Skip to main content

Command Injection

7746 CVEs technique

Monthly

CVE-2025-7525 LOW POC Monitor

A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been declared as critical. This vulnerability affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument command leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
1.6%
CVE-2025-7524 LOW POC Monitor

A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been classified as critical. This affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
1.6%
CVE-2013-3307 HIGH POC PATCH This Week

CVE-2013-3307 is an OS command injection vulnerability in Linksys wireless routers (E1000, E1200, E3200) that allows unauthenticated remote attackers to execute arbitrary shell commands via unsanitized input in the ping_ip parameter of apply.cgi on port 52000. The vulnerability affects E1000 through v2.1.02, E1200 before v2.0.05, and E3200 through v1.0.04, with a CVSS score of 8.3 reflecting high severity. This vulnerability has known public exploits and represents a critical remote code execution risk on home/small business networking equipment with no authentication required.

Command Injection
NVD Exploit-DB
CVSS 3.1
8.3
EPSS
2.6%
CVE-2025-52988 MEDIUM PATCH This Month

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a high privileged, local attacker to escalated their privileges to root. When a user provides specifically crafted arguments to the 'request system logout' command, these will be executed as root on the shell, which can completely compromise the device. This issue affects: Junos OS:  * all versions before 21.2R3-S9, * 21.4 versions before 21.4R3-S8, * 22.2 versions before 22.2R3-S6, * 22.3 versions before 22.3R3-S3, * 22.4 versions before 22.4R3-S6, * 23.2 versions before 23.2R2-S1, * 23.4 versions before 23.4R1-S2, 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S6-EVO, * 23.2-EVO versions before 23.2R2-S1-EVO, * 23.4-EVO versions before 23.4R1-S2-EVO, 23.4R2-EVO.

Juniper Command Injection Junos Junos Os Evolved
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-52994 PHP MEDIUM This Month

gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709.

PHP Command Injection
NVD GitHub
CVSS 3.1
4.9
EPSS
0.2%
CVE-2025-50123 HIGH This Week

CVE-2025-50123 is a code injection vulnerability (CWE-94) in an unspecified server product that allows remote command execution when accessed via console by a privileged account through malicious hostname input. The vulnerability has a CVSS 4.0 score of 7.2 and requires physical access and high privileges, significantly limiting real-world exploitability despite the high impact potential. KEV status and EPSS scoring data are unavailable in provided intelligence, but the physical attack vector and high privilege requirement suggest this poses limited risk in typical network environments.

RCE Code Injection Privilege Escalation Command Injection
NVD
CVSS 4.0
7.2
EPSS
0.0%
CVE-2025-50121 CRITICAL Act Now

CVE-2025-50121 is an OS command injection vulnerability (CWE-78) in an unspecified product that allows unauthenticated remote attackers to achieve remote code execution by creating a malicious folder through the web interface when HTTP is enabled. With a CVSS 9.5 score and network-based attack vector requiring minimal complexity, this represents a critical vulnerability; however, real-world risk is substantially mitigated by the requirement that HTTP must be explicitly enabled (disabled by default). No active KEV status, EPSS data, or public POC availability has been confirmed from the provided intelligence.

RCE Command Injection
NVD
CVSS 4.0
9.5
EPSS
0.7%
CVE-2025-53637 MEDIUM PATCH This Month

Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.

RCE Command Injection Meshtastic Firmware
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2025-7415 LOW POC Monitor

A vulnerability, which was classified as critical, has been found in Tenda O3V2 1.0.0.12(3880). This issue affects the function fromTraceroutGet of the file /goform/getTraceroute of the component httpd. The manipulation of the argument dest leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Command Injection Tenda
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.6%
CVE-2025-7414 LOW POC Monitor

A vulnerability classified as critical was found in Tenda O3V2 1.0.0.12(3880). This vulnerability affects the function fromNetToolGet of the file /goform/setPingInfo of the component httpd. The manipulation of the argument domain leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Command Injection Tenda
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.7%
CVE-2025-34102 CRITICAL POC THREAT Emergency

CryptoLog PHP edition (discontinued since 2009) contains a chained SQL injection and command injection vulnerability. An unauthenticated attacker can first bypass authentication via SQLi in login.php, then exploit command injection to gain shell access as the web server user.

PHP RCE Command Injection SQLi Authentication Bypass
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
60.0%
Threat
5.2
CVE-2025-34101 CRITICAL POC THREAT Emergency

Serviio Media Server versions 1.4 through 1.8 on Windows contain an unauthenticated command injection in the /rest/action API endpoint. The checkStreamUrl method passes the VIDEO parameter directly to cmd.exe without sanitization, enabling remote code execution on the media server.

Microsoft Command Injection Windows
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
53.9%
Threat
5.0
CVE-2025-34099 CRITICAL POC THREAT Emergency

VICIdial call center software versions 2.9 RC1 through 2.13 RC1 contain an unauthenticated command injection in vicidial_sales_viewer.php when password encryption is enabled. The HTTP Basic Authentication password is passed directly to OS commands without sanitization, enabling remote code execution on the call center server.

PHP Command Injection
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
20.0%
Threat
4.0
CVE-2025-34095 CRITICAL POC THREAT Emergency

Mako Server versions 2.5 and 2.6 contain an unauthenticated OS command injection via the tutorial interface at examples/save.lsp. Attackers can send crafted PUT requests with arbitrary Lua os.execute() code that is persisted on disk and executed, achieving remote code execution on the embedded web server.

Microsoft Command Injection Windows
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
45.4%
Threat
4.7
CVE-2025-34093 HIGH POC PATCH THREAT Act Now

Polycom HDX Series video conferencing systems contain an authenticated command injection in the LAN traceroute function. The devcmds console accessible over Telnet allows injection of shell metacharacters through the traceroute target parameter, enabling arbitrary command execution on the conferencing endpoint.

RCE Command Injection
NVD Exploit-DB
CVSS 4.0
7.5
EPSS
46.6%
Threat
4.4
CVE-2025-53542 HIGH PATCH This Week

CVE-2025-53542 is a command injection vulnerability in Headlamp's macOS packaging workflow (codeSign.js) where unsanitized environment variables and config values are passed directly to Node.js execSync() without proper escaping, allowing local attackers to execute arbitrary commands. This affects Headlamp versions prior to 0.31.1, and while no active KEV or confirmed public POC is mentioned in available data, the vulnerability has a moderate-to-high CVSS score of 7.7 with user interaction required, making it a realistic threat in CI/CD and development environments.

