue.
Remote code execution in gematik Authenticator (macOS) versions 4.12.0 through 4.15.x enables malicious file-triggered command injection when victims open crafted documents. This CWE-78 OS command injection flaw requires no authentication but depends on user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). No public exploit identified at time of analysis; EPSS data not available. The authenticator serves German digital health applications, making this a high-impact target for healthcare sector attacks.
Remote code execution with root privileges in Pi-hole Admin Interface versions prior to 6.0 allows unauthenticated attackers to execute arbitrary system commands. The vulnerability stems from unsanitized user input in the 'webtheme' parameter being concatenated directly into sudo-privileged exec() calls in savesettings.php. With CVSS 8.9 (Critical), network-accessible attack vector, and low complexity, this represents a severe compromise risk for Pi-hole deployments exposed to untrusted networks. Proof-of-concept code exists (CVSS E:P metric indicates exploitation proof available).
Command injection in Flannel's experimental Extension backend allows authenticated Kubernetes users with node annotation privileges to execute arbitrary commands as root on all flannel nodes in the cluster. This affects Flannel versions prior to 0.28.2 using the Extension backend; other backends (vxlan, wireguard) are unaffected. No public exploit identified at time of analysis, but CVSS 7.5 reflects high impact once node annotation access is achieved. EPSS data not available for this recent CVE (2026 designation appears to be error; actual 2025 advisory).
Command injection in nektos/act (GitHub Actions local runner) allows attackers to execute arbitrary code by embedding deprecated workflow commands in untrusted input. Act versions prior to 0.2.86 unconditionally process ::set-env:: and ::add-path:: commands that GitHub Actions disabled in 2020, enabling PATH hijacking and environment variable injection when workflows echo PR titles, branch names, or commit messages. Publicly available exploit code exists with working proof-of-concept demonstrating NODE_OPTIONS and LD_PRELOAD injection vectors. This creates a critical supply chain risk where workflows safe on GitHub Actions become exploitable when developers test them locally with act.
Fleet device management software versions prior to 4.81.1 are vulnerable to command injection in the software installer pipeline, enabling remote attackers with high privileges to achieve arbitrary code execution as root on macOS/Linux or SYSTEM on Windows when triggering uninstall operations on crafted software packages. The vulnerability requires high privileges and user interaction but delivers complete system compromise on affected managed hosts. No public exploit code or active exploitation has been identified at time of analysis.
OS command injection in NEC Platforms Aterm wireless router series (models WX1500HP and WX3600HP) permits authenticated network attackers with high privileges to execute arbitrary operating system commands on affected devices. The vulnerability requires user interaction and high attack complexity (CVSS 4.0 score 7.1), with no public exploit identified at time of analysis. NEC Platforms has published a security advisory detailing the issue.
Multiple NEC Aterm wireless router models are vulnerable to OS command injection that enables network-based attackers with high privileges and user interaction to execute arbitrary operating system commands. The vulnerability carries a CVSS 4.0 score of 7.1 and affects at least eight router models in the Aterm series including WG2600HS, WF1200CR, WG1200CR, WG2600HP4, WG2600HM4, WG2600HS2, WX3000HP, and WX3000HP2. No public exploit identified at time of analysis, though exploitation requires both elevated privileges and user interaction which reduces immediate risk.
Remote OS command injection in BUFFALO Wi-Fi router products allows unauthenticated attackers to execute arbitrary operating system commands with user interaction required. The vulnerability affects multiple BUFFALO Wi-Fi router models as confirmed by CPE designation and carries a CVSS score of 8.8 (High severity). While attack complexity is low and no privileges are required, successful exploitation depends on user interaction, reducing immediate attack surface. No public exploit identified at time of analysis, and exploitation probability metrics are not available in provided intelligence.
CodeRider-Kilo's command auto-approval module fails to correctly parse Windows CMD escape sequences (^), allowing attackers to bypass its Git command whitelist and achieve arbitrary remote code execution. The vulnerability exploits a mismatch between the Unix-based shell-quote parser used for validation and the actual Windows CMD interpreter behavior, enabling attackers to inject malicious commands through crafted payloads such as git log ^" & malicious_command ^". No public exploit code or active exploitation has been confirmed at the time of analysis.
A command injection vulnerability in the command auto-approval module of Axon Code (CVSS 9.8) is rated Critical severity, with potential for significant impact on affected systems.
Unauthenticated remote code execution as root is possible in thingino-firmware through the WiFi captive portal CGI script due to command injection in query and POST parameter parsing. Attackers on the adjacent network (AV:A) can inject arbitrary commands through unsanitized HTTP parameter names, enabling full device takeover including root password reset and SSH key manipulation for persistent access. No public exploit is identified at time of analysis, though VulnCheck has published an advisory detailing the vulnerability mechanics.
