Command Injection
Monthly
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary shell commands via unsanitized gateway address input passed to system() inside libNetSetObj.so. The flaw is reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint, granting full device compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network services to execute arbitrary shell commands via unsanitised netmask input passed to system() inside libNetSetObj.so. The flawed CNetSetObj::m_F_n_Set_Net_Mask routine is reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint, yielding code execution in the context of the configuration daemon. No public exploit identified at time of analysis, but the Talos report provides full reverse-engineered detail that materially lowers the barrier to weaponisation.
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute arbitrary shell commands by sending crafted network packets to the libNetSetObj.so library via the DVRSearch service or Network.cgi endpoint. The flaw stems from unsanitized attacker-controlled IP address input passed directly to system() in CNetSetObj::m_F_n_Set_IP_Addr. No public exploit identified at time of analysis, though Talos Intelligence disclosed the issue with technical detail (TALOS-2026-2379).
Arbitrary OS command execution in the @rtk-ai/rtk-rewrite 1.0.0 OpenClaw plugin allows an attacker who can influence the exec tool's command parameter - for example through an LLM agent prompt or gateway/tool-call input - to run commands with the privileges of the plugin/gateway process. The flaw stems from unsanitized input being interpolated into a shell-backed execSync() template that /bin/sh -c expands, letting $() and backtick substitutions fire before rtk runs. SSVC lists a proof-of-concept as available, though EPSS is low (0.23%, 14th percentile) and it is not in CISA KEV.
Command injection in mise's GitHub credential resolver executes attacker-controlled shell commands on the victim developer's machine when a malicious `.mise.toml` is placed in a repository and no higher-priority GitHub token environment variable is set. Versions v2026.3.15 through v2026.3.17 (and all releases up to < 2026.6.4) pass `github.credential_command` from untrusted local project config directly to `sh -c` without any trust verification. A working proof-of-concept is confirmed per GHSA-29hf-rm4x-xxph on Docker linux-arm64; no CISA KEV listing at time of analysis, but POC availability elevates practical risk above the moderate CVSS base score.
Arbitrary command execution in mise versions prior to 2026.6.4 allows attacker-controlled repositories to run commands the moment a victim lists or tab-completes a task. The trust gate only fires inside config-file parsers (`mise.toml`, `.tool-versions`), so a repo that ships a `mise-tasks/` (or `.mise/tasks/`) directory without any config file bypasses the prompt entirely, and the Tera `exec()` function registered in the rendering environment fires while tasks are merely enumerated. A public proof-of-concept is included in GHSA-77g9-363w-rccq; no CISA KEV entry exists at time of analysis.
{, } and stripped doubled && but left the single & background operator intact at the same execAsync() sh -c sink. Publicly available exploit code exists (a PHP PoC harness is included in the advisory), but the vulnerability is not in CISA KEV at time of analysis.
Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.
Authenticated remote code execution in NetComm NF20MESH routers running firmware R6B031 and earlier allows low-privileged authenticated attackers to gain full root-level OS control via OS command injection. The dalStorage_addUserAccount function unsafely concatenates attacker-supplied JSON username input into a shell command string executed by rut_doSystemAction without sanitization, enabling shell metacharacter injection. No public exploit identified at time of analysis and no CISA KEV listing, but a detailed public advisory from signal11.io documents the attack surface, and a vendor patch (implied R6B032) is available.
Command injection in ImageMagick's SVG decoder (coders/svg.c) lets attackers smuggle arbitrary MVG (Magick Vector Graphics) drawing commands inside an SVG file that execute when the image is rendered, affecting versions before 7.1.2-15 and 6.9.13-40 (and the Magick.NET bindings before 14.10.3). Because ImageMagick frequently processes untrusted, user-uploaded images on servers, a crafted SVG can achieve high-impact abuse of the internal MVG rendering pipeline. There is no public exploit identified at time of analysis and it is not on CISA KEV; EPSS is low at 0.91% (55th percentile), but SSVC flags exploitation as automatable.
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update permissions) to abuse the Custom MCP Server feature and run arbitrary OS commands on the host. The validateCommandFlags blocklist and validateArgsForLocalFileAccess regex are incomplete - for example 'docker build' is permitted and 'npx --yes' is permitted while only '-y' is blocked - letting attackers point Flowise at a hostile Dockerfile or local script to achieve full host compromise. Publicly available exploit code exists (the GHSA advisory ships a reproduction), though there is no public exploit identified at time of analysis in CISA KEV.
Local privilege escalation via command injection in Glances 4.5.5_dev1 and earlier allows users with libvirt domain-creation rights to execute arbitrary commands as the Glances process owner (typically root on hypervisor hosts). The flaw lives in the KVM/QEMU monitoring plugin, where VM domain names parsed from `virsh list --all` are interpolated into command strings handled by `secure_popen()`, which intentionally treats `&&`, `|`, and `>` as control operators. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA-v5r2-qh84-fjx5 advisory.
Command injection in TP-Link Archer and TL-MR series routers allows an adjacent unauthenticated attacker on the same broadcast domain to execute arbitrary commands with elevated privileges by supplying crafted DHCP option responses. The flaw resides in DHCP client option processing during device initialization and is most reliably triggered when the router is in factory-default or unconfigured state. No public exploit identified at time of analysis, but the vendor (TP-Link) has confirmed the issue and released firmware patches.
World-readable configuration file permissions in motionEye <= 0.43.1b4 expose the admin SHA1 password hash to any local user account on the host. The flaw affects both supported installation methods (manual and motioneye_init), making it a software default rather than a deployment error. Proof-of-concept code is publicly available in the vendor's GitHub Security Advisory; when chained with GHSA-45h7-499j-7ww3 (hash-as-signing-key authentication bypass) and CVE-2025-60787 (OS command injection requiring admin auth), a local unprivileged attacker can escalate to the Motion daemon user - often root - without any elevated privileges. No active exploitation is confirmed in CISA KEV at time of analysis.
OS command injection in Coolify 4.0.0's Image Name Handler allows authenticated remote attackers to execute arbitrary operating system commands by manipulating image name inputs. Coolify is a self-hosted PaaS that orchestrates Docker deployments, making server-side command injection in its image handling pipeline particularly high-impact - the platform typically operates with Docker daemon privileges. Publicly available exploit code exists (CVSS 4.0 E:P, corroborated by a GitHub PoC writeup); no public confirmation of active exploitation is present, and no vendor response to the coordinated disclosure was received.
OS command injection in Comfast CF-WR631AX V3 firmware (versions 2.7.0.0 through 2.7.0.8) allows an authenticated remote attacker to execute arbitrary operating system commands by injecting shell metacharacters into the `destination` parameter of the ping configuration API endpoint at /cgi-bin/mbox-config?section=ping_config. A detailed public exploit analysis report is available on GitHub, materially lowering the exploitation barrier, though no CISA KEV listing confirms active in-the-wild campaigns at time of analysis. The vendor was notified prior to disclosure and did not respond, leaving all known firmware versions without a patch.
Command injection in the Edimax BR-6478AC V2 router (firmware 1.23) allows network-adjacent authenticated attackers to execute arbitrary OS commands via the `command` argument in POST requests to the `/goform/mp` endpoint. The vulnerability is rooted in insufficient input sanitization in the `mp` form handler, exposing the router's underlying OS to attacker-controlled commands. A public proof-of-concept exploit has been released and the vendor has not responded to disclosure, leaving no patch available - the device remains unmitigated at time of analysis.
Command injection in Edimax BR-6478AC V2 firmware 1.23 allows remote attackers with low-privilege credentials to execute arbitrary OS commands by embedding shell metacharacters in the `newpass` argument of POST requests to the `/goform/wiz_5in1_redirect` endpoint. A public proof-of-concept exploit exists and is referenced in the VulDB disclosure, making this straightforwardly reproducible. The vendor has not responded to coordinated disclosure, leaving no official patch available - a significant concern for a SOHO network gateway that sits at the perimeter of home and small-office networks.
Command injection in the Edimax BR-6478AC V2 router (firmware 1.23) allows authenticated remote attackers to execute arbitrary OS commands by manipulating the `interface` argument in POST requests to `/goform/stainfo`. No patch is available - Edimax did not respond to coordinated disclosure - and a public proof-of-concept exploit exists, making this a persistent, unmitigated risk on deployed devices. The vendor-reported CVSS 4.0 score of 2.1 appears to significantly understate actual impact, as unrestricted command injection on embedded router firmware typically enables full system control rather than merely low-severity limited access.