Node.js Command Injection RCE macOS Kubernetes
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-27613 LOW PATCH Monitor

Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Command Injection Ubuntu Debian
NVD GitHub
CVSS 3.1
3.6
EPSS
0.0%
CVE-2025-7407 LOW POC Monitor

A vulnerability, which was classified as critical, was found in Netgear D6400 1.0.0.114. This affects an unknown part of the file diag.cgi. The manipulation of the argument host_name leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early and confirmed the existence of the vulnerability. They reacted very quickly, professional and kind. This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection Netgear
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.8%
CVE-2025-6514 npm CRITICAL POC PATCH Act Now

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL

Command Injection
NVD GitHub
CVSS 3.1
9.6
EPSS
1.2%
CVE-2025-3499 CRITICAL PATCH Act Now

The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS command injection through these APIs, an attacker can send arbitrary commands that are executed with administrative permissions by the underlying operating system.

Command Injection
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2025-49537 HIGH This Week

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by a high-privileged attacker. Exploitation of this issue requires user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.

RCE Command Injection Coldfusion
NVD
CVSS 3.1
7.9
EPSS
0.1%
CVE-2025-7192 LOW POC Monitor

A vulnerability was found in D-Link DIR-645 up to 1.05B01 and classified as critical. This issue affects the function ssdpcgi_main of the file /htdocs/cgibin of the component ssdpcgi. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection D-Link
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-53355 npm HIGH PATCH This Week

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. A command injection vulnerability exists in the mcp-server-kubernetes MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. This vulnerability is fixed in 2.5.0.

RCE Command Injection Kubernetes
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-37102 HIGH This Week

An authenticated command injection vulnerability exists in the Command line interface of HPE Networking Instant On Access Points. A successful exploitation could allow a remote attacker with elevated privileges to execute arbitrary commands on the underlying operating system as a highly privileged user.

Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-6771 HIGH Act Now

OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution

RCE Command Injection Ivanti Endpoint Manager Mobile
NVD
CVSS 3.1
7.2
EPSS
20.8%
CVE-2025-6770 HIGH Act Now

OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution

RCE Command Injection Ivanti Endpoint Manager Mobile
NVD
CVSS 3.1
7.2
EPSS
12.0%
CVE-2025-53372 npm HIGH PATCH This Week

node-code-sandbox-mcp is a Node.js-based Model Context Protocol server that spins up disposable Docker containers to execute arbitrary JavaScript. Prior to 1.3.0, a command injection vulnerability exists in the node-code-sandbox-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges on the host machine, bypassing the sandbox protection of running code inside docker. This vulnerability is fixed in 1.3.0.

RCE Node.js Command Injection Docker
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-25269 HIGH PATCH This Week

An unauthenticated local attacker can inject a command that is subsequently executed as root, leading to a privilege escalation.

Command Injection Privilege Escalation Charx Sec 3000 Firmware Charx Sec 3150 Firmware Charx Sec 3100 Firmware +1
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-7154 LOW POC Monitor

A vulnerability, which was classified as critical, has been found in TOTOLINK N200RE 9.3.5u.6095_B20200916/9.3.5u.6139_B20201216. Affected by this issue is the function sub_41A0F8 of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument Hostname leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
2.0%
CVE-2025-20319 MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.<br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information.

Command Injection Splunk
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-53376 HIGH PATCH This Week

Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure docker.getContainersByAppNameMatch interpolates the attacker-supplied appName value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account. This vulnerability is fixed in 0.23.7.

Command Injection Docker Dokploy
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-3705 MEDIUM This Month

A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive.

Command Injection
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-3626 CRITICAL Act Now

A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI.

Command Injection
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-48501 CRITICAL Act Now

An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, an arbitrary OS commands may be executed on the server where the product is running.

Command Injection
NVD
CVSS 3.0
9.8
EPSS
0.2%
CVE-2025-7145 HIGH This Week

ThreatSonar Anti-Ransomware developed by TeamT5 has an OS Command Injection vulnerability, allowing remote attackers with product platform intermediate privileges to inject arbitrary OS commands and execute them on the server, thereby gaining administrative access to the remote host.

Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-7097 HIGH POC This Week

A vulnerability, which was classified as critical, has been found in Comodo Internet Security Premium 12.3.4.8162. This issue affects some unknown processing of the file cis_update_x64.xml of the component Manifest File Handler. The manipulation of the argument binary/params leads to os command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection Internet Security
NVD VulDB
CVSS 3.1
8.1
EPSS
0.8%
CVE-2025-7083 LOW POC Monitor

A vulnerability was found in Belkin F9K1122 1.00.33. It has been classified as critical. This affects the function mp of the file /goform/mp of the component webs. The manipulation of the argument command leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
1.1%
CVE-2025-7082 LOW POC Monitor

A vulnerability was found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this issue is the function formBSSetSitesurvey of the file /goform/formBSSetSitesurvey of the component webs. The manipulation of the argument wan_ipaddr/wan_netmask/wan_gateway/wl_ssid is directly passed by the attacker/so we can control the wan_ipaddr/wan_netmask/wan_gateway/wl_ssid leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
1.1%
CVE-2025-7081 LOW POC Monitor

A vulnerability has been found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this vulnerability is the function formSetWanStatic of the file /goform/formSetWanStatic of the component webs. The manipulation of the argument m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 is directly passed by the attacker/so we can control the m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
1.1%
CVE-2025-47228 MEDIUM POC This Month

In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), shell injection in the SSH connection settings allows authenticated attackers to execute system commands via crafted HTTP requests.

Command Injection
NVD GitHub Exploit-DB
CVSS 3.1
6.7
EPSS
5.2%
CVE-2025-34088 HIGH POC THREAT Act Now

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.

PHP RCE Command Injection Pandora Fms
NVD GitHub Exploit-DB
CVSS 4.0
8.6
EPSS
49.7%
Threat
4.7
CVE-2025-34087 HIGH POC THREAT Act Now

Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When adding a domain, the domain parameter is passed to OS commands without sanitization, allowing administrators to execute arbitrary commands with the Pi-hole daemon's privileges.