Langflow's Agentic Assistant feature executes LLM-generated Python code server-side during component validation, enabling arbitrary code execution when attackers can influence model outputs. The vulnerability affects the pip package 'langflow' and exists in endpoints /assist and streaming paths that invoke exec() on dynamically generated component code. A proof-of-concept exists demonstrating the execution chain from user input through validation to code execution. Authentication requirements depend on deployment configuration, with AUTO_LOGIN=true defaults potentially widening exposure. No public exploit identified at time of analysis beyond the documented PoC, though the technical details and code references provide a complete exploitation blueprint.
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vectors including Cross-Site Scripting (XSS), SQL Injection, and Command Injection. Authenticated attackers can exploit this vulnerability to inject and execute arbitrary code within the application context. No public exploit code or active exploitation has been identified at time of analysis, and the moderate CVSS score of 3.5 reflects limited confidentiality impact with user interaction required.
Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash commands with root privileges inside the application container by exploiting public webhook endpoints that trigger automation workflows. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78) and requires no authentication, though the CVSS complexity is rated high (AC:H). A vendor-released patch is available in version 3.33.4, with the fix publicly documented in GitHub pull request #18238 and commit f0c731b4.
Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute arbitrary system commands through the bash automation step feature. The vulnerability stems from unsanitized user input processed via template interpolation in execSync calls, allowing command injection with low attack complexity. No public exploit identified at time of analysis, though the technical details disclosed in the GitHub Security Advisory provide a clear exploitation path for authenticated users with automation privileges.
Command injection in pymetasploit3 Python library (versions ≤1.0.6) allows unauthenticated remote attackers to execute arbitrary Metasploit console commands by injecting newline characters into module options like RHOSTS. With a critical CVSS 9.3 score and no public exploit identified at time of analysis, this vulnerability poses significant risk to environments using this library for automated penetration testing workflows. The flaw enables attackers to break command structure in console.run_module_with_output() calls, potentially manipulating Metasploit sessions and executing unintended security operations.
Electron's moveToApplicationsFolder() API on macOS improperly sanitizes application bundle paths in AppleScript fallback code, allowing arbitrary AppleScript execution when a user accepts a move-to-Applications prompt on a system with a crafted path. Remote code execution is possible if an attacker can control the installation path or launch context of an Electron application; however, this requires user interaction (accepting the move prompt) and is limited to local attack surface. No public exploit code or active exploitation has been identified. CVSS 6.5 reflects moderate risk due to local-only attack vector and user interaction requirement, though the impact (code execution) is severe.
Remote authenticated OS command injection in TrendNet TEW-657BRM 1.00.1 router via the vpn_drop function in /setup.cgi allows low-privileged attackers to execute arbitrary commands with limited impact on system confidentiality, integrity, and availability. The vendor confirmed the product reached end-of-life on June 23, 2011, and will not provide support or patches. Public exploit code exists, but this vulnerability affects only discontinued hardware no longer receiving vendor maintenance.
Remote authenticated command injection in TrendNet TEW-657BRM 1.00.1 allows manipulation of the policy_name parameter in the vpn_connect function of /setup.cgi to achieve operating system command execution with limited impact. The affected router has been end-of-life since June 2011 and is no longer supported by the vendor; however, publicly available exploit code exists and the vulnerability demonstrates real command injection capability despite the legacy product status.
OS command injection in Trendnet TEW-657BRM 1.00.1 ping_test function allows authenticated remote attackers to execute arbitrary commands via manipulation of the c4_IPAddr parameter in /setup.cgi. Publicly available exploit code exists. The device has been end-of-life since June 2011 and is no longer supported by the vendor, making patching infeasible for affected users.
Remote code execution via OS command injection in TrendNet TEW-657BRM 1.00.1 allows authenticated attackers to execute arbitrary commands through the pcdb_list parameter in /setup.cgi. The affected device has been end-of-life since June 2011 with no vendor support; publicly available exploit code exists but real-world impact is limited to legacy, unsupported hardware.
OS command injection in TrendNet TEW-657BRM 1.00.1 router allows authenticated remote attackers to execute arbitrary commands via manipulation of the wl_enrolee_pin parameter in the /setup.cgi add_wps_client function. The vendor discontinued this product in June 2011 and provides no support; publicly available exploit code exists but real-world risk is minimal given the product's 14+ year obsolescence and the authentication requirement.
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_smtp.cgi. The vulnerability stems from incomplete regular expression validation enabling Perl open() injection. With CVSS 8.7 severity and a low attack complexity (AC:L), this represents a critical post-authentication compromise vector. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide sufficient information for exploit development by threat actors with valid credentials.
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbitrary operating system commands through command injection in the logs_openvpn.cgi DATE parameter. The vulnerability stems from inadequate input validation in a Perl open() call, enabling attackers to break out of intended file path operations. CVSS 8.7 reflects the severe impact (complete system compromise) despite requiring authentication. EPSS and KEV data not provided; no public exploit identified at time of analysis, though the technical details disclosed suggest exploitation development is straightforward for authenticated attackers.
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to execute arbitrary OS commands via command injection in the DATE parameter of /cgi-bin/logs_log.cgi. The vulnerability stems from incomplete regular expression validation in Perl open() file path handling. No public exploit identified at time of analysis, though CVSS 8.7 severity reflects high potential impact across confidentiality, integrity, and availability. EPSS data not provided; exploitation requires network access with low-privilege authentication but no user interaction.