Command injection in Edimax BR-6478AC V2 firmware 1.23 allows remote attackers with low-privileged web interface access to execute arbitrary OS commands by injecting shell metacharacters into WAN credential parameters submitted via POST to /goform/setWAN. A public proof-of-concept exploit is documented and available, the vendor did not respond to coordinated disclosure, and no patch exists - leaving only compensating controls as mitigation. No public exploit identified at time of analysis in CISA KEV, but the combination of public PoC, zero vendor response, and SOHO device deployment patterns represents materially elevated real-world risk.
Command injection in Microsoft 365 Copilot lets a remote, unauthenticated attacker tamper with data and integrity over the network by injecting unneutralized special elements into a command (CWE-77). The flaw carries a CVSS 7.5 driven entirely by high integrity impact, with no confidentiality or availability loss. There is no public exploit identified at time of analysis, EPSS estimates only a 0.39% 30-day exploitation probability, and CISA's SSVC scores exploitation as none - but a vendor patch is available.
Command injection in the @cyclonedx/cyclonedx-npm SBOM generator (versions >= 2.1.0, < 5.0.0) lets an attacker who controls the value passed to the --workspace CLI option execute arbitrary OS commands when the npm_execpath environment variable is unset or empty. In that fallback path the tool spawns a subshell and interpolates the workspace value into a command string without escaping, so shell metacharacters break out of the intended context and run with the invoking user's privileges. No public exploit identified at time of analysis, though the vendor fix PR ships a proof-of-concept-style regression test; the issue is not listed in CISA KEV and no EPSS score was provided.
Authenticated remote code execution in gin-vue-admin 2.9.1 lets attackers with access to the code-generation and MCP management features inject arbitrary Go source via POST /autoCode/addFunc and trigger a rebuild/restart through POST /autoCode/mcpStart, yielding OS command execution as the application service account. No public exploit identified at time of analysis, and as of publication a patched version is not confirmed; the upstream GHSA-22cv-9jv2-6m62 advisory only documents allowlist-based workarounds.
Shell command injection in pontedilana/php-weasyprint prior to 2.5.1 allows code execution as the PHP process when the WeasyPrint binary path is sourced from configuration, environment variables, or per-tenant settings. The library's buildCommand() inverted the order of escapeshellarg() and is_executable(), turning the 'safe' branch into dead code and passing the raw binary string into Symfony Process::fromShellCommandline(). No public exploit identified at time of analysis, but a PoC for the identical KnpLabs/snappy precursor flaw (GHSA-vpr4-p6fq-85jc) is published and directly applicable.
Authenticated OS command injection in SIMA GmbH Bondix Server through 1.25.7.5 on Linux allows an attacker with configuration write privileges to execute arbitrary operating-system commands by supplying crafted values in the environment and tunnel configuration that are passed unsanitized to server-side scripts. The flaw was reported by NCSC.ch and carries a CVSS 4.0 base score of 8.6 (High); no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Command injection in the Network-AI npm package (network-ai < 5.9.1) lets any agent or caller granted a wildcard allowlist entry such as `git *`, `npm *`, or `node *` execute arbitrary shell commands as the orchestrator process. The flaw stems from `SandboxPolicy.isCommandAllowed` glob-matching the entire command string while `ShellExecutor` runs it through `/bin/sh -c`, so shell metacharacters like `;`, `|`, and `$(...)` smuggle additional commands past the sandbox. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis in the wild and no CISA KEV listing.
{token}_{clusterId}.yaml. CVSS 4.0 rates this 9.4 (Critical) with a scope-changing impact on subsequent systems, but no public exploit was identified at time of analysis and it is not listed in CISA KEV. Reported by SUSE through GitHub Security Advisory GHSA-mhc6-2gfq-xx62.
SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inject SQL via the description field of Domain, Domain Constraint, Foreign Table, Language, Event Trigger, and View dialogs, where Jinja templates wrapped the value in single quotes instead of passing it through the qtLiteral escape filter. Sixteen template sites plus ten related pgstattuple/pgstatindex identifier sinks share the defect; injected SQL executes as the connected PostgreSQL role, and if that role can use COPY ... TO/FROM PROGRAM it pivots to OS command execution on the database host. No public exploit identified at time of analysis, and the vendor notes the bug does not cross a privilege boundary since the same user already has direct SQL access via the Query Tool.
OS command injection in LMS (LAN Management System) before commit 9fcb4de allows authenticated adjacent attackers to execute arbitrary operating system commands by supplying a malicious IP address parameter that is passed unsanitized to exec(). The flaw was reported by CERT-PL and an upstream fix is available; no public exploit identified at time of analysis, and the CVSS 4.0 score of 8.6 reflects high impact on the vulnerable system with limited subsequent-system effect.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Unauthenticated remote command execution affects InHand Networks IR912 and IR915 industrial cellular routers running firmware V1.0.0.r20042 and earlier, where the file upload function fails to sanitize input and passes attacker-controlled data to a shell context. Successful exploitation yields code execution as root on the device. No public exploit identified at time of analysis, but the CVSS 9.8 rating and network-reachable file upload endpoint make this a high-priority patching target for any operator with these routers exposed to untrusted networks.
Command injection in e107 CMS versions 2.3.5 and earlier allows authenticated low-privilege users to execute arbitrary shell commands as the web server user via the news submission upload flow. The flaw lives in resize_image() where the ImageMagick convert destination path embeds a 6-character slice of the user-controlled news title without shell escaping, letting tab characters and $(...) / backtick expansions reach /bin/sh -c. No public exploit identified at time of analysis, and exploitation requires a specific non-default configuration combination.
Authenticated command injection in Splunk AI Toolkit versions below 5.7.4 allows a user with the Splunk admin role to execute arbitrary OS commands on the underlying Splunk Enterprise host. The flaw lives in the btool configuration helper, which builds shell command strings from dynamic parameters with shell interpretation enabled. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OpenStack Horizon before 25.7.4 embeds project names unsanitized into generated OpenStack RC shell scripts, enabling OS command injection when a victim user downloads and sources that script locally. An attacker with sufficient privileges to create or control a project name can insert shell metacharacters (e.g., backtick sequences, command substitution syntax) that execute arbitrary commands in the victim's local shell environment upon RC file execution. No public exploit code or CISA KEV listing exists at time of analysis, though the underlying CWE-78 class is well-understood; notably, the OpenStack project itself characterizes this as a security hardening opportunity rather than a traditional vulnerability, reflecting a disputed severity framing.
Remote code execution in OpenHuman desktop agent through 0.54.0 allows attackers to escape the Supervised SecurityPolicy sandbox and run arbitrary OS commands as the desktop user via indirect prompt injection. Two allowlist bypasses in src/openhuman/security/policy.rs - missing coverage of find's -execdir/-okdir flags and pre-validation stripping of inline KEY=value env assignments (e.g. GIT_EXTERNAL_DIFF, GIT_SSH_COMMAND) - let an attacker turn an allowlisted command into arbitrary execution. No public exploit identified at time of analysis, but the vendor has shipped a fix in commit 60050aa (first stable release 0.56.0).
Authenticated OS command injection in MSI RadiX AX6600 WiFi 6 Tri-Band Gaming Router lets an administrator of the web console execute arbitrary operating system commands as root. The flaw was reported through JPCERT/JVN (JVN20769211) and carries a CVSS 3.0 score of 7.2; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authenticated OS command injection in the TP-Link TL-WR940N v6 router's IPv6 PPPoE configuration handler allows administrators to break out of the configuration parser and execute arbitrary shell commands with elevated (typically root) privileges on the device. The flaw was reported by TP-Link itself and a firmware fix is available; no public exploit identified at time of analysis. Risk is bounded by the CVSS 4.0 vector requiring adjacent-network access and high privileges (AV:A/PR:H), but post-exploitation impact on confidentiality, integrity, and availability is rated High.
Authenticated OS command injection in the TP-Link TL-WR940N v6 router's BigPond Cable (BPA) WAN configuration module allows administrators to execute arbitrary system commands with elevated privileges on the device. The flaw stems from improper sanitization of user-supplied input in the WAN setup path and affects firmware versions prior to V6_260528. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Command injection in Deno's `node:child_process` on Windows allows attackers who control any portion of an argument passed to `spawn`/`spawnSync`/`exec` with `shell: true` to execute arbitrary commands via unescaped `cmd.exe` metacharacters. The flaw affects Deno versions prior to 2.7.10 and is the Windows counterpart to the previously fixed CVE-2026-27190. Publicly available exploit code exists (the advisory itself includes a working PoC launching `calc.exe`), but there is no public exploit identified in the wild and no CISA KEV listing at time of analysis.