Command Injection Pi Hole
NVD GitHub
CVSS 3.1
8.8
EPSS
46.7%
Threat
4.7
CVE-2025-34082 CRITICAL POC PATCH THREAT Act Now

A command injection vulnerability exists in IGEL OS versions prior to 11.04.270 within the Secure Terminal and Secure Shadow services. The flaw arises due to improper input sanitization in the handling of specially crafted PROXYCMD commands on TCP ports 30022 and 5900. An unauthenticated attacker with network access to a vulnerable device can inject arbitrary commands, leading to remote code execution with elevated privileges. NOTE: IGEL OS v10.x has reached end-of-life (EOL) status.

RCE Command Injection
NVD
CVSS 4.0
9.3
EPSS
46.0%
Threat
4.7
CVE-2025-20308 MEDIUM This Month

A vulnerability in Cisco Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. This vulnerability is due to insufficient restrictions during the execution of specific CLI commands. An attacker could exploit this vulnerability by logging in to the Cisco Spaces Connector CLI as the spacesadmin user and executing a specific command with crafted parameters. A successful exploit could allow the attacker to elevate privileges from the spacesadmin user and execute arbitrary commands on the underlying operating system as root.

Cisco Command Injection Spaces Connector
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-34073 CRITICAL POC THREAT Emergency

Maltrail network traffic analysis tool versions through 0.54 contain an unauthenticated OS command injection via the username parameter in POST requests to the /login endpoint. The input is passed to subprocess.check_output() without sanitization, enabling remote code execution on the security monitoring server.

Command Injection
NVD GitHub
CVSS 4.0
10.0
EPSS
54.2%
Threat
5.1
CVE-2025-24333 MEDIUM This Month

Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administrative shell input validation fault, which authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to baseband internal COMA_config.xml file. This issue has been corrected starting from release 24R1-SR 1.0 MP and later, by adding proper input validation to OAM service process which prevents injecting special characters via baseband internal COMA_config.xml file.

Command Injection
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-53104 CRITICAL Act Now

gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in the discussion-to-slack.yml GitHub Actions workflow. Untrusted discussion fields (title, body, etc.) were directly interpolated into shell commands in a run: block. An attacker could craft a malicious GitHub Discussion title or body (e.g., $(curl ...)) to execute arbitrary shell commands on the Actions runner. This issue has been fixed in commit e6b4271 where the discussion-to-slack.yml workflow was removed. Users should remove the discussion-to-slack.yml workflow if using a fork or derivative of this repository.

Command Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-53107 npm HIGH PATCH This Week

@cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. This issue has been patched in version 2.1.5.

RCE Command Injection
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-53100 HIGH PATCH This Week

RestDB's Codehooks.io MCP Server is an MCP server on the Codehooks.io platform. Prior to version 0.2.2, the MCP server is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tools definition and implementation. This could result in a user initiated remote command injection attack on a running MCP Server. This issue has been patched in version 0.2.2.

Command Injection
NVD GitHub
CVSS 4.0
8.6
EPSS
0.4%
CVE-2025-34056 CRITICAL POC Act Now

An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges.

Command Injection
NVD GitHub Exploit-DB
CVSS 4.0
9.4
EPSS
0.4%
CVE-2025-34055 CRITICAL POC Act Now

An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.

Command Injection
NVD GitHub Exploit-DB
CVSS 4.0
9.4
EPSS
0.4%
CVE-2025-34054 CRITICAL POC Act Now

An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.

Command Injection
NVD GitHub Exploit-DB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2025-53095 CRITICAL PATCH Act Now

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.

CSRF Command Injection Sunshine
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-52995 Go HIGH POC PATCH This Week

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. This issue has been patched in version 2.33.10.

Command Injection Filebrowser Suse
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-45931 CRITICAL POC Act Now

An issue D-Link DIR-816-A2 DIR-816A2_FWv1.10CNB05_R1B011D88210 allows a remote attacker to execute arbitrary code via system() function in the bin/goahead file

RCE Command Injection Dir 816 Firmware D-Link
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2025-26074 Maven CRITICAL PATCH Act Now

Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.

Java Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-6899 LOW POC Monitor

A vulnerability, which was classified as critical, was found in D-Link DI-7300G+ and DI-8200G 17.12.20A1/19.12.25A1. This affects an unknown part of the file msp_info.htm. The manipulation of the argument flag/cmd/iface leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection D-Link
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-6898 LOW Monitor

A vulnerability, which was classified as critical, has been found in D-Link DI-7300G+ 19.12.25A1. Affected by this issue is some unknown functionality of the file in proxy_client.asp. The manipulation of the argument proxy_srv/proxy_lanport/proxy_lanip/proxy_srvport leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Command Injection D-Link
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6897 LOW Monitor

A vulnerability classified as critical was found in D-Link DI-7300G+ 19.12.25A1. Affected by this vulnerability is an unknown functionality of the file httpd_debug.asp. The manipulation of the argument Time leads to os command injection. The exploit has been disclosed to the public and may be used.

Command Injection D-Link
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-6896 LOW POC Monitor

A vulnerability classified as critical has been found in D-Link DI-7300G+ 19.12.25A1. Affected is an unknown function of the file wget_test.asp. The manipulation of the argument url leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection D-Link
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2023-28906 HIGH This Week

A command injection in the networking service of the MIB3 infotainment allows an attacker already presenting in the system to escalate privileges and obtain administrative access to the system. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources.

Command Injection
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-53098 HIGH PATCH This Week

Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.

Command Injection Roo Code
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-6775 LOW POC PATCH Monitor

A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The patch is named e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component.

Python Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2025-6522 MEDIUM This Month

Unauthenticated users on an adjacent network with the Sight Bulb Pro can run shell commands as root through a vulnerable proprietary TCP protocol available on Port 16668. This vulnerability allows an attacker to run arbitrary commands on the Sight Bulb Pro by passing a well formed JSON string.

Command Injection
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-5306 CRITICAL POC THREAT Emergency

Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778

Command Injection Pandora Fms
NVD
CVSS 3.1
9.8
EPSS
44.2%
Threat
4.8
CVE-2025-36529 HIGH This Week

An OS command injection issue exists in multiple versions of TB-eye network recorders and AHD recorders. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who is logging in to the device.

Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-52904 Go HIGH POC PATCH GHSA This Week

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0 of the web application, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. Fix is tracked on pull request 5199.

Command Injection
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-52903 Go HIGH POC PATCH GHSA This Week

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0, the Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. The fix is tracked on pull request 5199.