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS commands with firewall appliance privileges via command injection in the DATE parameter of /cgi-bin/logs_ids.cgi. The vulnerability stems from incomplete regular expression validation before passing user input to Perl's open() function. CVSS score of 8.7 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No CISA KEV listing or public exploit code identified at time of analysis, though VulnCheck public disclosure increases weaponization risk for organizations using this legacy firewall appliance.
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_firewall.cgi. The vulnerability stems from inadequate regular expression validation that fails to prevent command injection in Perl open() calls. Authentication is required (PR:L), but once accessed, attackers gain high-impact control over confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide sufficient information for weaponization. EPSS data not available for this recent CVE.
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_clamav.cgi. The vulnerability stems from incomplete input validation before passing user-controlled data to Perl's open() function, enabling command injection. With CVSS 8.7 (High severity) and network-based exploitation requiring only low-privilege authentication, this represents a significant post-authentication attack surface. No public exploit identified at time of analysis, though the technical details provided enable reproduction.
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through the DATE parameter in /cgi-bin/logs_proxy.cgi due to incomplete input validation in Perl open() calls. Attack requires only low-privilege authentication (CVSS PR:L) with network access and no user interaction. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide a clear exploitation path for threat actors.
Command injection in Tenda G103 1.0.0.5 allows high-privileged remote attackers to execute arbitrary commands via the lanIp parameter in the action_set_system_settings function of system.lua. The vulnerability requires administrative credentials (PR:H) but has publicly available exploit code and impacts system confidentiality, integrity, and availability. CVSS score 5.1 reflects the elevated privilege requirement despite network-based attack vector.
Command injection in Tenda G103 1.0.0.5 setting handler allows high-privilege remote attackers to execute arbitrary commands via manipulation of multiple GPON authentication parameters (authLoid, authLoidPassword, authPassword, authSerialNo, authType, oltType, usVlanId, usVlanPriority) in the gpon.lua component. Publicly available exploit code exists, though the CVSS:3.1/AV:N/AC:L/PR:H vector indicates attacks require high administrative privileges and deliver limited impact (confidentiality, integrity, availability each L). This is a realistic but constrained threat: exploitation requires authenticated admin-level access to a device already on the network.
Remote command injection in DefaultFuction Content-Management-System 1.0 allows unauthenticated attackers to execute arbitrary OS commands via the host parameter in /admin/tools.php. The flaw has a publicly available exploit (POC published on GitHub) and is exploitable over the network with low attack complexity. EPSS data not available, not listed in CISA KEV. CVSS 7.3 reflects network-accessible, unauthenticated command injection with potential for confidentiality, integrity, and availability compromise.
Progress Flowmon versions prior to 12.5.8 allow authenticated low-privileged users to execute arbitrary commands on the server by crafting malicious requests during the report generation process. The vulnerability stems from improper input validation in the report generation functionality, enabling command injection attacks. While no CVSS score or public exploit code has been disclosed at time of analysis, the direct path to remote code execution via an authenticated user represents a significant risk to Flowmon deployments.
Command injection in efforthye fast-filesystem-mcp up to version 3.5.1 allows authenticated remote attackers to execute arbitrary system commands via the handleGetDiskUsage function in src/index.ts. The vulnerability has a CVSS score of 6.3 (medium) with publicly available exploit code and no vendor patch released despite early notification through issue tracking. Exploitation requires valid authentication credentials but carries low attack complexity.
Remote code execution in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows high-privileged authenticated attackers to achieve full system compromise through command injection in the generateSrpArray function. Exploitation requires the attacker to first write arbitrary data to the user table via another vulnerability, establishing a chained attack scenario. No public exploit identified at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once database write access is obtained.
Local privilege escalation via command injection in TECNO Pova7 Pro 5G AssistFeedbackService allows unprivileged Android applications to execute arbitrary code with system privileges. The vulnerability affects all TECNO Pova7 Pro 5G firmware versions and requires local app installation but no user interaction or special permissions beyond app execution capability. No public exploit code or active exploitation has been confirmed at time of analysis.
Command injection in PraisonAI's SubprocessSandbox allows authenticated local users to bypass all sandbox modes (BASIC, STRICT, NETWORK_ISOLATED) and execute arbitrary OS commands. The vulnerability stems from shell=True usage combined with inadequate blocklist filtering that omits 'sh' and 'bash' executables, enabling trivial escape via 'sh -c' wrapper. CVSS 8.8 (High) reflects scope change and complete CIA triad compromise. No active exploitation confirmed (not in CISA KEV), but GitHub advisory includes working proof-of-concept code. EPSS data not available for this recent CVE. Critical for deployments using PraisonAI's sandbox feature with untrusted agent code or exposed to prompt injection attacks.