OS command injection in Radiflow iSAP Smart Collector allows an authenticated attacker on the management network to execute arbitrary commands with administrative (root-equivalent) privileges on the underlying operating system via the device's token-authenticated REST API. The CVSS 9.1 score reflects scope-changed impact across confidentiality, integrity, and availability, which is significant given the device's role as an OT/ICS data collector. No public exploit identified at time of analysis, and the flaw was disclosed through ENISA via the Italian CVCN national coordination center.
Remote command injection in ServerCo getssl 2.49 and prior allows an attacker who controls or tampers with ACME challenge responses (a malicious/compromised CA endpoint or on-path adversary) to write attacker-chosen file paths via tokens that violate RFC 8555 base64url constraints, typically yielding code execution as the privileged user that renews certificates. The issue was reported by runZero, fixed upstream in v2.50, and at the time of analysis there is no public exploit identified and the CVE is not listed in CISA KEV.
Command injection in openSUSE/SUSE wicked DHCP client before 0.6.79 allows attackers operating a rogue DHCP server on the victim's local network segment to execute arbitrary commands by embedding single-quoted shell metacharacters in DHCP option strings, which are written unsanitized to /run/wicked/leaseinfo.* files and later consumed by netconfig. The CVSS 8.8 (AV:A) rating reflects adjacent-network exposure without authentication. No public exploit identified at time of analysis.
Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Remote code execution in galaxy_ng's legacy role import API (v1) allows an authenticated user controlling a git repository to execute arbitrary commands on the pulp worker by crafting a branch or tag name containing shell metacharacters. The flaw stems from unsanitized git ref interpolation into a subprocess.run() call with shell=True inside do_git_checkout(), and only affects deployments where GALAXY_ENABLE_LEGACY_ROLES is explicitly enabled (non-default). No public exploit identified at time of analysis.
Command injection in Turck TBEN-LL-SE-M2, TBEN-L4-SE-M2, and TBEN-L5-SE-M2 Managed Ethernet Switches allows an authenticated low-privileged remote attacker to achieve full system compromise by injecting shell metacharacters into a name parameter. The flaw, reported by CERT@VDE, carries a CVSS 8.8 rating with no public exploit identified at time of analysis and is not currently listed in CISA KEV.
OS command injection in the SSH Elevate Shell feature of Devolutions Remote Desktop Manager up to 2026.2.7 lets an authenticated user who can create or modify a shared SSH entry execute arbitrary commands on remote SSH hosts by smuggling shell metacharacters through a crafted alternate username, abusing stored elevation credentials they would not otherwise possess. No public exploit identified at time of analysis and EPSS is low (0.16%, 5th percentile), but the privilege-escalation angle - turning shared-entry write access into code execution under another user's sudo/elevation context - makes this attractive for insider or post-compromise abuse.
OS command injection in BrowserStack's browserstack-cypress-cli versions prior to 1.36.6 allows attackers who control the cypress_config_filepath value to execute arbitrary shell commands in the context of the user running the CLI. The vulnerable loadJsFile() function in readCypressConfigUtil.js interpolated the path into a shell command executed via child_process.execSync(), letting embedded quote and semicolon characters break out of the quoted argument. No public exploit identified at time of analysis, though the upstream commit and added negative tests effectively document the exact payload pattern.
OS command injection in Fortra BoKS Manager (Core Privileged Access Manager) lets a malicious or already-compromised legacy tar-installed client execute arbitrary commands on the central BoKS Master when that client is selected for upgrade or patching. The flaw sits in the client version-handling logic of the legacy tar-based upgrade/patch tooling, turning a single rogue managed endpoint into a foothold on the security control plane. It is not in CISA KEV and no public exploit is identified at time of analysis; EPSS is low at 0.57% (43rd percentile), and CISA SSVC records exploitation as 'none' though technical impact as 'total'.
Remote unauthenticated command injection in Fortra's Core Privileged Access Manager (BoKS) allows network-adjacent attackers to execute arbitrary OS commands with the privileges of the boks_autoregisterd service. The flaw resides in autoregistration processing and carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating, though no public exploit identified at time of analysis. Because BoKS is a privileged access management product, successful exploitation can directly undermine the security control plane intended to protect enterprise privileged accounts.
Command injection in the Yealink SIP-T46U IP phone firmware 108.86.0.118 enables authenticated, adjacent-network attackers to execute arbitrary operating system commands by manipulating the `ip` or `port` arguments submitted to the `/api/inner/tftpuploadiperf` Web FastCGI endpoint. Publicly available exploit code exists, and Yealink did not respond to responsible disclosure, meaning no vendor-released patch has been identified at time of analysis. No KEV listing confirms active exploitation, but the combination of a public proof-of-concept, an absent vendor response, and a default-enabled attack surface on widely deployed enterprise VoIP phones elevates practical risk beyond the moderate CVSS 4.0 score of 5.1.
Command injection in Yealink SIP-T46U firmware 108.86.0.118 enables remote authenticated attackers to execute arbitrary OS commands via the unsanitized `Time` argument passed to the `mod_diagnose.CommandShellByType` function at the `/api/diagnosis/start` diagnostic endpoint. The exploit leverages the Web FastCGI Service's failure to neutralize shell metacharacters before invoking underlying system commands, consistent with CWE-77. A public proof-of-concept exploit archive is confirmed available, no CISA KEV listing exists at time of analysis, and the vendor did not respond to disclosure - leaving the vulnerability unpatched.
Authenticated command injection in kanishka-linux Reminiscence v0.3.0 lets remote attackers execute arbitrary OS commands by submitting crafted input to the /manage/features/media endpoint. The flaw maps to CWE-78 with CVSS 8.1 (PR:L), and publicly available exploit code exists in a referenced gist; EPSS is modest at 0.66% (47th percentile) and the issue is not on CISA KEV.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_dial_call via the dialNumber parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.
Arbitrary code execution in OpenCPN v5.12.0 allows local authenticated users to run shell commands by embedding shell metacharacters in input passed to the wxExecute() function. CVSS 3.1 rates it 7.8 (High) with local attack vector and low privileges required, and SSVC assesses technical impact as total but with no observed exploitation. No public exploit identified at time of analysis beyond a researcher write-up referenced in the advisory.
Remote code execution in kanishka-linux Reminiscence v0.3.0 allows unauthenticated attackers to execute arbitrary OS commands by supplying crafted input to the media archiving and export pipeline component. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact to confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS sits at 0.67% (47th percentile) indicating limited observed exploitation pressure so far.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the ims_apn parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter.
Command injection in the Ruijie EG105G-P 2.340 gateway router allows authenticated remote attackers to execute arbitrary OS commands by manipulating the params.target argument of the nslookup function in the /cgi-bin/luci/api/diagnose JSON-RPC endpoint. Publicly available exploit code exists, the vendor did not respond to coordinated disclosure, and successful exploitation yields full confidentiality, integrity, and availability impact on the device.
Command injection in the GL.iNet GL-MT3000 travel router's Online Firmware Upgrade Handler (/usr/bin/one_click_upgrade) allows authenticated remote attackers to execute arbitrary OS commands on devices running firmware up to 4.4.5. Publicly available exploit code exists on GitHub, and the issue is fixed in firmware 4.7 (with 4.8.1 currently published by the vendor). No CISA KEV listing has been confirmed, but the combination of a published PoC and an internet-exposable management interface raises the practical risk above the headline CVSS score.
Authenticated command injection in the GL.iNet GL-MT3000 travel router (firmware up to 4.4.5) lets remote attackers with low-privileged access execute arbitrary OS commands via the replace_country function in the Tor Proxy Service configuration handler. Publicly available exploit code exists for the flaw, and the vendor has shipped a fix; no public exploit identified at time of analysis as actively exploited in the wild.
OS command injection and arbitrary file truncation in the Perl module Config::IniFiles before 3.001000 occurs because _make_filehandle uses Perl's 2-argument open() on the -file argument, letting filenames prefixed/suffixed with shell metacharacters ('| cmd', 'cmd |', '> path', '>> path') execute commands or overwrite files under the process UID. Any application passing untrusted input to new(-file => ...) or ReadConfig is exposed. EPSS is low (~0.26%) and SSVC reports no observed exploitation, but an upstream patch and a public regression test demonstrate the issue clearly.
Authenticated command injection in File Browser (github.com/filebrowser/filebrowser/v2 before 2.33.8) lets any user holding Execute permission bypass the command allowlist when a shell interpreter such as /bin/sh -c is configured. Because the allowlist validates only the first token while the full raw string is passed to the shell, an attacker chains arbitrary OS commands after a permitted one using metacharacters (;, |, backticks, $()), executing them at the server process privilege - root in the default Docker image. A detailed working PoC is published in the GHSA advisory; EPSS is very low (0.02%, 7th percentile) and the vulnerable Command Execution feature is disabled by default from 2.33.8 onward, including for upgraded existing installations.