RCE Command Injection
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.4%
CVE-2025-34049 CRITICAL POC Act Now

An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

RCE Command Injection
NVD Exploit-DB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2025-34044 CRITICAL Act Now

A remote command injection vulnerability exists in the confirm.php interface of the WIFISKY 7-layer Flow Control Router via a specially-crafted HTTP GET request to the t parameter. Insufficient input validation allows unauthenticated attackers to execute arbitrary OS commands. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-25 UTC.

PHP Command Injection
NVD GitHub
CVSS 4.0
9.4
EPSS
0.3%
CVE-2025-34043 CRITICAL POC Act Now

A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi script. The vulnerability allows unauthenticated attackers to pass arbitrary commands to the underlying operating system via crafted HTTP requests. These commands are executed with the privileges of the web server process, enabling remote code execution and potential full device compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

RCE Command Injection
NVD
CVSS 4.0
10.0
EPSS
0.6%
CVE-2025-34042 CRITICAL Act Now

An authenticated command injection vulnerability exists in the Beward N100 IP Camera firmware version M2.1.6.04C014 via the ServerName and TimeZone parameters in the servetest CGI page. An attacker with access to the web interface can inject arbitrary system commands into these parameters, which are unsafely embedded into backend system calls without proper input sanitization. Successful exploitation results in remote code execution with root privileges. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-02 UTC.

RCE Command Injection
NVD
CVSS 4.0
9.4
EPSS
0.5%
CVE-2025-52573 npm MEDIUM PATCH This Month

iOS Simulator MCP Server (ios-simulator-mcp) is a Model Context Protocol (MCP) server for interacting with iOS simulators. Versions prior to 1.3.3 are written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `ui_tap` which relies on Node.js child process API `exec` which is an unsafe and vulnerable API if concatenated with untrusted user input. LLM exposed user input for `duration`, `udid`, and `x` and `y` args can be replaced with shell meta-characters like `;` or `&&` or others to change the behavior from running the expected command `idb` to another command. When LLMs are tricked through prompt injection (and other techniques and attack vectors) to call the tool with input that uses special shell characters such as `; rm -rf /tmp;#` and other payload variations, the full command-line text will be interepted by the shell and result in other commands except of `ps` executing on the host running the MCP Server. Version 1.3.3 contains a patch for the issue.

Node.js Apple Command Injection iOS
NVD GitHub
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-6562 HIGH This Week

Certain hybrid DVR models (HBF-09KD and HBF-16NK) from Hunt Electronic have an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary OS commands and execute them on the device.

Command Injection
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-5459 HIGH PATCH This Week

A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.

Command Injection Debian Puppet Enterprise
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-6621 LOW POC Monitor

A vulnerability classified as critical has been found in TOTOLINK CA300-PoE 6.2c.884. This affects the function QuickSetting of the file ap.so. The manipulation of the argument hour/minute leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
2.5%
CVE-2025-6620 LOW POC Monitor

A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been rated as critical. Affected by this issue is the function setUpgradeUboot of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
2.5%
CVE-2025-6619 LOW POC Monitor

A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been declared as critical. Affected by this vulnerability is the function setUpgradeFW of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
2.5%
CVE-2025-6618 LOW POC Monitor

A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been classified as critical. Affected is the function SetWLanApcliSettings of the file wps.so. The manipulation of the argument PIN leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
2.5%
CVE-2025-52483 CRITICAL PATCH Act Now

Registrator, a GitHub app automating Julia package registration, contains critical shell injection and argument injection vulnerabilities in versions prior to 1.9.5 that can be exploited through malicious or injected clone URLs returned by GitHub. An unauthenticated remote attacker can achieve arbitrary code execution on systems running vulnerable versions with no user interaction required. No public exploits are confirmed, but the vulnerability is trivial to exploit given the direct code paths involved.

Command Injection RCE Code Injection Github Python +1
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-48890 CRITICAL Act Now

CVE-2025-48890 is a critical OS command injection vulnerability in the miniigd SOAP service affecting WRH-733GBK and WRH-733GWH network storage devices. Remote unauthenticated attackers can execute arbitrary OS commands by sending specially crafted requests, achieving complete system compromise (CVSS 9.8). With an attack vector of Network/Low complexity/No privileges required, this vulnerability poses immediate risk to exposed devices.

Command Injection RCE IoT Netgear
NVD
CVSS 3.0
9.8
EPSS
0.4%
CVE-2025-43879 CRITICAL Act Now

CVE-2025-43879 is a critical OS command injection vulnerability in Whirlpool refrigerator models WRH-733GBK and WRH-733GWH that allows unauthenticated remote attackers to execute arbitrary operating system commands via the telnet function. With a CVSS 9.8 score and network-accessible attack vector requiring no authentication or user interaction, this vulnerability poses immediate risk to any connected affected appliance. The vulnerability's presence in IoT/appliance firmware suggests potential for botnet recruitment, lateral network movement, or data exfiltration from vulnerable devices.

Command Injection
NVD
CVSS 3.0
9.8
EPSS
0.4%
CVE-2025-41427 HIGH This Week

A command injection vulnerability in Connection Diagnostics page (CVSS 8.8). High severity vulnerability requiring prompt remediation.

Command Injection TP-Link RCE Authentication Bypass
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2025-6559 CRITICAL Act Now

CVE-2025-6559 is an unauthenticated OS Command Injection vulnerability affecting multiple Sapido wireless router models that are out of support. Remote attackers can inject and execute arbitrary operating system commands with no authentication required, achieving complete system compromise. The CVSS 9.8 Critical severity reflects the trivial attack vector (network-accessible, no user interaction required) and complete impact on confidentiality, integrity, and availability.

Command Injection
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-34041 CRITICAL Act Now

An OS command injection vulnerability exists in the Chinese versions of Sangfor Endpoint Detection and Response (EDR) management platform versions 3.2.16, 3.2.17, and 3.2.19. The vulnerability allows unauthenticated attackers to construct and send malicious HTTP requests to the EDR Manager interface, leading to arbitrary command execution with elevated privileges. This flaw only affects the Chinese-language EDR builds. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Command Injection
NVD
CVSS 4.0
10.0
EPSS
2.3%
CVE-2025-34037 CRITICAL POC PATCH THREAT Act Now

Multiple Linksys E-Series router models contain an unauthenticated OS command injection vulnerability in the /tmUnblock.cgi and /hndUnblock.cgi endpoints accessible on port 8080. The ttcp_ip parameter is passed directly to a system shell without sanitization, enabling remote root-level command execution on the router.