Command injection in KubeAI Ollama model controller allows Kubernetes users with Model CRD write permissions to execute arbitrary shell commands inside model server pods. The vulnerability stems from unsanitized URL components (model ref and query parameters) being interpolated into bash startup probe scripts. With CVSS 8.7 (AV:N/AC:L/PR:H/UI:N/S:C), this represents a significant privilege escalation risk in multi-tenant clusters where Model creation is delegated to non-admin users. No public exploit identified at time of analysis, though detailed proof-of-concept payloads are documented in the GitHub advisory.
Arbitrary OS command execution in PraisonAI (Python package) versions prior to 4.5.69 allows remote unauthenticated attackers to execute commands as the process user via the unsanitized `--mcp` CLI argument. The vulnerability stems from passing user-controlled input directly to `shlex.split()` and `anyio.open_process()` without validation. CVSS 9.8 (Critical). Vendor-released patch available in version 4.5.69 (commit 47bff65). No public exploit code independently confirmed beyond the GitHub advisory PoC, and not listed in CISA KEV at time of analysis.
Command injection in PraisonAI's run_python() function allows authenticated local attackers to execute arbitrary operating system commands with the privileges of the application process. The vulnerability stems from incomplete input sanitization that fails to escape shell metacharacters ($() and backticks) before passing user-controlled code to subprocess.run() with shell=True. Attackers with low-privilege local access can exploit this to achieve full system compromise (confidentiality, integrity, and availability impact rated High). Proof-of-concept code demonstrates successful command injection via the praisonaiagents Python package. No active exploitation confirmed via CISA KEV at time of analysis, but publicly available exploit code exists in the GitHub security advisory.
Critical sandbox escape in praisonaiagents Python library allows remote unauthenticated attackers to execute arbitrary OS commands by exploiting a type-checking flaw in the _safe_getattr wrapper. The vulnerability affects pkg:pip/praisonaiagents and carries a maximum CVSS 10.0 score with network attack vector, no authentication required, and changed scope impact. Deployments using default autonomous modes (PRAISONAI_AUTO_APPROVE=true) execute attacker code silently without human confirmation, enabling indirect prompt injection attacks against AI agent pipelines. Publicly available exploit code exists with working proof-of-concept demonstrating full OS command execution via subprocess.Popen access.
Command injection vulnerability in IBM Security Verify Access and IBM Verify Identity Access (versions 10.0-10.0.9.1 and 11.0-11.0.2, both containerized and non-containerized deployments) allows remote unauthenticated attackers to execute arbitrary commands with lower user privileges. The vulnerability stems from improper validation of user-supplied input (CWE-78). With CVSS 7.3 and a network-accessible attack vector requiring no authentication or user interaction, this represents a significant exposure for internet-facing identity and access management infrastructure. No public exploit identified at time of analysis; EPSS data not provided. Vendor patch available per IBM advisory.
Command injection in Cisco IMC web management interface allows authenticated admin-level attackers to execute arbitrary commands as root through improper input validation. Affects Cisco Enterprise NFV Infrastructure Software, Unified Computing System (standalone), and UCS E-Series platforms. No public exploit code or active exploitation confirmed at time of analysis, but the high-privileged context and root-level impact necessitate swift patching.
Command injection in Cisco Integrated Management Controller (IMC) web interface allows authenticated attackers with read-only privileges to execute arbitrary commands as root. The CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only low-privilege authentication, with no public exploit identified at time of analysis. EPSS data not provided; CVE-2026 prefix suggests future disclosure.
Command injection in Cisco IMC web-based management interface allows authenticated remote attackers with admin-level privileges to execute arbitrary commands as root. The vulnerability stems from improper input validation in the web interface, enabling attackers to inject crafted commands that execute on the underlying operating system with elevated privileges. While the CVSS score is 6.5 (Medium), Cisco assigned a High Security Impact Rating due to the root-level code execution capability and potential for post-compromise lateral movement or system takeover.
Command injection in fastmcp install allows Windows users to execute arbitrary commands via shell metacharacters in server names. When installing a server with a name containing characters like `&` (e.g., `fastmcp install claude-code` with server name `test&calc`), the metacharacter is interpreted by cmd.exe during execution of .cmd wrapper scripts, leading to arbitrary command execution with user privileges. This affects Windows systems running claude or gemini CLI installations; macOS and Linux are unaffected. A patch is available via GitHub PR #3522.
Stored cross-site scripting (XSS) in SiYuan personal knowledge management system escalates to arbitrary operating system command execution on desktop clients. Authenticated attackers with low privileges can inject malicious URLs into Attribute View asset fields that execute JavaScript when victims view Gallery or Kanban layouts with "Cover From -> Asset Field" enabled. The Electron desktop client's configuration (nodeIntegration enabled, contextIsolation disabled) allows the XSS payload to break sandbox boundaries and execute arbitrary commands under the victim's OS account. CVSS 9.0 (Critical) with network attack vector, low complexity, and cross-scope impact. Vendor-released patch: version 3.6.2. No public exploit identified at time of analysis, though technical details are disclosed in GitHub advisory GHSA-rx4h-526q-4458.
Command injection in NVIDIA Jetson Linux initrd allows physical attackers to execute arbitrary code with elevated privileges across Jetson Xavier, Orin, and Thor series devices. An attacker with physical access can inject malicious command-line arguments during boot without authentication (CVSS:3.1/AV:P/AC:L/PR:N), leading to complete system compromise including root-level code execution, denial of service, and data exfiltration. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) and physical-only requirement (AV:P) suggest exploitation is straightforward for adversaries with device access.
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrary commands when models are served with enable_mlserver=True. Unsanitized model_uri parameters embedded in bash -c commands enable shell metacharacter exploitation (command substitution via $() or backticks). With CVSS 9.6 (Critical) and adjacent network attack vector, this poses significant risk in multi-tenant MLOps environments where lower-privileged users can control model URIs served by higher-privileged services. No public exploit code identified at time of analysis, with EPSS data not yet available for this recent CVE.
Command injection in Cato Networks Socket (versions prior to 25) enables authenticated administrators with web interface access to execute arbitrary commands as root on the underlying system. The vulnerability requires high-level privileges (CVSS PR:H) but offers complete system compromise once accessed, with network-based attack vector and low complexity. No public exploit identified at time of analysis, though the command injection class (CWE-78) is well-understood and straightforward to weaponize once administrative credentials are obtained.
Remote command injection in OpenClaw's iMessage attachment staging mechanism (versions prior to 2026.3.13) allows unauthenticated network attackers to execute arbitrary commands on configured remote hosts via malicious attachment paths. The critical flaw stems from unsanitized shell metacharacters passed directly to SCP operations, achieving full system compromise (CVSS 9.8) when remote attachment staging is enabled. EPSS data and KEV status not provided; publicly available exploit code exists (the GitHub fix commit demonstrates the flaw, implying proof-of-concept-level understanding in the security community).
Remote command injection in TRENDnet TEW-713RE firmware up to version 1.02 allows authenticated remote attackers to execute arbitrary commands via the admuser parameter in the /goform/setSysAdm endpoint. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts, leaving all affected devices without a vendor-released patch.
Command injection in TRENDnet TEW-713RE firmware up to version 1.02 allows authenticated remote attackers to execute arbitrary commands via manipulation of the dest parameter in the /goform/addRouting function. The vulnerability has a CVSS score of 6.3 and publicly available exploit code exists; the vendor has not responded to early disclosure attempts, leaving affected devices without an official patch.
Command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the vlanPriLan3 parameter in the setIptvCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a publicly available exploit and carries moderate severity (CVSS 6.3) with confirmed exploitability signals (EPSS P/E indicator). Successful exploitation grants an authenticated attacker the ability to manipulate VLAN priority settings and potentially gain code execution on the affected router.
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via manipulation of the rxRate parameter in the setWiFiBasicCfg function at /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 with publicly available exploit code, making it a moderate-priority issue for affected device administrators despite requiring prior authentication.
Command injection in Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows unauthenticated remote attackers to execute arbitrary system commands via the setSyslogCfg function in /cgi-bin/cstecgi.cgi. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. The CVSS vector (AV:N/AC:L/PR:N) confirms network-accessible exploitation with low complexity and no authentication required, enabling pre-authentication remote code execution on affected routers.
OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands on the server with application privileges. Affects baserCMS versions prior to 5.2.3. Vendor-released patch available in version 5.2.3. CVSS 9.1 reflects high impact with changed scope, though exploitation requires high-privilege administrator access (PR:H). No public exploit identified at time of analysis. EPSS data not provided, but attack complexity is low (AC:L) once admin credentials are obtained.
OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system commands during the installation process. The vulnerability exists in the installer component and has been patched in version 5.2.3. Attack complexity appears low given the installer context, though CVSS metrics are unavailable for detailed severity assessment.
OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary system commands on the server. The vulnerability affects baserCMS versions prior to 5.2.3, stemming from improper sanitization of user-controlled input passed directly to exec() functions. With CVSS 9.1 (Critical) due to network accessibility, low complexity, and cross-scope impact, this represents a severe risk in multi-tenant or managed hosting environments where administrative boundaries must be enforced. EPSS data not available, no CISA KEV listing confirmed, and authentication requirements (PR:H) limit exploit surface to compromised or malicious administrator accounts.
InfCode's terminal auto-execution module fails to properly validate PowerShell commands due to an ineffective blacklist and lack of semantic parsing, allowing attackers to bypass command filtering through syntax obfuscation. When a user imports a specially crafted file into the IDE, the Agent executes arbitrary PowerShell commands without user confirmation, leading to remote code execution or sensitive data exfiltration. No public exploit code or active exploitation has been confirmed at time of analysis.
Prompt injection attacks in Sixth's automatic terminal command execution feature bypass the model-based safety classification system, allowing attackers to execute arbitrary commands without user approval by wrapping malicious payloads in templates that mislead the AI into treating them as safe operations.
Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding literal newline characters within command payloads, forcing the system to execute arbitrary OS commands without user interaction. The vulnerability exploits ineffective string-based parsing that fails to sanitize newline separators, enabling attackers to chain whitelisted commands (e.g., git log) with malicious code that PowerShell interprets as sequential commands. No CVSS score, EPSS data, or KEV confirmation available; exploitation status and real-world impact remain unconfirmed.
Remote code execution in Ridvay Code's command auto-approval module allows unauthenticated attackers to bypass whitelist protections via shell command substitution syntax ($(…) and backticks) embedded in seemingly benign git commands, achieving code execution without user interaction. The vulnerability exploits inadequate regular expression validation that fails to detect shell metacharacters in command arguments, enabling attackers to inject arbitrary commands that execute with the privileges of the Ridvay Code process.
Remote code execution in Ridvay Code's command auto-approval module allows unauthenticated attackers to bypass whitelist security controls via shell command substitution syntax (e.g., $(...) or backticks) embedded in command arguments. The vulnerability stems from insufficient regular expression validation that fails to detect command injection payloads, permitting an attacker to execute arbitrary OS commands with automatic approval. No user interaction is required; a crafted command such as git log --grep="$(malicious_command)" will be misidentified as safe and executed by the underlying shell, resulting in remote code execution.
Command injection in Tenda CH22 1.0.0.1 via the FormWriteFacMac function allows authenticated remote attackers to execute arbitrary commands by manipulating the mac parameter in the /goform/WriteFacMac endpoint. Publicly available exploit code exists for this vulnerability, which carries a CVSS score of 6.3 and requires low-privilege authentication to trigger.
Remote code execution in Vim versions before 9.2.0272 executes arbitrary commands immediately upon opening a malicious file through %{expr} injection in tabpanel components lacking the P_MLE flag. This unauthenticated local attack requires no user interaction beyond opening the file, with CVSS 9.2 (Critical) reflecting scope change and high confidentiality/integrity impact. Vendor-released patch available in version 9.2.0272.
Command injection in Glances Python monitoring tool allows local authenticated users to execute arbitrary system commands via malicious configuration files. Attackers with write access to Glances configuration files can embed shell commands in backtick-enclosed strings that execute automatically during config parsing with the privileges of the Glances process. In environments where Glances runs as a system service with elevated privileges, this enables privilege escalation from low-privileged user to root. CVSS 7.8 (High) with local attack vector requiring low privileges. Public exploit code exists in the advisory. EPSS data not available, not listed in CISA KEV.
OS command injection in raine consult-llm-mcp up to version 2.5.3 allows local authenticated users to execute arbitrary system commands via manipulation of git_diff.base_ref or git_diff.files arguments passed to child_process.execSync in src/server.ts. The vulnerability requires local access and valid credentials (privilege level L), has a CVSS score of 5.3 with medium impact on confidentiality, integrity, and availability, and publicly available exploit code exists. Vendor-released patch addresses the issue in version 2.5.4.
Insecure Direct Object Reference (IDOR) in nginx-ui up to v2.3.3 allows authenticated low-privilege users to access, modify, and delete any resource across all user accounts, including plaintext DNS provider API tokens (Cloudflare, AWS Route53, Alibaba Cloud) and ACME private keys. The application's base Model struct lacks user_id fields, and all resource endpoints query by ID without ownership verification. CVSS 8.8 reflects scope change to external services—stolen Cloudflare tokens enable DNS hijacking and fraudulent certificate issuance. No public exploit identified at time of analysis, but trivial to execute via standard HTTP requests. Vendor-released patch: v2.3.4.
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply malicious artifacts via the `env_manager=LOCAL` parameter. The `_install_model_dependencies_to_env()` function unsafely interpolates dependency specifications from `python_env.yaml` directly into shell commands without sanitization. With CVSS 10.0 (network-accessible, no authentication, low attack complexity) and publicly available exploit code (reported via Huntr bug bounty, patched in 3.8.2), this represents an immediate critical risk for organizations using MLflow model serving infrastructure. EPSS data not available, but the exploitation scenario is straightforward for adversaries with model deployment access.
Command injection in Totolink A3300R firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via manipulation of the pptpPassThru parameter in the setVpnPassCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (medium severity) with network-accessible attack vector and low complexity; publicly available exploit code exists, making this an actionable threat for affected deployments.
Command injection in Totolink A3300R router firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via a crafted ip parameter in the setStaticRoute function of /cgi-bin/cstecgi.cgi. The vulnerability carries a CVSS score of 6.3 (medium severity) with public exploit code available, enabling potential compromise of router configuration and data integrity.
Remote command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the enable parameter in the setUPnPCfg function at /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the vulnerability has a CVSS score of 6.3 with confirmed proof-of-concept demonstrated on GitHub.
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary system commands via the qos_up_bw parameter in the setSmartQosCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (medium severity) with low attack complexity, and publicly available exploit code exists, though no active exploitation via CISA KEV has been confirmed at time of analysis.
Remote code execution in Roo Code's command auto-approval module allows unauthenticated attackers to bypass the whitelist security mechanism via shell command substitution in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(...) and backtick syntax, enabling an attacker to inject malicious commands (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS scoring, KEV status, or official patch information is currently available.
Remote code execution in Syntx's command auto-approval module allows unauthenticated attackers to bypass whitelist security via shell command substitution syntax in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(…) and backtick command substitution patterns, enabling an attacker to inject malicious commands within seemingly benign git operations (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS score or KEV status data available; no public exploit code confirmed at time of analysis.
Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding newline characters in command payloads, forcing automatic approval and sequential execution of arbitrary OS commands via PowerShell without user interaction.
Command injection in Totolink A3300R firmware versions up to 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the lanIp parameter in the setLanCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists for this vulnerability. With a CVSS score of 5.3 and moderate real-world exploitability, this presents a meaningful risk to affected router installations.
Command injection in NSA Ghidra (versions before 12.0.3) executes arbitrary commands when analysts click on maliciously crafted binary comments. Attackers embed @execute annotation directives in binary data (e.g., CFStrings in Mach-O files) that Ghidra auto-extracts and renders as clickable UI elements, bypassing the intended trust boundary for user-authored annotations. No public exploit identified at time of analysis, though the attack vector is well-documented in vendor advisory. EPSS data not available; CVSS 8.8 reflects high impact contingent on user interaction with a weaponized binary file.
Remote code execution with root privileges affects Xiongmai DVR/NVR devices (models AHB7008T-MH-V2 and NBD7024H-P running firmware 4.03.R11) via authenticated OS command injection through the proprietary DVRIP protocol on TCP port 34567. Low-privileged authenticated attackers can inject shell metacharacters into the HostName parameter of NetWork.NetCommon configuration requests, achieving full system compromise due to unsafe system() function usage. CVSS 8.8 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.
Command injection in njzjz/wenxian GitHub Actions workflow allows unauthenticated remote attackers to execute arbitrary code on CI/CD runners via malicious issue comments. The workflow directly interpolates untrusted user input from issue_comment.body into shell commands without sanitization, enabling attackers to break out of command context and run arbitrary commands. Publicly available exploit code exists with working proof-of-concept demonstrating execution of injected commands. EPSS data not available, but the low attack complexity (AC:L) and unauthenticated access (PR:N) combined with confirmed POC make this a critical risk for any deployment using the vulnerable workflow.
Command injection in code-projects Chamber of Commerce Membership Management System 1.0 allows authenticated remote attackers with high privileges to execute arbitrary commands via manipulation of the mailSubject and mailMessage parameters in the admin/pageMail.php file. The vulnerability has a publicly available exploit and a moderate CVSS score of 4.7, but real-world risk is constrained by the requirement for high-privilege authenticated access.
Command injection in Totolink NR1800X firmware 9.1.0u.6279_B20210910 allows authenticated remote attackers to execute arbitrary commands via the host_time parameter in the NTPSyncWithHost function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (medium severity) with publicly available exploit code, though it requires valid login credentials to exploit. Real-world risk is moderate given the authentication requirement and moderate EPSS probability (indicated by E:P in vector).
OS command injection in DeDeveloper23 codebase-mcp allows local authenticated attackers to execute arbitrary system commands through the getCodebase, getRemoteCodebase, and saveCodebase functions in src/tools/codebase.ts. The vulnerability affects all versions up to commit 3ec749d237dd8eabbeef48657cf917275792fde6, with publicly available exploit code disclosed via GitHub issue #7. Given the local attack requirement and authenticated privilege escalation prerequisite (PR:L), real-world exploitation requires an already-compromised local account with legitimate tool access, though EPSS score of 5.3 reflects moderate practical risk in shared development environments.
Command injection in Totolink A3600R firmware 4.1.2cu.5182_B20201102 allows authenticated remote attackers to execute arbitrary commands via the NoticeUrl parameter in the setNoticeCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (low-to-medium severity) but is confirmed by publicly available exploit code, making it an active threat to deployed devices despite the authentication requirement.
Operating system command injection in elecV2P up to version 3.8.3 allows unauthenticated remote attackers to execute arbitrary commands through the pm2run function in the /rpc endpoint. The vulnerability has a CVSS score of 6.9 with publicly available exploit code, though the vendor has not yet responded to early notification of the issue. This represents a moderate-to-high risk for exposed elecV2P instances due to the combination of remote exploitability, low attack complexity, and confirmed public exploit availability.
OS command injection in kazuph mcp-docs-rag through version 0.5.0 allows local attackers with limited privileges to execute arbitrary commands via the cloneRepository function in src/index.ts. The vulnerability affects the add_git_repository and add_text_file components, with publicly available exploit code demonstrating the attack. No vendor patch has been released despite early notification through a GitHub issue.
Remote code execution in gematik Authenticator (macOS) versions 4.12.0 through 4.15.x enables malicious file-triggered command injection when victims open crafted documents. This CWE-78 OS command injection flaw requires no authentication but depends on user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). No public exploit identified at time of analysis; EPSS data not available. The authenticator serves German digital health applications, making this a high-impact target for healthcare sector attacks.