Command injection in OpenClaw before 2026.5.18 allows authenticated attackers to modify shell wrapper argv between approval and execution, bypassing the allowlist enforcement. The TOCTOU-style race against the approval gate lets attackers execute unapproved command shapes with the application's privileges, with no public exploit identified at time of analysis but a vendor advisory published via GHSA.
Command injection in Kitty cross-platform GPU terminal emulator versions prior to 0.47.0 allows remote attackers to execute arbitrary shell commands on a victim's host by sending a crafted escape sequence over an attacker-controlled network connection. The terminal echoes its own error message - including attacker-controlled bytes - back to the shell with CRLF, causing the shell to execute the injected command. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OS command injection in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (iVEC TANK-XM811) allows privileged remote attackers to inject and execute arbitrary operating system commands on the affected device. The flaw was disclosed via Taiwan's TWCERT and carries a CVSS 4.0 base score of 8.6, with no public exploit identified at time of analysis. Because exploitation requires high privileges, the issue represents a post-authentication path to full device compromise rather than an unauthenticated remote takeover.
Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitrary OS commands on UniFi gateways, controllers, NVRs, and NAS devices, with a CVSS 9.9 score reflecting scope change and full CIA impact. The vulnerability affects a broad device family including UDM, UDM Pro/SE/Max/Beast, UDR, UDW, UCG, UNVR, and UNAS lines per Ubiquiti Security Advisory Bulletin 065. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Command injection in Ubiquiti UID Enterprise Agent allows a low-privileged attacker with network access to execute arbitrary commands on the host device by abusing improper input validation. The CVSS 9.9 score reflects a scope change with high confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Defenders should treat this as a high-priority patch item given the low attack complexity and minimal privilege requirement.
Remote command injection in ClipBucket v5 prior to version 5.5.3 - #140 allows authenticated users to execute arbitrary OS commands by submitting a crafted URL through the Remote Play video import feature. The URL is concatenated unescaped into shell commands, so any metacharacter is interpreted by the shell, yielding code execution as the web server user. No public exploit identified at time of analysis, but the vendor-confirmed advisory and trivial exploitation pattern make this a high-priority issue for any internet-exposed deployment.
Authenticated command injection in CyberArk Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6 allows low-privileged users to execute arbitrary OS commands on the PSMP host. Because PSMP brokers privileged SSH sessions to downstream targets, code execution on this host can pivot an attacker from a constrained PAM user into the operator of the privileged-access tier. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 4.0 base score of 8.7 reflects high confidentiality and integrity impact on the vulnerable system.
Command injection in KanaDojo's GitHub Actions release workflow (release.yml) allows attackers who can land a pull request to execute arbitrary commands on the repository's CI runner. The version and changes fields of patchNotesData.json are interpolated unsanitized into a child_process.execSync() call, granting any merged malicious PR access to GITHUB_TOKEN and contents:write permissions. No public exploit identified at time of analysis, but the supply-chain blast radius is significant for downstream KanaDojo consumers.
OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes by embedding shell metacharacters in a joiner node's name, which the server passes unsanitized to the script defined in wsrep_notify_cmd. Affected branches are 10.6.1–10.6.26, 10.11.1–10.11.17, 11.4.1–11.4.11, 11.8.1–11.8.7, and 12.3.1, but only when wsrep_notify_cmd is configured. It carries a vendor CVSS of 9.8; however EPSS is very low (0.05%, 15th percentile) and SSVC marks exploitation as 'none', so there is no public exploit identified at time of analysis and it is not on CISA KEV.
Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrictions and execute arbitrary OS commands as root via the CLI or Web UI. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series); Cloud NGFW and Prisma Access are explicitly excluded per the vendor advisory. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.1 accurately reflects the significant mitigating factor of requiring high-privilege administrative access before exploitation is possible.
Root command injection in dracut's legacy DHCP path allows adjacent-network attackers to execute arbitrary commands inside the initramfs by sending crafted DHCP options (e.g., malicious hostname) that are written unescaped into temporary shell scripts. The flaw affects Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4, granting full system compromise during early boot. No public exploit identified at time of analysis, and EPSS is low (0.16%, 36th percentile), but SSVC rates technical impact as total.
Malicious MCP server configuration injection via pull requests enables remote code execution on GitHub Actions runners running anthropics/claude-code-action versions prior to 1.0.74. The action's combination of checking out attacker-controlled PR head branches, reading `.mcp.json` from the working directory by default, and unconditionally enabling all discovered project MCP servers creates a poisoned pipeline execution path - an attacker who can open a PR can plant a malicious `.mcp.json` that executes arbitrary commands once a privileged user or automated trigger invokes the Claude action against that PR. Successful exploitation results in full secret exfiltration from the workflow environment, including API keys and tokens accessible to the runner. No public exploit identified at time of analysis; the fix was disclosed via GitHub Security Advisory GHSA-8q5r-mmjf-575q and patched in version 1.0.74.
OS command injection in the NodejsFunction local bundling pipeline of aws-cdk-lib prior to 2.245.0 (2.246.0 on Windows) allows an actor controlling bundling property values (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via shell metacharacter injection. The flaw, reported by Amazon and tracked under GHSA-999r-qq7v-r334, affects developer and CI/CD machines synthesizing CDK applications. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OS command injection in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers allows an authenticated attacker on an adjacent network to execute arbitrary commands by uploading a malicious VPN client configuration file. The flaw stems from improper sanitization of special characters during configuration import (CWE-78) and carries a CVSS 4.0 base score of 8.5. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but TP-Link has released firmware fixes for all affected models.
Authenticated command injection in Roxy-WI versions 8.2.6.4 and prior allows low-privileged users (role <= 3, 'user') to execute arbitrary OS commands by abusing the configver URL-path parameter on POST /config/versions/<service>/<server_ip>/<configver>/save, which flows unsanitized into an os.system() call wrapping dos2unix. No public exploit identified at time of analysis, but the GHSA advisory is published and no vendor patch exists, leaving exposed instances at immediate risk of full compromise of the management interface host.
Command injection in Ghidra versions before 12.1 on Windows allows attackers to execute arbitrary OS commands under the Ghidra user's privileges when a victim clicks a maliciously crafted URL embedded in a program comment annotation. The flaw stems from improper escaping of cmd.exe metacharacters in URL annotation handling, and exploitation requires user interaction (UI:A). No public exploit identified at time of analysis, though VulnCheck published a dedicated advisory alongside the NSA's GitHub security advisory.
Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows an attacker who already holds an administrator account to execute arbitrary OS commands on the appliance. The flaw carries a CVSS 4.0 score of 8.6, but the PR:H requirement substantially narrows the attacker population; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. QNAP has shipped fixed builds (QTS 5.2.9.3492 build 20260507 and QuTS hero h5.2.9.3499 build 20260514).
Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows attackers with administrator credentials to execute arbitrary OS commands on the appliance. The flaw spans multiple QTS and QuTS hero release trains (5.2.x, 5.3.x, and 6.0.x) and has been patched by QNAP across all affected branches. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV, but the post-authentication code execution primitive is highly valuable for attackers who have already harvested admin credentials.
Authenticated command injection in QNAP QTS and QuTS hero allows a remote attacker holding administrator credentials to execute arbitrary OS commands on the NAS appliance. The CVSS 4.0 base score of 8.6 reflects high impact across confidentiality, integrity, and availability, though exploitation requires high privileges (PR:H). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; QNAP has released fixed builds across affected QTS and QuTS hero branches.
Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained administrator credentials to execute arbitrary OS commands on the appliance. Reported by QNAP itself and tracked as EUVD-2025-210099, the issue affects multiple branches across QTS 5.2.x and QuTS hero 5.2.x, 5.3.x, and 6.0.x and is fixed in builds dated 2026-02-06 through 2026-05-20. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().
Command injection in Ruby's net-imap gem allows arbitrary IMAP protocol command injection via the Net::IMAP#id and Net::IMAP#enable methods when untrusted input is passed as arguments. The #id method fails to prohibit CRLF sequences in ID field value strings (despite correctly quoting other specials), while #enable passes argument .to_s values verbatim without validating them as legal IMAP atoms. An attacker who can influence these inputs can terminate the current IMAP command and append arbitrary subsequent IMAP commands such as DELETE mailbox. Rated 'moderate' by the maintainer; no public exploit identified at time of analysis and no CISA KEV listing.
{0}` or `{0+}`, allowing a smuggled literal-continuation marker to reach the IMAP server and cause it to absorb the next client command - hanging the issuing thread and, in multi-threaded environments, also the thread that sent the follow-up command. Rated low severity by the maintainers; no public exploit identified at time of analysis, but any application passing untrusted input to the affected raw argument parameters is at risk.