RCE Command Injection
NVD Exploit-DB VulDB
CVSS 4.0
10.0
EPSS
81.5%
Threat
5.9
CVE-2025-34036 CRITICAL POC THREAT Emergency

White-labeled DVRs manufactured by TVT contain an unauthenticated OS command injection in the 'Cross Web Server' HTTP service on ports 81/82. The URI path handling for language extraction fails to sanitize input, enabling remote attackers to execute arbitrary commands on the surveillance DVR.

Command Injection RCE Authentication Bypass Td 2932td Hp Firmware Td 2108ts Cl Firmware +28
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
10.9%
CVE-2025-34035 CRITICAL POC Act Now

CVE-2025-34035 is a critical OS command injection vulnerability in EnGenius EnShare Cloud Service versions 1.4.11 and earlier, affecting the usbinteract.cgi script which fails to sanitize the 'path' parameter. Unauthenticated remote attackers can inject arbitrary shell commands executed with root privileges, resulting in complete system compromise. Active exploitation has been documented by the Shadowserver Foundation as of 2024-12-05, indicating real-world threat activity.

Command Injection Esr900 Firmware Esr1200 Firmware Esr350 Firmware Esr300 Firmware +3
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
7.6%
CVE-2025-34033 HIGH POC This Week

CVE-2025-34033 is an OS command injection vulnerability in Blue Angel Software Suite's webctrl.cgi script that allows authenticated attackers to execute arbitrary commands as root via unsanitized input to the ping_addr parameter. The vulnerability affects embedded Linux devices running the Blue Angel Software Suite, and successful exploitation grants complete system compromise with command output visible in the web interface. Active exploitation was confirmed by Shadowserver Foundation on 2025-01-26, with CVSS 8.8 severity and root-level code execution impact.

Command Injection Blue Angel Software Suite
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-2172 MEDIUM This Month

Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 fail to sanitize user input prior to passing the input to command line utilities, allowing command injection via special characters in filenames

Command Injection
NVD GitHub
CVSS 4.0
6.6
EPSS
0.3%
EPSS 2% CVSS 2.1
LOW POC Monitor

A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been declared as critical. This vulnerability affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument command leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
EPSS 2% CVSS 2.1
LOW POC Monitor

A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been classified as critical. This affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
EPSS 3% CVSS 8.3
HIGH POC PATCH This Week

CVE-2013-3307 is an OS command injection vulnerability in Linksys wireless routers (E1000, E1200, E3200) that allows unauthenticated remote attackers to execute arbitrary shell commands via unsanitized input in the ping_ip parameter of apply.cgi on port 52000. The vulnerability affects E1000 through v2.1.02, E1200 before v2.0.05, and E3200 through v1.0.04, with a CVSS score of 8.3 reflecting high severity. This vulnerability has known public exploits and represents a critical remote code execution risk on home/small business networking equipment with no authentication required.

Command Injection
NVD Exploit-DB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a high privileged, local attacker to escalated their privileges to root. When a user provides specifically crafted arguments to the 'request system logout' command, these will be executed as root on the shell, which can completely compromise the device. This issue affects: Junos OS:  * all versions before 21.2R3-S9, * 21.4 versions before 21.4R3-S8, * 22.2 versions before 22.2R3-S6, * 22.3 versions before 22.3R3-S3, * 22.4 versions before 22.4R3-S6, * 23.2 versions before 23.2R2-S1, * 23.4 versions before 23.4R1-S2, 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S6-EVO, * 23.2-EVO versions before 23.2R2-S1-EVO, * 23.4-EVO versions before 23.4R1-S2-EVO, 23.4R2-EVO.

Juniper Command Injection Junos +1
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709.

PHP Command Injection
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

CVE-2025-50123 is a code injection vulnerability (CWE-94) in an unspecified server product that allows remote command execution when accessed via console by a privileged account through malicious hostname input. The vulnerability has a CVSS 4.0 score of 7.2 and requires physical access and high privileges, significantly limiting real-world exploitability despite the high impact potential. KEV status and EPSS scoring data are unavailable in provided intelligence, but the physical attack vector and high privilege requirement suggest this poses limited risk in typical network environments.

RCE Code Injection Privilege Escalation +1
NVD
EPSS 1% CVSS 9.5
CRITICAL Act Now

CVE-2025-50121 is an OS command injection vulnerability (CWE-78) in an unspecified product that allows unauthenticated remote attackers to achieve remote code execution by creating a malicious folder through the web interface when HTTP is enabled. With a CVSS 9.5 score and network-based attack vector requiring minimal complexity, this represents a critical vulnerability; however, real-world risk is substantially mitigated by the requirement that HTTP must be explicitly enabled (disabled by default). No active KEV status, EPSS data, or public POC availability has been confirmed from the provided intelligence.

RCE Command Injection
NVD
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.

RCE Command Injection Meshtastic Firmware
NVD GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

A vulnerability, which was classified as critical, has been found in Tenda O3V2 1.0.0.12(3880). This issue affects the function fromTraceroutGet of the file /goform/getTraceroute of the component httpd. The manipulation of the argument dest leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Command Injection Tenda
NVD GitHub VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

A vulnerability classified as critical was found in Tenda O3V2 1.0.0.12(3880). This vulnerability affects the function fromNetToolGet of the file /goform/setPingInfo of the component httpd. The manipulation of the argument domain leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Command Injection Tenda
NVD GitHub VulDB
EPSS 60% 5.2 CVSS 9.3
CRITICAL POC THREAT Emergency

CryptoLog PHP edition (discontinued since 2009) contains a chained SQL injection and command injection vulnerability. An unauthenticated attacker can first bypass authentication via SQLi in login.php, then exploit command injection to gain shell access as the web server user.

PHP RCE Command Injection +2
NVD Exploit-DB
EPSS 54% 5.0 CVSS 9.3
CRITICAL POC THREAT Emergency

Serviio Media Server versions 1.4 through 1.8 on Windows contain an unauthenticated command injection in the /rest/action API endpoint. The checkStreamUrl method passes the VIDEO parameter directly to cmd.exe without sanitization, enabling remote code execution on the media server.