Remote code execution with root privileges in Pi-hole Admin Interface versions prior to 6.0 allows unauthenticated attackers to execute arbitrary system commands. The vulnerability stems from unsanitized user input in the 'webtheme' parameter being concatenated directly into sudo-privileged exec() calls in savesettings.php. With CVSS 8.9 (Critical), network-accessible attack vector, and low complexity, this represents a severe compromise risk for Pi-hole deployments exposed to untrusted networks. Proof-of-concept code exists (CVSS E:P metric indicates exploitation proof available).
Command injection in Flannel's experimental Extension backend allows authenticated Kubernetes users with node annotation privileges to execute arbitrary commands as root on all flannel nodes in the cluster. This affects Flannel versions prior to 0.28.2 using the Extension backend; other backends (vxlan, wireguard) are unaffected. No public exploit identified at time of analysis, but CVSS 7.5 reflects high impact once node annotation access is achieved. EPSS data not available for this recent CVE (the 2026 designation appears to be an error; the actual advisory is from 2025).
Command injection in nektos/act (GitHub Actions local runner) allows attackers to execute arbitrary code by embedding deprecated workflow commands in untrusted input. Act versions prior to 0.2.86 unconditionally process ::set-env:: and ::add-path:: commands that GitHub Actions disabled in 2020, enabling PATH hijacking and environment variable injection when workflows echo PR titles, branch names, or commit messages. Publicly available exploit code exists with working proof-of-concept demonstrating NODE_OPTIONS and LD_PRELOAD injection vectors. This creates a critical supply chain risk where workflows safe on GitHub Actions become exploitable when developers test them locally with act.
Fleet device management software versions prior to 4.81.1 are vulnerable to command injection in the software installer pipeline, enabling remote attackers with high privileges to achieve arbitrary code execution as root on macOS/Linux or SYSTEM on Windows when triggering uninstall operations on crafted software packages. The vulnerability requires high privileges and user interaction but delivers complete system compromise on affected managed hosts. No public exploit code or active exploitation has been identified at time of analysis.
OS command injection in NEC Platforms Aterm wireless router series (models WX1500HP and WX3600HP) permits authenticated network attackers with high privileges to execute arbitrary operating system commands on affected devices. The vulnerability requires user interaction and high attack complexity (CVSS 4.0 score 7.1), with no public exploit identified at time of analysis. NEC Platforms has published a security advisory detailing the issue.
Multiple NEC Aterm wireless router models are vulnerable to OS command injection that enables network-based attackers with high privileges and user interaction to execute arbitrary operating system commands. The vulnerability carries a CVSS 4.0 score of 7.1 and affects at least eight router models in the Aterm series including WG2600HS, WF1200CR, WG1200CR, WG2600HP4, WG2600HM4, WG2600HS2, WX3000HP, and WX3000HP2. No public exploit identified at time of analysis, though exploitation requires both elevated privileges and user interaction which reduces immediate risk.
Remote OS command injection in BUFFALO Wi-Fi router products allows unauthenticated attackers to execute arbitrary operating system commands with user interaction required. The vulnerability affects multiple BUFFALO Wi-Fi router models as confirmed by CPE designation and carries a CVSS score of 8.8 (High severity). While attack complexity is low and no privileges are required, successful exploitation depends on user interaction, reducing immediate attack surface. No public exploit identified at time of analysis, and exploitation probability metrics are not available in provided intelligence.
CodeRider-Kilo's command auto-approval module fails to correctly parse Windows CMD escape sequences (^), allowing attackers to bypass its Git command whitelist and achieve arbitrary remote code execution. The vulnerability exploits a mismatch between the Unix-based shell-quote parser used for validation and the actual Windows CMD interpreter behavior, enabling attackers to inject malicious commands through crafted payloads such as git log ^" & malicious_command ^". No public exploit code or active exploitation has been confirmed at the time of analysis.
A command injection vulnerability exists in the command auto-approval module in Axon Code (CVSS 9.8), rated critical severity with potential for significant impact on affected systems.
Unauthenticated remote code execution as root is possible in thingino-firmware through the WiFi captive portal CGI script due to command injection in query and POST parameter parsing. Attackers on the adjacent network (AV:A) can inject arbitrary commands through unsanitized HTTP parameter names, enabling full device takeover including root password reset and SSH key manipulation for persistent access. No public exploit is identified at time of analysis, though VulnCheck has published an advisory detailing the vulnerability mechanics.
Langflow's Agentic Assistant feature executes LLM-generated Python code server-side during component validation, enabling arbitrary code execution when attackers can influence model outputs. The vulnerability affects the pip package 'langflow' and exists in endpoints /assist and streaming paths that invoke exec() on dynamically generated component code. A proof-of-concept exists demonstrating the execution chain from user input through validation to code execution. Authentication requirements depend on deployment configuration, with AUTO_LOGIN=true defaults potentially widening exposure. No public exploit identified at time of analysis beyond the documented PoC, though the technical details and code references provide a complete exploitation blueprint.
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vectors including Cross-Site Scripting (XSS), SQL Injection, and Command Injection. Authenticated attackers can exploit this vulnerability to inject and execute arbitrary code within the application context. No public exploit code or active exploitation has been identified at time of analysis, and the moderate CVSS score of 3.5 reflects limited confidentiality impact with user interaction required.