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary shell commands via unsanitized gateway address input passed to system() inside libNetSetObj.so. The flaw is reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint, granting full device compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network services to execute arbitrary shell commands via unsanitised netmask input passed to system() inside libNetSetObj.so. The flawed CNetSetObj::m_F_n_Set_Net_Mask routine is reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint, yielding code execution in the context of the configuration daemon. No public exploit identified at time of analysis, but the Talos report provides full reverse-engineered detail that materially lowers the barrier to weaponisation.
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute arbitrary shell commands by sending crafted network packets to the libNetSetObj.so library via the DVRSearch service or Network.cgi endpoint. The flaw stems from unsanitized attacker-controlled IP address input passed directly to system() in CNetSetObj::m_F_n_Set_IP_Addr. No public exploit identified at time of analysis, though Talos Intelligence disclosed the issue with technical detail (TALOS-2026-2379).
Arbitrary OS command execution in the @rtk-ai/rtk-rewrite 1.0.0 OpenClaw plugin allows an attacker who can influence the exec tool's command parameter - for example through an LLM agent prompt or gateway/tool-call input - to run commands with the privileges of the plugin/gateway process. The flaw stems from unsanitized input being interpolated into a shell-backed execSync() template that /bin/sh -c expands, letting $() and backtick substitutions fire before rtk runs. SSVC lists a proof-of-concept as available, though EPSS is low (0.23%, 14th percentile) and it is not in CISA KEV.
Command injection in mise's GitHub credential resolver executes attacker-controlled shell commands on the victim developer's machine when a malicious `.mise.toml` is placed in a repository and no higher-priority GitHub token environment variable is set. Versions v2026.3.15 through v2026.3.17 (and all releases up to < 2026.6.4) pass `github.credential_command` from untrusted local project config directly to `sh -c` without any trust verification. A working proof-of-concept is confirmed per GHSA-29hf-rm4x-xxph on Docker linux-arm64; no CISA KEV listing at time of analysis, but POC availability elevates practical risk above the moderate CVSS base score.
Arbitrary command execution in mise versions prior to 2026.6.4 allows attacker-controlled repositories to run commands the moment a victim lists or tab-completes a task. The trust gate only fires inside config-file parsers (`mise.toml`, `.tool-versions`), so a repo that ships a `mise-tasks/` (or `.mise/tasks/`) directory without any config file bypasses the prompt entirely, and the Tera `exec()` function registered in the rendering environment fires while tasks are merely enumerated. A public proof-of-concept is included in GHSA-77g9-363w-rccq; no CISA KEV entry exists at time of analysis.
{, } and stripped doubled && but left the single & background operator intact at the same execAsync() sh -c sink. Publicly available exploit code exists (a PHP PoC harness is included in the advisory), but the vulnerability is not in CISA KEV at time of analysis.
Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.
Authenticated remote code execution in NetComm NF20MESH routers running firmware R6B031 and earlier allows low-privileged authenticated attackers to gain full root-level OS control via OS command injection. The dalStorage_addUserAccount function unsafely concatenates attacker-supplied JSON username input into a shell command string executed by rut_doSystemAction without sanitization, enabling shell metacharacter injection. No public exploit identified at time of analysis and no CISA KEV listing, but a detailed public advisory from signal11.io documents the attack surface, and a vendor patch (implied R6B032) is available.
Command injection in ImageMagick's SVG decoder (coders/svg.c) lets attackers smuggle arbitrary MVG (Magick Vector Graphics) drawing commands inside an SVG file that execute when the image is rendered, affecting versions before 7.1.2-15 and 6.9.13-40 (and the Magick.NET bindings before 14.10.3). Because ImageMagick frequently processes untrusted, user-uploaded images on servers, a crafted SVG can achieve high-impact abuse of the internal MVG rendering pipeline. There is no public exploit identified at time of analysis and it is not on CISA KEV; EPSS is low at 0.91% (55th percentile), but SSVC flags exploitation as automatable.
Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update permissions) to abuse the Custom MCP Server feature and run arbitrary OS commands on the host. The validateCommandFlags blocklist and validateArgsForLocalFileAccess regex are incomplete - for example 'docker build' is permitted and 'npx --yes' is permitted while only '-y' is blocked - letting attackers point Flowise at a hostile Dockerfile or local script to achieve full host compromise. Publicly available exploit code exists (the GHSA advisory ships a reproduction), though there is no public exploit identified at time of analysis in CISA KEV.
Local privilege escalation via command injection in Glances 4.5.5_dev1 and earlier allows users with libvirt domain-creation rights to execute arbitrary commands as the Glances process owner (typically root on hypervisor hosts). The flaw lives in the KVM/QEMU monitoring plugin, where VM domain names parsed from `virsh list --all` are interpolated into command strings handled by `secure_popen()`, which intentionally treats `&&`, `|`, and `>` as control operators. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA-v5r2-qh84-fjx5 advisory.
Command injection in TP-Link Archer and TL-MR series routers allows an adjacent unauthenticated attacker on the same broadcast domain to execute arbitrary commands with elevated privileges by supplying crafted DHCP option responses. The flaw resides in DHCP client option processing during device initialization and is most reliably triggered when the router is in factory-default or unconfigured state. No public exploit identified at time of analysis, but the vendor (TP-Link) has confirmed the issue and released firmware patches.
World-readable configuration file permissions in motionEye <= 0.43.1b4 expose the admin SHA1 password hash to any local user account on the host. The flaw affects both supported installation methods (manual and motioneye_init), making it a software default rather than a deployment error. Proof-of-concept code is publicly available in the vendor's GitHub Security Advisory; when chained with GHSA-45h7-499j-7ww3 (hash-as-signing-key authentication bypass) and CVE-2025-60787 (OS command injection requiring admin auth), a local unprivileged attacker can escalate to the Motion daemon user - often root - without any elevated privileges. No active exploitation is confirmed in CISA KEV at time of analysis.
OS command injection in Coolify 4.0.0's Image Name Handler allows authenticated remote attackers to execute arbitrary operating system commands by manipulating image name inputs. Coolify is a self-hosted PaaS that orchestrates Docker deployments, making server-side command injection in its image handling pipeline particularly high-impact - the platform typically operates with Docker daemon privileges. Publicly available exploit code exists (CVSS 4.0 E:P, corroborated by a GitHub PoC writeup); no public confirmation of active exploitation is present, and no vendor response to the coordinated disclosure was received.
OS command injection in Comfast CF-WR631AX V3 firmware (versions 2.7.0.0 through 2.7.0.8) allows an authenticated remote attacker to execute arbitrary operating system commands by injecting shell metacharacters into the `destination` parameter of the ping configuration API endpoint at /cgi-bin/mbox-config?section=ping_config. A detailed public exploit analysis report is available on GitHub, materially lowering the exploitation barrier, though no CISA KEV listing confirms active in-the-wild campaigns at time of analysis. The vendor was notified prior to disclosure and did not respond, leaving all known firmware versions without a patch.
Command injection in the Edimax BR-6478AC V2 router (firmware 1.23) allows network-adjacent authenticated attackers to execute arbitrary OS commands via the `command` argument in POST requests to the `/goform/mp` endpoint. The vulnerability is rooted in insufficient input sanitization in the `mp` form handler, exposing the router's underlying OS to attacker-controlled commands. A public proof-of-concept exploit has been released and the vendor has not responded to disclosure, leaving no patch available - the device remains unmitigated at time of analysis.
Command injection in Edimax BR-6478AC V2 firmware 1.23 allows remote attackers with low-privilege credentials to execute arbitrary OS commands by embedding shell metacharacters in the `newpass` argument of POST requests to the `/goform/wiz_5in1_redirect` endpoint. A public proof-of-concept exploit exists and is referenced in the VulDB disclosure, making this straightforwardly reproducible. The vendor has not responded to coordinated disclosure, leaving no official patch available - a significant concern for a SOHO network gateway that sits at the perimeter of home and small-office networks.
Command injection in the Edimax BR-6478AC V2 router (firmware 1.23) allows authenticated remote attackers to execute arbitrary OS commands by manipulating the `interface` argument in POST requests to `/goform/stainfo`. No patch is available - Edimax did not respond to coordinated disclosure - and a public proof-of-concept exploit exists, making this a persistent, unmitigated risk on deployed devices. The vendor-reported CVSS 4.0 score of 2.1 appears to significantly understate actual impact, as unrestricted command injection on embedded router firmware typically enables full system control rather than merely low-severity limited access.