Microsoft Command Injection Windows
NVD Exploit-DB
EPSS 20% 4.0 CVSS 9.3
CRITICAL POC THREAT Emergency

VICIdial call center software versions 2.9 RC1 through 2.13 RC1 contain an unauthenticated command injection in vicidial_sales_viewer.php when password encryption is enabled. The HTTP Basic Authentication password is passed directly to OS commands without sanitization, enabling remote code execution on the call center server.

PHP Command Injection
NVD Exploit-DB
EPSS 45% 4.7 CVSS 9.3
CRITICAL POC THREAT Emergency

Mako Server versions 2.5 and 2.6 contain an unauthenticated OS command injection via the tutorial interface at examples/save.lsp. Attackers can send crafted PUT requests with arbitrary Lua os.execute() code that is persisted on disk and executed, achieving remote code execution on the embedded web server.

Microsoft Command Injection Windows
NVD Exploit-DB
EPSS 47% 4.4 CVSS 7.5
HIGH POC PATCH THREAT Act Now

Polycom HDX Series video conferencing systems contain an authenticated command injection in the LAN traceroute function. The devcmds console accessible over Telnet allows injection of shell metacharacters through the traceroute target parameter, enabling arbitrary command execution on the conferencing endpoint.

RCE Command Injection
NVD Exploit-DB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

CVE-2025-53542 is a command injection vulnerability in Headlamp's macOS packaging workflow (codeSign.js) where unsanitized environment variables and config values are passed directly to Node.js execSync() without proper escaping, allowing local attackers to execute arbitrary commands. This affects Headlamp versions prior to 0.31.1, and while no active KEV or confirmed public POC is mentioned in available data, the vulnerability has a moderate-to-high CVSS score of 7.7 with user interaction required, making it a realistic threat in CI/CD and development environments.

Node.js Command Injection RCE +2
NVD GitHub
EPSS 0% CVSS 3.6
LOW PATCH Monitor

Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.

Command Injection Ubuntu Debian
NVD GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

A vulnerability, which was classified as critical, was found in Netgear D6400 1.0.0.114. This affects an unknown part of the file diag.cgi. The manipulation of the argument host_name leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early and confirmed the existence of the vulnerability. They reacted very quickly, professional and kind. This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection Netgear
NVD GitHub VulDB
EPSS 1% CVSS 9.6
CRITICAL POC PATCH Act Now

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL

Command Injection
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS command injection through these APIs, an attacker can send arbitrary commands that are executed with administrative permissions by the underlying operating system.

Command Injection
NVD
EPSS 0% CVSS 7.9
HIGH This Week

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by a high-privileged attacker. Exploitation of this issue requires user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.

RCE Command Injection Coldfusion
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was found in D-Link DIR-645 up to 1.05B01 and classified as critical. This issue affects the function ssdpcgi_main of the file /htdocs/cgibin of the component ssdpcgi. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection D-Link
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. A command injection vulnerability exists in the mcp-server-kubernetes MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. This vulnerability is fixed in 2.5.0.

RCE Command Injection Kubernetes
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

An authenticated command injection vulnerability exists in the Command line interface of HPE Networking Instant On Access Points. A successful exploitation could allow a remote attacker with elevated privileges to execute arbitrary commands on the underlying operating system as a highly privileged user.

Command Injection
NVD
EPSS 21% CVSS 7.2
HIGH Act Now

OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution

RCE Command Injection Ivanti +1
NVD
EPSS 12% CVSS 7.2
HIGH Act Now

OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution

RCE Command Injection Ivanti +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

node-code-sandbox-mcp is a Node.js-based Model Context Protocol server that spins up disposable Docker containers to execute arbitrary JavaScript. Prior to 1.3.0, a command injection vulnerability exists in the node-code-sandbox-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges on the host machine, bypassing the sandbox protection of running code inside docker. This vulnerability is fixed in 1.3.0.

RCE Node.js Command Injection +1
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

An unauthenticated local attacker can inject a command that is subsequently executed as root, leading to a privilege escalation.

Command Injection Privilege Escalation Charx Sec 3000 Firmware +3
NVD
EPSS 2% CVSS 2.1
LOW POC Monitor

A vulnerability, which was classified as critical, has been found in TOTOLINK N200RE 9.3.5u.6095_B20200916/9.3.5u.6139_B20201216. Affected by this issue is the function sub_41A0F8 of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument Hostname leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.<br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information.

Command Injection Splunk
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure docker.getContainersByAppNameMatch interpolates the attacker-supplied appName value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account. This vulnerability is fixed in 0.23.7.

Command Injection Docker Dokploy
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive.

Command Injection
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI.

Command Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, an arbitrary OS commands may be executed on the server where the product is running.

Command Injection
NVD
EPSS 0% CVSS 7.2
HIGH This Week

ThreatSonar Anti-Ransomware developed by TeamT5 has an OS Command Injection vulnerability, allowing remote attackers with product platform intermediate privileges to inject arbitrary OS commands and execute them on the server, thereby gaining administrative access to the remote host.

Command Injection
NVD
EPSS 1% CVSS 8.1
HIGH POC This Week

A vulnerability, which was classified as critical, has been found in Comodo Internet Security Premium 12.3.4.8162. This issue affects some unknown processing of the file cis_update_x64.xml of the component Manifest File Handler. The manipulation of the argument binary/params leads to os command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection Internet Security
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

A vulnerability was found in Belkin F9K1122 1.00.33. It has been classified as critical. This affects the function mp of the file /goform/mp of the component webs. The manipulation of the argument command leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

A vulnerability was found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this issue is the function formBSSetSitesurvey of the file /goform/formBSSetSitesurvey of the component webs. The manipulation of the argument wan_ipaddr/wan_netmask/wan_gateway/wl_ssid is directly passed by the attacker/so we can control the wan_ipaddr/wan_netmask/wan_gateway/wl_ssid leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

A vulnerability has been found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this vulnerability is the function formSetWanStatic of the file /goform/formSetWanStatic of the component webs. The manipulation of the argument m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 is directly passed by the attacker/so we can control the m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
EPSS 5% CVSS 6.7
MEDIUM POC This Month

In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), shell injection in the SSH connection settings allows authenticated attackers to execute system commands via crafted HTTP requests.

Command Injection
NVD GitHub Exploit-DB
EPSS 50% 4.7 CVSS 8.6
HIGH POC THREAT Act Now

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.