Command injection in Edimax BR-6478AC V2 firmware 1.23 allows remote attackers with low-privileged web interface access to execute arbitrary OS commands by injecting shell metacharacters into WAN credential parameters submitted via POST to /goform/setWAN. A public proof-of-concept exploit is documented and available, the vendor did not respond to coordinated disclosure, and no patch exists - leaving only compensating controls as mitigation. No public exploit identified at time of analysis in CISA KEV, but the combination of public PoC, zero vendor response, and SOHO device deployment patterns represents materially elevated real-world risk.
Command injection in Microsoft 365 Copilot lets a remote, unauthenticated attacker tamper with data and integrity over the network by injecting unneutralized special elements into a command (CWE-77). The flaw carries a CVSS 7.5 driven entirely by high integrity impact, with no confidentiality or availability loss. There is no public exploit identified at time of analysis, EPSS estimates only a 0.39% 30-day exploitation probability, and CISA's SSVC scores exploitation as none - but a vendor patch is available.
Command injection in the @cyclonedx/cyclonedx-npm SBOM generator (versions >= 2.1.0, < 5.0.0) lets an attacker who controls the value passed to the --workspace CLI option execute arbitrary OS commands when the npm_execpath environment variable is unset or empty. In that fallback path the tool spawns a subshell and interpolates the workspace value into a command string without escaping, so shell metacharacters break out of the intended context and run with the invoking user's privileges. No public exploit identified at time of analysis, though the vendor fix PR ships a proof-of-concept-style regression test; the issue is not listed in CISA KEV and no EPSS score was provided.
Authenticated remote code execution in gin-vue-admin 2.9.1 lets attackers with access to the code-generation and MCP management features inject arbitrary Go source via POST /autoCode/addFunc and trigger a rebuild/restart through POST /autoCode/mcpStart, yielding OS command execution as the application service account. No public exploit identified at time of analysis, and as of publication a patched version is not confirmed; the upstream GHSA-22cv-9jv2-6m62 advisory only documents allowlist-based workarounds.
Shell command injection in pontedilana/php-weasyprint prior to 2.5.1 allows code execution as the PHP process when the WeasyPrint binary path is sourced from configuration, environment variables, or per-tenant settings. The library's buildCommand() inverted the order of escapeshellarg() and is_executable(), turning the 'safe' branch into dead code and passing the raw binary string into Symfony Process::fromShellCommandline(). No public exploit identified at time of analysis, but a PoC for the identical KnpLabs/snappy precursor flaw (GHSA-vpr4-p6fq-85jc) is published and directly applicable.
Authenticated OS command injection in SIMA GmbH Bondix Server through 1.25.7.5 on Linux allows an attacker with configuration write privileges to execute arbitrary operating-system commands by supplying crafted values in the environment and tunnel configuration that are passed unsanitized to server-side scripts. The flaw was reported by NCSC.ch and carries a CVSS 4.0 base score of 8.6 (High); no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Command injection in the Network-AI npm package (network-ai < 5.9.1) lets any agent or caller granted a wildcard allowlist entry such as `git *`, `npm *`, or `node *` execute arbitrary shell commands as the orchestrator process. The flaw stems from `SandboxPolicy.isCommandAllowed` glob-matching the entire command string while `ShellExecutor` runs it through `/bin/sh -c`, so shell metacharacters like `;`, `|`, and `$(...)` smuggle additional commands past the sandbox. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis in the wild and no CISA KEV listing.
{token}_{clusterId}.yaml. CVSS 4.0 rates this 9.4 (Critical) with a scope-changing impact on subsequent systems, but no public exploit was identified at time of analysis and it is not listed in CISA KEV. Reported by SUSE through GitHub Security Advisory GHSA-mhc6-2gfq-xx62.
SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inject SQL via the description field of Domain, Domain Constraint, Foreign Table, Language, Event Trigger, and View dialogs, where Jinja templates wrapped the value in single quotes instead of passing it through the qtLiteral escape filter. Sixteen template sites plus ten related pgstattuple/pgstatindex identifier sinks share the defect; injected SQL executes as the connected PostgreSQL role, and if that role can use COPY ... TO/FROM PROGRAM it pivots to OS command execution on the database host. No public exploit identified at time of analysis, and the vendor notes the bug does not cross a privilege boundary since the same user already has direct SQL access via the Query Tool.
OS command injection in LMS (LAN Management System) before commit 9fcb4de allows authenticated adjacent attackers to execute arbitrary operating system commands by supplying a malicious IP address parameter that is passed unsanitized to exec(). The flaw was reported by CERT-PL and an upstream fix is available; no public exploit identified at time of analysis, and the CVSS 4.0 score of 8.6 reflects high impact on the vulnerable system with limited subsequent-system effect.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Unauthenticated remote command execution affects InHand Networks IR912 and IR915 industrial cellular routers running firmware V1.0.0.r20042 and earlier, where the file upload function fails to sanitize input and passes attacker-controlled data to a shell context. Successful exploitation yields code execution as root on the device. No public exploit identified at time of analysis, but the CVSS 9.8 rating and network-reachable file upload endpoint make this a high-priority patching target for any operator with these routers exposed to untrusted networks.
Command injection in e107 CMS versions 2.3.5 and earlier allows authenticated low-privilege users to execute arbitrary shell commands as the web server user via the news submission upload flow. The flaw lives in resize_image() where the ImageMagick convert destination path embeds a 6-character slice of the user-controlled news title without shell escaping, letting tab characters and $(...) / backtick expansions reach /bin/sh -c. No public exploit identified at time of analysis, and exploitation requires a specific non-default configuration combination.
Authenticated command injection in Splunk AI Toolkit versions below 5.7.4 allows a user with the Splunk admin role to execute arbitrary OS commands on the underlying Splunk Enterprise host. The flaw lives in the btool configuration helper, which builds shell command strings from dynamic parameters with shell interpretation enabled. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OpenStack Horizon before 25.7.4 embeds project names unsanitized into generated OpenStack RC shell scripts, enabling OS command injection when a victim user downloads and sources that script locally. An attacker with sufficient privileges to create or control a project name can insert shell metacharacters (e.g., backtick sequences, command substitution syntax) that execute arbitrary commands in the victim's local shell environment upon RC file execution. No public exploit code or CISA KEV listing exists at time of analysis, though the underlying CWE-78 class is well-understood; notably, the OpenStack project itself characterizes this as a security hardening opportunity rather than a traditional vulnerability, reflecting a disputed severity framing.
Remote code execution in OpenHuman desktop agent through 0.54.0 allows attackers to escape the Supervised SecurityPolicy sandbox and run arbitrary OS commands as the desktop user via indirect prompt injection. Two allowlist bypasses in src/openhuman/security/policy.rs - missing coverage of find's -execdir/-okdir flags and pre-validation stripping of inline KEY=value env assignments (e.g. GIT_EXTERNAL_DIFF, GIT_SSH_COMMAND) - let an attacker turn an allowlisted command into arbitrary execution. No public exploit identified at time of analysis, but the vendor has shipped a fix in commit 60050aa (first stable release 0.56.0).
Authenticated OS command injection in MSI RadiX AX6600 WiFi 6 Tri-Band Gaming Router lets an administrator of the web console execute arbitrary operating system commands as root. The flaw was reported through JPCERT/JVN (JVN20769211) and carries a CVSS 3.0 score of 7.2; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authenticated OS command injection in the TP-Link TL-WR940N v6 router's IPv6 PPPoE configuration handler allows administrators to break out of the configuration parser and execute arbitrary shell commands with elevated (typically root) privileges on the device. The flaw was reported by TP-Link itself and a firmware fix is available; no public exploit identified at time of analysis. Risk is bounded by the CVSS 4.0 vector requiring adjacent-network access and high privileges (AV:A/PR:H), but post-exploitation impact on confidentiality, integrity, and availability is rated High.
Authenticated OS command injection in the TP-Link TL-WR940N v6 router's BigPond Cable (BPA) WAN configuration module allows administrators to execute arbitrary system commands with elevated privileges on the device. The flaw stems from improper sanitization of user-supplied input in the WAN setup path and affects firmware versions prior to V6_260528. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Command injection in Deno's `node:child_process` on Windows allows attackers who control any portion of an argument passed to `spawn`/`spawnSync`/`exec` with `shell: true` to execute arbitrary commands via unescaped `cmd.exe` metacharacters. The flaw affects Deno versions prior to 2.7.10 and is the Windows counterpart to the previously fixed CVE-2026-27190. Publicly available exploit code exists (the advisory itself includes a working PoC launching `calc.exe`), but there is no public exploit identified in the wild and no CISA KEV listing at time of analysis.
OS command injection in Radiflow iSAP Smart Collector allows an authenticated attacker on the management network to execute arbitrary commands with administrative (root-equivalent) privileges on the underlying operating system via the device's token-authenticated REST API. The CVSS 9.1 score reflects scope-changed impact across confidentiality, integrity, and availability, which is significant given the device's role as an OT/ICS data collector. No public exploit identified at time of analysis, and the flaw was disclosed through ENISA via the Italian CVCN national coordination center.
Remote command injection in ServerCo getssl 2.49 and prior allows an attacker who controls or tampers with ACME challenge responses (a malicious/compromised CA endpoint or on-path adversary) to write attacker-chosen file paths via tokens that violate RFC 8555 base64url constraints, typically yielding code execution as the privileged user that renews certificates. The issue was reported by runZero, fixed upstream in v2.50, and at the time of analysis there is no public exploit identified and the CVE is not listed in CISA KEV.
Command injection in openSUSE/SUSE wicked DHCP client before 0.6.79 allows attackers operating a rogue DHCP server on the victim's local network segment to execute arbitrary commands by embedding single-quoted shell metacharacters in DHCP option strings, which are written unsanitized to /run/wicked/leaseinfo.* files and later consumed by netconfig. The CVSS 8.8 (AV:A) rating reflects adjacent-network exposure without authentication. No public exploit identified at time of analysis.
Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Remote code execution in galaxy_ng's legacy role import API (v1) allows an authenticated user controlling a git repository to execute arbitrary commands on the pulp worker by crafting a branch or tag name containing shell metacharacters. The flaw stems from unsanitized git ref interpolation into a subprocess.run() call with shell=True inside do_git_checkout(), and only affects deployments where GALAXY_ENABLE_LEGACY_ROLES is explicitly enabled (non-default). No public exploit identified at time of analysis.
Command injection in Turck TBEN-LL-SE-M2, TBEN-L4-SE-M2, and TBEN-L5-SE-M2 Managed Ethernet Switches allows an authenticated low-privileged remote attacker to achieve full system compromise by injecting shell metacharacters into a name parameter. The flaw, reported by CERT@VDE, carries a CVSS 8.8 rating with no public exploit identified at time of analysis and is not currently listed in CISA KEV.
OS command injection in the SSH Elevate Shell feature of Devolutions Remote Desktop Manager up to 2026.2.7 lets an authenticated user who can create or modify a shared SSH entry execute arbitrary commands on remote SSH hosts by smuggling shell metacharacters through a crafted alternate username, abusing stored elevation credentials they would not otherwise possess. No public exploit identified at time of analysis and EPSS is low (0.16%, 5th percentile), but the privilege-escalation angle - turning shared-entry write access into code execution under another user's sudo/elevation context - makes this attractive for insider or post-compromise abuse.
OS command injection in BrowserStack's browserstack-cypress-cli versions prior to 1.36.6 allows attackers who control the cypress_config_filepath value to execute arbitrary shell commands in the context of the user running the CLI. The vulnerable loadJsFile() function in readCypressConfigUtil.js interpolated the path into a shell command executed via child_process.execSync(), letting embedded quote and semicolon characters break out of the quoted argument. No public exploit identified at time of analysis, though the upstream commit and added negative tests effectively document the exact payload pattern.
OS command injection in Fortra BoKS Manager (Core Privileged Access Manager) lets a malicious or already-compromised legacy tar-installed client execute arbitrary commands on the central BoKS Master when that client is selected for upgrade or patching. The flaw sits in the client version-handling logic of the legacy tar-based upgrade/patch tooling, turning a single rogue managed endpoint into a foothold on the security control plane. It is not in CISA KEV and no public exploit is identified at time of analysis; EPSS is low at 0.57% (43rd percentile), and CISA SSVC records exploitation as 'none' though technical impact as 'total'.
Remote unauthenticated command injection in Fortra's Core Privileged Access Manager (BoKS) allows network-adjacent attackers to execute arbitrary OS commands with the privileges of the boks_autoregisterd service. The flaw resides in autoregistration processing and carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating, though no public exploit identified at time of analysis. Because BoKS is a privileged access management product, successful exploitation can directly undermine the security control plane intended to protect enterprise privileged accounts.
Command injection in the Yealink SIP-T46U IP phone firmware 108.86.0.118 enables authenticated, adjacent-network attackers to execute arbitrary operating system commands by manipulating the `ip` or `port` arguments submitted to the `/api/inner/tftpuploadiperf` Web FastCGI endpoint. Publicly available exploit code exists, and Yealink did not respond to responsible disclosure, meaning no vendor-released patch has been identified at time of analysis. No KEV listing confirms active exploitation, but the combination of a public proof-of-concept, an absent vendor response, and a default-enabled attack surface on widely deployed enterprise VoIP phones elevates practical risk beyond the moderate CVSS 4.0 score of 5.1.
Command injection in Yealink SIP-T46U firmware 108.86.0.118 enables remote authenticated attackers to execute arbitrary OS commands via the unsanitized `Time` argument passed to the `mod_diagnose.CommandShellByType` function at the `/api/diagnosis/start` diagnostic endpoint. The exploit leverages the Web FastCGI Service's failure to neutralize shell metacharacters before invoking underlying system commands, consistent with CWE-77. A public proof-of-concept exploit archive is confirmed available, no CISA KEV listing exists at time of analysis, and the vendor did not respond to disclosure - leaving the vulnerability unpatched.
Authenticated command injection in kanishka-linux Reminiscence v0.3.0 lets remote attackers execute arbitrary OS commands by submitting crafted input to the /manage/features/media endpoint. The flaw maps to CWE-78 with CVSS 8.1 (PR:L), and publicly available exploit code exists in a referenced gist; EPSS is modest at 0.66% (47th percentile) and the issue is not on CISA KEV.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_dial_call via the dialNumber parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.
Arbitrary code execution in OpenCPN v5.12.0 allows local authenticated users to run shell commands by embedding shell metacharacters in input passed to the wxExecute() function. CVSS 3.1 rates it 7.8 (High) with local attack vector and low privileges required, and SSVC assesses technical impact as total but with no observed exploitation. No public exploit identified at time of analysis beyond a researcher write-up referenced in the advisory.
Remote code execution in kanishka-linux Reminiscence v0.3.0 allows unauthenticated attackers to execute arbitrary OS commands by supplying crafted input to the media archiving and export pipeline component. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact to confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS sits at 0.67% (47th percentile) indicating limited observed exploitation pressure so far.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the ims_apn parameter.
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter.
Command injection in the Ruijie EG105G-P 2.340 gateway router allows authenticated remote attackers to execute arbitrary OS commands by manipulating the params.target argument of the nslookup function in the /cgi-bin/luci/api/diagnose JSON-RPC endpoint. Publicly available exploit code exists, the vendor did not respond to coordinated disclosure, and successful exploitation yields full confidentiality, integrity, and availability impact on the device.
Command injection in the GL.iNet GL-MT3000 travel router's Online Firmware Upgrade Handler (/usr/bin/one_click_upgrade) allows authenticated remote attackers to execute arbitrary OS commands on devices running firmware up to 4.4.5. Publicly available exploit code exists on GitHub, and the issue is fixed in firmware 4.7 (with 4.8.1 currently published by the vendor). No CISA KEV listing has been confirmed, but the combination of a published PoC and an internet-exposable management interface raises the practical risk above the headline CVSS score.
Authenticated command injection in the GL.iNet GL-MT3000 travel router (firmware up to 4.4.5) lets remote attackers with low-privileged access execute arbitrary OS commands via the replace_country function in the Tor Proxy Service configuration handler. Publicly available exploit code exists for the flaw, and the vendor has shipped a fix; no public exploit identified at time of analysis as actively exploited in the wild.
OS command injection and arbitrary file truncation in the Perl module Config::IniFiles before 3.001000 occurs because _make_filehandle uses Perl's 2-argument open() on the -file argument, letting filenames prefixed/suffixed with shell metacharacters ('| cmd', 'cmd |', '> path', '>> path') execute commands or overwrite files under the process UID. Any application passing untrusted input to new(-file => ...) or ReadConfig is exposed. EPSS is low (~0.26%) and SSVC reports no observed exploitation, but an upstream patch and a public regression test demonstrate the issue clearly.
Authenticated command injection in File Browser (github.com/filebrowser/filebrowser/v2 before 2.33.8) lets any user holding Execute permission bypass the command allowlist when a shell interpreter such as /bin/sh -c is configured. Because the allowlist validates only the first token while the full raw string is passed to the shell, an attacker chains arbitrary OS commands after a permitted one using metacharacters (;, |, backticks, $()), executing them at the server process privilege - root in the default Docker image. A detailed working PoC is published in the GHSA advisory; EPSS is very low (0.02%, 7th percentile) and the vulnerable Command Execution feature is disabled by default from 2.33.8 onward, including for upgraded existing installations.