PHP RCE Command Injection +1
NVD GitHub Exploit-DB
EPSS 47% 4.7 CVSS 8.8
HIGH POC THREAT Act Now

Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When adding a domain, the domain parameter is passed to OS commands without sanitization, allowing administrators to execute arbitrary commands with the Pi-hole daemon's privileges.

Command Injection Pi Hole
NVD GitHub
EPSS 46% 4.7 CVSS 9.3
CRITICAL POC PATCH THREAT Act Now

A command injection vulnerability exists in IGEL OS versions prior to 11.04.270 within the Secure Terminal and Secure Shadow services. The flaw arises due to improper input sanitization in the handling of specially crafted PROXYCMD commands on TCP ports 30022 and 5900. An unauthenticated attacker with network access to a vulnerable device can inject arbitrary commands, leading to remote code execution with elevated privileges. NOTE: IGEL OS v10.x has reached end-of-life (EOL) status.

RCE Command Injection
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

A vulnerability in Cisco Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. This vulnerability is due to insufficient restrictions during the execution of specific CLI commands. An attacker could exploit this vulnerability by logging in to the Cisco Spaces Connector CLI as the spacesadmin user and executing a specific command with crafted parameters. A successful exploit could allow the attacker to elevate privileges from the spacesadmin user and execute arbitrary commands on the underlying operating system as root.

Cisco Command Injection Spaces Connector
NVD
EPSS 54% 5.1 CVSS 10.0
CRITICAL POC THREAT Emergency

Maltrail network traffic analysis tool versions through 0.54 contain an unauthenticated OS command injection via the username parameter in POST requests to the /login endpoint. The input is passed to subprocess.check_output() without sanitization, enabling remote code execution on the security monitoring server.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administrative shell input validation fault, which authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to baseband internal COMA_config.xml file. This issue has been corrected starting from release 24R1-SR 1.0 MP and later, by adding proper input validation to OAM service process which prevents injecting special characters via baseband internal COMA_config.xml file.

Command Injection
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in the discussion-to-slack.yml GitHub Actions workflow. Untrusted discussion fields (title, body, etc.) were directly interpolated into shell commands in a run: block. An attacker could craft a malicious GitHub Discussion title or body (e.g., $(curl ...)) to execute arbitrary shell commands on the Actions runner. This issue has been fixed in commit e6b4271 where the discussion-to-slack.yml workflow was removed. Users should remove the discussion-to-slack.yml workflow if using a fork or derivative of this repository.

Command Injection
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

@cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. This issue has been patched in version 2.1.5.

RCE Command Injection
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

RestDB's Codehooks.io MCP Server is an MCP server on the Codehooks.io platform. Prior to version 0.2.2, the MCP server is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tools definition and implementation. This could result in a user initiated remote command injection attack on a running MCP Server. This issue has been patched in version 0.2.2.

Command Injection
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges.

Command Injection
NVD GitHub Exploit-DB
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user.

Command Injection
NVD GitHub Exploit-DB
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-04 UTC.

Command Injection
NVD GitHub Exploit-DB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.

CSRF Command Injection Sunshine
NVD GitHub
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. This issue has been patched in version 2.33.10.

Command Injection Filebrowser Suse
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue D-Link DIR-816-A2 DIR-816A2_FWv1.10CNB05_R1B011D88210 allows a remote attacker to execute arbitrary code via system() function in the bin/goahead file

RCE Command Injection Dir 816 Firmware +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.

Java Command Injection
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability, which was classified as critical, was found in D-Link DI-7300G+ and DI-8200G 17.12.20A1/19.12.25A1. This affects an unknown part of the file msp_info.htm. The manipulation of the argument flag/cmd/iface leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection D-Link
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability, which was classified as critical, has been found in D-Link DI-7300G+ 19.12.25A1. Affected by this issue is some unknown functionality of the file in proxy_client.asp. The manipulation of the argument proxy_srv/proxy_lanport/proxy_lanip/proxy_srvport leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Command Injection D-Link
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability classified as critical was found in D-Link DI-7300G+ 19.12.25A1. Affected by this vulnerability is an unknown functionality of the file httpd_debug.asp. The manipulation of the argument Time leads to os command injection. The exploit has been disclosed to the public and may be used.

Command Injection D-Link
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability classified as critical has been found in D-Link DI-7300G+ 19.12.25A1. Affected is an unknown function of the file wget_test.asp. The manipulation of the argument url leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection D-Link
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

A command injection in the networking service of the MIB3 infotainment allows an attacker already presenting in the system to escalate privileges and obtain administrative access to the system. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources.

Command Injection
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.

Command Injection Roo Code
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The patch is named e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component.

Python Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Unauthenticated users on an adjacent network with the Sight Bulb Pro can run shell commands as root through a vulnerable proprietary TCP protocol available on Port 16668. This vulnerability allows an attacker to run arbitrary commands on the Sight Bulb Pro by passing a well formed JSON string.

Command Injection
NVD
EPSS 44% 4.8 CVSS 9.8
CRITICAL POC THREAT Emergency

Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778

Command Injection Pandora Fms
NVD
EPSS 0% CVSS 7.2
HIGH This Week

An OS command injection issue exists in multiple versions of TB-eye network recorders and AHD recorders. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who is logging in to the device.

Command Injection
NVD
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0 of the web application, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. Fix is tracked on pull request 5199.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0, the Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. The fix is tracked on pull request 5199.

RCE Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

RCE Command Injection
NVD Exploit-DB
EPSS 0% CVSS 9.4
CRITICAL Act Now

A remote command injection vulnerability exists in the confirm.php interface of the WIFISKY 7-layer Flow Control Router via a specially-crafted HTTP GET request to the t parameter. Insufficient input validation allows unauthenticated attackers to execute arbitrary OS commands. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-25 UTC.

PHP Command Injection
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi script. The vulnerability allows unauthenticated attackers to pass arbitrary commands to the underlying operating system via crafted HTTP requests. These commands are executed with the privileges of the web server process, enabling remote code execution and potential full device compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

RCE Command Injection
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

An authenticated command injection vulnerability exists in the Beward N100 IP Camera firmware version M2.1.6.04C014 via the ServerName and TimeZone parameters in the servetest CGI page. An attacker with access to the web interface can inject arbitrary system commands into these parameters, which are unsafely embedded into backend system calls without proper input sanitization. Successful exploitation results in remote code execution with root privileges. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-02 UTC.