Command injection in OpenClaw before 2026.5.18 allows authenticated attackers to modify shell wrapper argv between approval and execution, bypassing the allowlist enforcement. The TOCTOU-style race against the approval gate lets attackers execute unapproved command shapes with the application's privileges, with no public exploit identified at time of analysis but a vendor advisory published via GHSA.
Command injection in Kitty cross-platform GPU terminal emulator versions prior to 0.47.0 allows remote attackers to execute arbitrary shell commands on a victim's host by sending a crafted escape sequence over an attacker-controlled network connection. The terminal echoes its own error message - including attacker-controlled bytes - back to the shell with CRLF, causing the shell to execute the injected command. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OS command injection in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (iVEC TANK-XM811) allows privileged remote attackers to inject and execute arbitrary operating system commands on the affected device. The flaw was disclosed via Taiwan's TWCERT and carries a CVSS 4.0 base score of 8.6, with no public exploit identified at time of analysis. Because exploitation requires high privileges, the issue represents a post-authentication path to full device compromise rather than an unauthenticated remote takeover.
Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitrary OS commands on UniFi gateways, controllers, NVRs, and NAS devices, with a CVSS 9.9 score reflecting scope change and full CIA impact. The vulnerability affects a broad device family including UDM, UDM Pro/SE/Max/Beast, UDR, UDW, UCG, UNVR, and UNAS lines per Ubiquiti Security Advisory Bulletin 065. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Command injection in Ubiquiti UID Enterprise Agent allows a low-privileged attacker with network access to execute arbitrary commands on the host device by abusing improper input validation. The CVSS 9.9 score reflects a scope change with high confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Defenders should treat this as a high-priority patch item given the low attack complexity and minimal privilege requirement.
Remote command injection in ClipBucket v5 prior to version 5.5.3 - #140 allows authenticated users to execute arbitrary OS commands by submitting a crafted URL through the Remote Play video import feature. The URL is concatenated unescaped into shell commands, so any metacharacter is interpreted by the shell, yielding code execution as the web server user. No public exploit identified at time of analysis, but the vendor-confirmed advisory and trivial exploitation pattern make this a high-priority issue for any internet-exposed deployment.
Authenticated command injection in CyberArk Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6 allows low-privileged users to execute arbitrary OS commands on the PSMP host. Because PSMP brokers privileged SSH sessions to downstream targets, code execution on this host can pivot an attacker from a constrained PAM user into the operator of the privileged-access tier. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 4.0 base score of 8.7 reflects high confidentiality and integrity impact on the vulnerable system.
Command injection in KanaDojo's GitHub Actions release workflow (release.yml) allows attackers who can land a pull request to execute arbitrary commands on the repository's CI runner. The version and changes fields of patchNotesData.json are interpolated unsanitized into a child_process.execSync() call, granting any merged malicious PR access to GITHUB_TOKEN and contents:write permissions. No public exploit identified at time of analysis, but the supply-chain blast radius is significant for downstream KanaDojo consumers.
OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes by embedding shell metacharacters in a joiner node's name, which the server passes unsanitized to the script defined in wsrep_notify_cmd. Affected branches are 10.6.1–10.6.26, 10.11.1–10.11.17, 11.4.1–11.4.11, 11.8.1–11.8.7, and 12.3.1, but only when wsrep_notify_cmd is configured. It carries a vendor CVSS of 9.8; however EPSS is very low (0.05%, 15th percentile) and SSVC marks exploitation as 'none', so there is no public exploit identified at time of analysis and it is not on CISA KEV.
Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrictions and execute arbitrary OS commands as root via the CLI or Web UI. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series); Cloud NGFW and Prisma Access are explicitly excluded per the vendor advisory. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.1 accurately reflects the significant mitigating factor of requiring high-privilege administrative access before exploitation is possible.
Root command injection in dracut's legacy DHCP path allows adjacent-network attackers to execute arbitrary commands inside the initramfs by sending crafted DHCP options (e.g., malicious hostname) that are written unescaped into temporary shell scripts. The flaw affects Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4, granting full system compromise during early boot. No public exploit identified at time of analysis, and EPSS is low (0.16%, 36th percentile), but SSVC rates technical impact as total.
Malicious MCP server configuration injection via pull requests enables remote code execution on GitHub Actions runners running anthropics/claude-code-action versions prior to 1.0.74. The action's combination of checking out attacker-controlled PR head branches, reading `.mcp.json` from the working directory by default, and unconditionally enabling all discovered project MCP servers creates a poisoned pipeline execution path - an attacker who can open a PR can plant a malicious `.mcp.json` that executes arbitrary commands once a privileged user or automated trigger invokes the Claude action against that PR. Successful exploitation results in full secret exfiltration from the workflow environment, including API keys and tokens accessible to the runner. No public exploit identified at time of analysis; the fix was disclosed via GitHub Security Advisory GHSA-8q5r-mmjf-575q and patched in version 1.0.74.
OS command injection in the NodejsFunction local bundling pipeline of aws-cdk-lib prior to 2.245.0 (2.246.0 on Windows) allows an actor controlling bundling property values (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via shell metacharacter injection. The flaw, reported by Amazon and tracked under GHSA-999r-qq7v-r334, affects developer and CI/CD machines synthesizing CDK applications. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OS command injection in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers allows an authenticated attacker on an adjacent network to execute arbitrary commands by uploading a malicious VPN client configuration file. The flaw stems from improper sanitization of special characters during configuration import (CWE-78) and carries a CVSS 4.0 base score of 8.5. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but TP-Link has released firmware fixes for all affected models.
Authenticated command injection in Roxy-WI versions 8.2.6.4 and prior allows low-privileged users (role <= 3, 'user') to execute arbitrary OS commands by abusing the configver URL-path parameter on POST /config/versions/<service>/<server_ip>/<configver>/save, which flows unsanitized into an os.system() call wrapping dos2unix. No public exploit identified at time of analysis, but the GHSA advisory is published and no vendor patch exists, leaving exposed instances at immediate risk of full compromise of the management interface host.
Command injection in Ghidra versions before 12.1 on Windows allows attackers to execute arbitrary OS commands under the Ghidra user's privileges when a victim clicks a maliciously crafted URL embedded in a program comment annotation. The flaw stems from improper escaping of cmd.exe metacharacters in URL annotation handling, and exploitation requires user interaction (UI:A). No public exploit identified at time of analysis, though VulnCheck published a dedicated advisory alongside the NSA's GitHub security advisory.
Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows an attacker who already holds an administrator account to execute arbitrary OS commands on the appliance. The flaw carries a CVSS 4.0 score of 8.6, but the PR:H requirement substantially narrows the attacker population; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. QNAP has shipped fixed builds (QTS 5.2.9.3492 build 20260507 and QuTS hero h5.2.9.3499 build 20260514).
Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows attackers with administrator credentials to execute arbitrary OS commands on the appliance. The flaw spans multiple QTS and QuTS hero release trains (5.2.x, 5.3.x, and 6.0.x) and has been patched by QNAP across all affected branches. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV, but the post-authentication code execution primitive is highly valuable for attackers who have already harvested admin credentials.
Authenticated command injection in QNAP QTS and QuTS hero allows a remote attacker holding administrator credentials to execute arbitrary OS commands on the NAS appliance. The CVSS 4.0 base score of 8.6 reflects high impact across confidentiality, integrity, and availability, though exploitation requires high privileges (PR:H). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; QNAP has released fixed builds across affected QTS and QuTS hero branches.
Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained administrator credentials to execute arbitrary OS commands on the appliance. Reported by QNAP itself and tracked as EUVD-2025-210099, the issue affects multiple branches across QTS 5.2.x and QuTS hero 5.2.x, 5.3.x, and 6.0.x and is fixed in builds dated 2026-02-06 through 2026-05-20. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().
Command injection in Ruby's net-imap gem allows arbitrary IMAP protocol command injection via the Net::IMAP#id and Net::IMAP#enable methods when untrusted input is passed as arguments. The #id method fails to prohibit CRLF sequences in ID field value strings (despite correctly quoting other specials), while #enable passes argument .to_s values verbatim without validating them as legal IMAP atoms. An attacker who can influence these inputs can terminate the current IMAP command and append arbitrary subsequent IMAP commands such as DELETE mailbox. Rated 'moderate' by the maintainer; no public exploit identified at time of analysis and no CISA KEV listing.
{0}` or `{0+}`, allowing a smuggled literal-continuation marker to reach the IMAP server and cause it to absorb the next client command - hanging the issuing thread and, in multi-threaded environments, also the thread that sent the follow-up command. Rated low severity by the maintainers; no public exploit identified at time of analysis, but any application passing untrusted input to the affected raw argument parameters is at risk.