RCE Command Injection
NVD
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

iOS Simulator MCP Server (ios-simulator-mcp) is a Model Context Protocol (MCP) server for interacting with iOS simulators. Versions prior to 1.3.3 are written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `ui_tap` which relies on Node.js child process API `exec` which is an unsafe and vulnerable API if concatenated with untrusted user input. LLM exposed user input for `duration`, `udid`, and `x` and `y` args can be replaced with shell meta-characters like `;` or `&&` or others to change the behavior from running the expected command `idb` to another command. When LLMs are tricked through prompt injection (and other techniques and attack vectors) to call the tool with input that uses special shell characters such as `; rm -rf /tmp;#` and other payload variations, the full command-line text will be interepted by the shell and result in other commands except of `ps` executing on the host running the MCP Server. Version 1.3.3 contains a patch for the issue.

Node.js Apple Command Injection +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Certain hybrid DVR models (HBF-09KD and HBF-16NK) from Hunt Electronic have an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary OS commands and execute them on the device.

Command Injection
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.

Command Injection Debian Puppet Enterprise
NVD
EPSS 2% CVSS 2.1
LOW POC Monitor

A vulnerability classified as critical has been found in TOTOLINK CA300-PoE 6.2c.884. This affects the function QuickSetting of the file ap.so. The manipulation of the argument hour/minute leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
EPSS 2% CVSS 2.1
LOW POC Monitor

A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been rated as critical. Affected by this issue is the function setUpgradeUboot of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
EPSS 2% CVSS 2.1
LOW POC Monitor

A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been declared as critical. Affected by this vulnerability is the function setUpgradeFW of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
EPSS 2% CVSS 2.1
LOW POC Monitor

A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been classified as critical. Affected is the function SetWLanApcliSettings of the file wps.so. The manipulation of the argument PIN leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Registrator, a GitHub app automating Julia package registration, contains critical shell injection and argument injection vulnerabilities in versions prior to 1.9.5 that can be exploited through malicious or injected clone URLs returned by GitHub. An unauthenticated remote attacker can achieve arbitrary code execution on systems running vulnerable versions with no user interaction required. No public exploits are confirmed, but the vulnerability is trivial to exploit given the direct code paths involved.

Command Injection RCE Code Injection +3
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

CVE-2025-48890 is a critical OS command injection vulnerability in the miniigd SOAP service affecting WRH-733GBK and WRH-733GWH network storage devices. Remote unauthenticated attackers can execute arbitrary OS commands by sending specially crafted requests, achieving complete system compromise (CVSS 9.8). With an attack vector of Network/Low complexity/No privileges required, this vulnerability poses immediate risk to exposed devices.

Command Injection RCE IoT +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

CVE-2025-43879 is a critical OS command injection vulnerability in Whirlpool refrigerator models WRH-733GBK and WRH-733GWH that allows unauthenticated remote attackers to execute arbitrary operating system commands via the telnet function. With a CVSS 9.8 score and network-accessible attack vector requiring no authentication or user interaction, this vulnerability poses immediate risk to any connected affected appliance. The vulnerability's presence in IoT/appliance firmware suggests potential for botnet recruitment, lateral network movement, or data exfiltration from vulnerable devices.

Command Injection
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A command injection vulnerability in Connection Diagnostics page (CVSS 8.8). High severity vulnerability requiring prompt remediation.

Command Injection TP-Link RCE +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

CVE-2025-6559 is an unauthenticated OS Command Injection vulnerability affecting multiple Sapido wireless router models that are out of support. Remote attackers can inject and execute arbitrary operating system commands with no authentication required, achieving complete system compromise. The CVSS 9.8 Critical severity reflects the trivial attack vector (network-accessible, no user interaction required) and complete impact on confidentiality, integrity, and availability.

Command Injection
NVD
EPSS 2% CVSS 10.0
CRITICAL Act Now

An OS command injection vulnerability exists in the Chinese versions of Sangfor Endpoint Detection and Response (EDR) management platform versions 3.2.16, 3.2.17, and 3.2.19. The vulnerability allows unauthenticated attackers to construct and send malicious HTTP requests to the EDR Manager interface, leading to arbitrary command execution with elevated privileges. This flaw only affects the Chinese-language EDR builds. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Command Injection
NVD
EPSS 81% 5.9 CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

Multiple Linksys E-Series router models contain an unauthenticated OS command injection vulnerability in the /tmUnblock.cgi and /hndUnblock.cgi endpoints accessible on port 8080. The ttcp_ip parameter is passed directly to a system shell without sanitization, enabling remote root-level command execution on the router.

RCE Command Injection
NVD Exploit-DB VulDB
EPSS 11% CVSS 9.8
CRITICAL POC THREAT Emergency

White-labeled DVRs manufactured by TVT contain an unauthenticated OS command injection in the 'Cross Web Server' HTTP service on ports 81/82. The URI path handling for language extraction fails to sanitize input, enabling remote attackers to execute arbitrary commands on the surveillance DVR.

Command Injection RCE Authentication Bypass +30
NVD Exploit-DB
EPSS 8% CVSS 9.8
CRITICAL POC Act Now

CVE-2025-34035 is a critical OS command injection vulnerability in EnGenius EnShare Cloud Service versions 1.4.11 and earlier, affecting the usbinteract.cgi script which fails to sanitize the 'path' parameter. Unauthenticated remote attackers can inject arbitrary shell commands executed with root privileges, resulting in complete system compromise. Active exploitation has been documented by the Shadowserver Foundation as of 2024-12-05, indicating real-world threat activity.

Command Injection Esr900 Firmware Esr1200 Firmware +5
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

CVE-2025-34033 is an OS command injection vulnerability in Blue Angel Software Suite's webctrl.cgi script that allows authenticated attackers to execute arbitrary commands as root via unsanitized input to the ping_addr parameter. The vulnerability affects embedded Linux devices running the Blue Angel Software Suite, and successful exploitation grants complete system compromise with command output visible in the web interface. Active exploitation was confirmed by Shadowserver Foundation on 2025-01-26, with CVSS 8.8 severity and root-level code execution impact.

Command Injection Blue Angel Software Suite
NVD Exploit-DB
EPSS 0% CVSS 6.6
MEDIUM This Month

Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 fail to sanitize user input prior to passing the input to command line utilities, allowing command injection via special characters in filenames

Command Injection
NVD GitHub
Prev Page 25 of 87 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy