Skip to main content

Command Injection

7742 CVEs technique

Monthly

CVE-2026-52750 HIGH PATCH This Week

Command injection in Ghidra versions before 12.1 on Windows allows attackers to execute arbitrary OS commands under the Ghidra user's privileges when a victim clicks a maliciously crafted URL embedded in a program comment annotation. The flaw stems from improper escaping of cmd.exe metacharacters in URL annotation handling, and exploitation requires user interaction (UI:A). No public exploit identified at time of analysis, though VulnCheck published a dedicated advisory alongside the NSA's GitHub security advisory.

Command Injection Microsoft Ghidra
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-24719 MEDIUM PATCH This Month

Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows an attacker who already holds an administrator account to execute arbitrary OS commands on the appliance. The flaw carries a CVSS 4.0 score of 8.6, but the PR:H requirement substantially narrows the attacker population; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. QNAP has shipped fixed builds (QTS 5.2.9.3492 build 20260507 and QuTS hero h5.2.9.3499 build 20260514).

Qnap Command Injection Qts Quts Hero
NVD VulDB
CVSS 4.0
6.1
EPSS
0.5%
CVE-2026-22893 HIGH PATCH This Week

Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows attackers with administrator credentials to execute arbitrary OS commands on the appliance. The flaw spans multiple QTS and QuTS hero release trains (5.2.x, 5.3.x, and 6.0.x) and has been patched by QNAP across all affected branches. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV, but the post-authentication code execution primitive is highly valuable for attackers who have already harvested admin credentials.

Qnap Command Injection Qts Quts Hero
NVD VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2025-66279 HIGH PATCH This Week

Authenticated command injection in QNAP QTS and QuTS hero allows a remote attacker holding administrator credentials to execute arbitrary OS commands on the NAS appliance. The CVSS 4.0 base score of 8.6 reflects high impact across confidentiality, integrity, and availability, though exploitation requires high privileges (PR:H). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; QNAP has released fixed builds across affected QTS and QuTS hero branches.

Qnap Command Injection Qts Quts Hero
NVD VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2025-66273 HIGH PATCH This Week

Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained administrator credentials to execute arbitrary OS commands on the appliance. Reported by QNAP itself and tracked as EUVD-2025-210099, the issue affects multiple branches across QTS 5.2.x and QuTS hero 5.2.x, 5.3.x, and 6.0.x and is fixed in builds dated 2026-02-06 through 2026-05-20. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Qnap Command Injection Qts Quts Hero
NVD VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-48030 PHP CRITICAL PATCH GHSA Act Now

Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().

PHP RCE CSRF Command Injection
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-47242 Ruby MEDIUM PATCH GHSA This Month

Command injection in Ruby's net-imap gem allows arbitrary IMAP protocol command injection via the Net::IMAP#id and Net::IMAP#enable methods when untrusted input is passed as arguments. The #id method fails to prohibit CRLF sequences in ID field value strings (despite correctly quoting other specials), while #enable passes argument .to_s values verbatim without validating them as legal IMAP atoms. An attacker who can influence these inputs can terminate the current IMAP command and append arbitrary subsequent IMAP commands such as DELETE mailbox. Rated 'moderate' by the maintainer; no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection
NVD GitHub VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-47241 Ruby LOW PATCH GHSA Monitor

{0}` or `{0+}`, allowing a smuggled literal-continuation marker to reach the IMAP server and cause it to absorb the next client command - hanging the issuing thread and, in multi-threaded environments, also the thread that sent the follow-up command. Rated low severity by the maintainers; no public exploit identified at time of analysis, but any application passing untrusted input to the affected raw argument parameters is at risk.

Denial Of Service Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-47240 Ruby MEDIUM PATCH GHSA This Month

CRLF command injection in Ruby's net-imap gem (CVE-2026-47240) enables attackers to inject arbitrary IMAP commands when applications pass unvalidated user-controlled input to raw data arguments of search, fetch, sort, and thread methods. Affected versions (>= 0.6.0 through 0.6.4, and <= 0.5.14) fail to verify that the connected IMAP server supports non-synchronizing literals before sending them, meaning servers without LITERAL+, LITERAL-, or IMAP4rev2 capability may interpret the malformed literal boundary as a pipelined command rather than closing the connection - allowing injected payloads such as DELETE mailbox to execute. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the advisory is rated moderate severity by the upstream maintainers and patches are available.

Command Injection
NVD GitHub VulDB
CVSS 4.0
5.8
EPSS
0.2%
CVE-2026-49959 HIGH PATCH This Week

Remote code execution in Hermes WebUI versions prior to 0.51.311 allows authenticated attackers to run arbitrary host commands by planting malicious Git configuration in a workspace repository's .git/config file. The Python backend in api/workspace_git.py invokes Git subprocesses (status, fetch) without hardening, so repo-local directives like core.fsmonitor, protocol.ext.allow, credential.helper, core.askPass, core.gitProxy, or inherited GIT_SSH_COMMAND turn read-only operations into command execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the vendor advisory and a VulnCheck disclosure (assigned via disclosure@vulncheck.com) confirm the bug and the corresponding fix.

RCE Command Injection
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-38615 CRITICAL Act Now

DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.

PHP Command Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-10727 HIGH This Week

Command injection in Ivanti Endpoint Manager Mobile (EPMM) versions prior to 12.9.0.1, 12.8.0.3, and 12.7.0.2 enables an authenticated administrator with high privileges to execute arbitrary OS commands as root on the underlying server. No public exploit identified at time of analysis, and the issue is not currently listed on the CISA KEV catalog, but Ivanti EPMM has a history of being a high-value target for nation-state actors which elevates real-world urgency. The high-privilege precondition limits opportunistic abuse but the root-level outcome makes this a credible privilege-escalation and lateral-movement vector.

Ivanti Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-25089 CRITICAL POC KEV THREAT NEWS Emergency

Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. Because FortiSandbox is a security-analysis appliance handling untrusted samples, compromise undermines the integrity of malware verdicts and downstream detections.

Fortinet Command Injection Fortisandbox Fortisandbox Cloud Fortisandbox Paas
NVD VulDB
CVSS 3.1
9.8
EPSS
2.0%
Threat
5.0
CVE-2026-10520 CRITICAL POC KEV THREAT NEWS Emergency

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to achieve root-level command execution via OS command injection. With a maximum CVSS score of 10.0 and a network-accessible, no-interaction attack vector, this represents a critical exposure for any internet-facing Sentry appliance, though no public exploit has been identified at time of analysis.

RCE Ivanti Command Injection Sentry
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.2%
Threat
6.0
CVE-2026-9279 HIGH This Week

Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.

XSS RCE Command Injection Logseq
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-46746 HIGH CISA This Week

Authenticated command injection in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 allows remote attackers to execute arbitrary OS commands as the sinecins service account by submitting crafted directory names to the /api/sftp/uploadFiles endpoint. The injected payloads are stored and triggered later when directory listings are retrieved, producing a stored/second-order command injection. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects high impact across confidentiality, integrity, and availability of the underlying host.

Command Injection Sinec Ins
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-11572 HIGH PATCH This Week

Command injection in the npm package degit (versions before 2.8.6 and 3.0.0 through 3.3.0) lets a remote attacker run arbitrary OS commands on a victim's host when the victim is induced to run degit against a maliciously crafted repository name. The flaw stems from unsanitised user input being concatenated into shell strings inside _cloneWithGit() and fetchRefs(); publicly available exploit code exists (a PoC gist is linked from the NVD references and CVSS reports E:P), but the issue is not in CISA KEV.

Command Injection
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-47252 Go CRITICAL PATCH GHSA Act Now

Code injection in the anyquery chrome_tabs plugin (and Brave/Edge/Safari variants) on macOS allows an authenticated SQL client to break out of an AppleScript URL property record and execute arbitrary `osascript` commands, including `do shell script` for OS-level command execution. The flaw affects anyquery 0.4.4 (commit 0abd460) and stems from unescaped string interpolation at plugins/chrome/tabs.go:141 and :169. Publicly available exploit code exists in the GHSA advisory (GHSA-hrj8-hjv8-mgwc), though no public exploit identified at time of analysis in mass-exploitation feeds and KEV does not list it.

Command Injection Code Injection Google RCE Apple +2
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-40519 HIGH PATCH This Week

Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.

RCE Nginx Command Injection Nginx Proxy Manager
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-10544 MEDIUM This Month

Command injection (CWE-78) in Devolutions Server's built-in PAM provider password rotation templates allows an attacker with vault write access to execute arbitrary OS commands on systems managed by the affected PAM provider. Affected versions include 2026.2.4.0 and all releases at or below 2026.1.20.0, reported directly by the vendor Devolutions. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the high-value nature of a PAM platform managing privileged credentials on downstream systems means the practical blast radius substantially exceeds what the CVSS C:L/I:L scores suggest.

Hashicorp Command Injection Server
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11556 HIGH POC This Week

OS command injection in Tenda F451 routers (firmware 1.0.0.7 and 1.0.0.9) allows remote attackers with low-privileged web management access to execute arbitrary operating system commands by manipulating the 'mac' parameter sent to the /goform/WriteFacMac endpoint handled by the formWriteFacMac function. Publicly available exploit code exists, raising the practical risk for any device exposing the web management interface to untrusted networks. The flaw is rated CVSS 4.0 base 7.4 with high confidentiality, integrity, and availability impact on the device itself.

Tenda Command Injection
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-8913 HIGH PATCH This Week

Authenticated command injection in the TP-Link Archer MR600 v5 router allows administrators on the adjacent network to execute arbitrary OS commands via the WireGuard client configuration in the web management interface. The flaw stems from improper neutralization of user-controlled input when configuration changes are applied, enabling full device compromise. No public exploit identified at time of analysis, but TP-Link has released a firmware patch.

Command Injection Archer Mr600 V5
NVD
CVSS 4.0
8.5
EPSS
0.4%
CVE-2026-25855 HIGH POC This Week

Remote code execution in OpenBullet2 through 0.3.2 allows authenticated users to execute arbitrary OS commands by abusing the FileProxySource proxy loading feature to upload malicious .bat, .ps1, or .sh script files that the server then executes and returns output as proxy lines. Publicly available exploit code exists per the VulnCheck advisory and a HackerNoon writeup, and the issue carries a CVSS 8.8 (High) with low attack complexity and only low-privilege authentication required. No public exploit identified in CISA KEV at time of analysis, but the combination of a documented technique and trivial exploitation path elevates near-term abuse risk.

RCE Command Injection Openbullet2
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-11487 LOW POC PATCH Monitor

Command injection in Neovim up to version 0.12.2 allows a local attacker with low privileges to execute arbitrary Vim commands by crafting a file with a malicious name containing pipe (`|`) or other Vim Ex command separators. The vulnerable code path is the `M.read` function in `runtime/lua/vim/secure.lua`, which concatenates an unsanitized file path directly into a `vim.cmd('sview ...')` call when a user selects the 'View' action in Neovim's security trust prompt. This CVE is not listed in CISA KEV, indicating no confirmed widespread active exploitation; however, a publicly available proof-of-concept exploit exists (GitHub issue #39914) and an official patch has been released (commit f83e0dcaf8cf18de94828341b0a1a61a86c75baf via PR #39918).

Command Injection Neovim
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.2%
CVE-2026-11455 LOW POC Monitor

Command injection in FoundationAgents MetaGPT through version 0.8.2 allows a remote, low-privileged attacker to execute arbitrary OS commands by manipulating the mermaid.path configuration argument passed to the check_cmd_exists function in metagpt/utils/common.py. A publicly available proof-of-concept (documented on Notion) demonstrates exploitation; however, this is not listed in CISA KEV and the CVSS vector assigns high attack complexity (AC:H), tempering real-world exploitability. The vendor project has not responded to the responsible disclosure filed via GitHub issue #2037, and no patched release is available at time of analysis.

Command Injection Metagpt
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.6%
CVE-2026-11452 MEDIUM This Month

Command injection in GL.iNet GL-MT3000 routers running firmware up to 4.4.5 allows remote attackers to inject shell commands through the Password argument of the SET_USER_PWD handler in /cgi-bin/glc (function FUN_0042e200). The flaw is network-reachable with low complexity, but no public exploit is identified at time of analysis and the vendor disputes practical exploitability, stating that single-quote escaping in the shell context blocks the reported $() and backtick payloads.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.8%
CVE-2026-11451 MEDIUM This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows remote attackers to inject shell commands via the media_dir parameter handled by the snprintf call in /cgi-bin/glc's FTP protocol handler. The CVSS vector indicates network-reachable, unauthenticated exploitation with low complexity, and publicly available exploit code exists on GitHub (StrTzz123/iot_vul). The vendor has issued firmware 4.8.1 and disputes reproducibility on the patched build, stating that escape_single_quote() now sanitizes the input before it reaches the FTP configuration write path.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
1.0%
CVE-2026-11450 MEDIUM This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows remote attackers to execute arbitrary OS commands by manipulating the dev_name argument passed to the dlopen function in the /usr/lib/oui-httpd/rpc/ Path Normalization Handler, reachable via the nas-web.eject_disk RPC method. Publicly available exploit code exists on GitHub demonstrating the chain. No CISA KEV listing and EPSS data was not provided, but the network-reachable, no-authentication CVSS vector combined with public PoC makes this a meaningful risk for exposed devices.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
1.0%
CVE-2026-11449 MEDIUM PATCH This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows a remote, low-privileged attacker to execute arbitrary OS commands via the `rpc_sys` function exposed through the LuCI JSON-RPC interface at `/cgi-bin/luci/rpc`. The vendor has confirmed the vulnerability and released a fix in firmware 4.8.1; critically, versions after 4.7.13 no longer install LuCI by default, eliminating the attack surface for most current deployments. Publicly available exploit code exists in a GitHub repository, though no active exploitation has been confirmed by CISA KEV.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.7%
CVE-2026-11448 MEDIUM This Month

Remote command injection in GL.iNet GL-MT3000 firmware versions up to 4.4.5 enables a network-reachable, high-privilege attacker to execute arbitrary OS commands through the Minidlna service's /rpc endpoint by manipulating the kube.set argument of the realpath function. The vendor has confirmed the vulnerability and released a fix in firmware version 4.7, citing SDK-level global sanitization as the remediation. Publicly available exploit code exists in a GitHub proof-of-concept repository (StrTzz123/iot_vul), though no active exploitation has been confirmed by CISA KEV at time of analysis.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-11447 LOW POC Monitor

Command injection in GL.iNet GL-MT3000 router firmware (versions up to 4.4.5) allows a low-privileged remote attacker to execute arbitrary OS commands by manipulating the 'device' argument passed to the iwinfo_backend function in iwinfo.so. A public proof-of-concept exploit is available on GitHub, raising the realistic likelihood of opportunistic abuse. The vendor has confirmed the issue and released firmware 4.7 with a global injection interception protection in the SDK.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.9%
CVE-2026-11408 LOW POC PATCH Monitor

OS command injection in vertex-app vertex (all versions through 2026.02.12) allows remote low-privileged authenticated users to execute arbitrary operating system commands via the Log Viewer Endpoint. The root cause is direct interpolation of the user-controlled `req.query.type` parameter into a shell-executed `execSync()` call in `app/model/LogMod.js`, enabling shell metacharacter injection without any sanitization or allowlist validation. A publicly available proof-of-concept exists on GitHub Gist and Google Drive; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV), but the CVSS temporal score includes E:P (proof-of-concept) and RC:C (confirmed), elevating real-world urgency.

Command Injection Vertex
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.9%
CVE-2026-11406 LOW POC PATCH Monitor

Command injection in GL.iNet MT3000 routers running firmware up to version 4.4.5 allows authenticated remote attackers to execute arbitrary OS commands by supplying a crafted OpenVPN configuration file through the device's OpenVPN Client Import Workflow. The shell script ovpnclient.sh processes imported .ovpn files without adequately sanitizing user-controlled content, enabling embedded shell metacharacters or directives to execute at the OS level. A public proof-of-concept exploit is available on GitHub; an official vendor-released patch exists in beta firmware, and no public exploit identified at time of analysis has been confirmed by CISA KEV as actively exploited in the wild.

Command Injection Mt3000
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.7%
CVE-2026-45777 CRITICAL PATCH Act Now

Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitrary system commands on the web server with the privileges of the web server process. The flaw carries a CVSS 4.0 score of 9.3 and was privately reported on 2026-04-06; no public exploit identified at time of analysis, and there is no evidence of in-the-wild exploitation per the vendor advisory. A fix is available in Open XDMoD 11.0.3, released 2026-05-12.

Command Injection Open Xdmod
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-25623 HIGH This Week

Authenticated command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) allows administrators with existing access to the browser management pipeline to break out and execute arbitrary terminal/shell script code on the underlying appliance OS. The flaw stems from insufficient input validation (CWE-78) within management-plane functionality and carries a CVSS 4.0 score of 7.0 with no public exploit identified at time of analysis. Because exploitation requires high-privileged authentication, the issue is a privilege-boundary breach rather than an unauthenticated remote takeover.

Command Injection Ng Firewall
NVD
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-25622 HIGH This Week

Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) Captive Portal Custom Handler allows administrators authenticated to the management UI to execute arbitrary shell commands on the underlying platform. The CVSS 4.0 score of 7.0 reflects high privilege requirements (PR:H) offset by network reach and high confidentiality impact, with no public exploit identified at time of analysis.

Command Injection Ng Firewall
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-25621 HIGH This Week

Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) version 17.4.0 allows high-privileged authenticated attackers to abuse insecure input validation in the Reports application to execute OS commands on the appliance. The flaw uniquely affects 17.4.0, with earlier releases unaffected, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.0 with confidentiality high and integrity/availability low, reflecting a scope-changing impact constrained by the high privileges required.

Command Injection Ng Firewall
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-25620 HIGH This Week

Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) version 17.4.0 allows authenticated high-privileged remote attackers to inject OS commands through the Captive Portal application framework via encrypted password handling. The flaw is unique to release 17.4.0 with earlier versions unaffected, and no public exploit identified at time of analysis. CVSS 4.0 base score of 7.0 reflects high attacker privilege requirement balanced against high confidentiality impact on the firewall appliance.

Command Injection Ng Firewall
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-46394 HIGH PATCH This Week

OS command injection in HAX CMS (haxtheweb/haxcms-php) prior to version 26.0.0 allows authenticated remote attackers to execute arbitrary commands as the web server user via Git operations in the PHP backend. The Git.php library passes unsanitized input into proc_open() across 16 of 17 shell-invoking functions, with only commit() correctly using escapeshellarg(). No public exploit identified at time of analysis, though the vendor advisory describes a clear chain to full RCE when combined with configuration manipulation.

PHP RCE Command Injection
NVD GitHub
CVSS 4.0
7.7
EPSS
0.9%
CVE-2026-45750 CRITICAL PATCH Act Now

Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitrary shell commands on remote SSH-managed hosts via the File Manager's resolvePath endpoint. The flaw stems from incomplete shell escaping that only handles double quotes while leaving command substitution syntax interpretable. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-v26q-rpv5-9m72) and CVSS 9.0 rating signal high impact across confidentiality, integrity, and availability of downstream SSH targets.

Command Injection Termix
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-45748 CRITICAL PATCH Act Now

OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated attackers to execute arbitrary commands on the source SSH host via the POST /ssh/tunnel/connect endpoint. The flaw stems from user-controlled host record fields being interpolated directly into shell commands without escaping, yielding persistent code execution. No public exploit identified at time of analysis, but a vendor-released patch is available in version 2.3.2.

Command Injection Termix
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-45744 CRITICAL PATCH Act Now

Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticated user with an active File Manager SSH session to execute arbitrary OS commands on the connected remote host via the GET /ssh/file_manager/ssh/resolvePath endpoint. The vulnerability stems from improper shell escaping that fails to neutralize $(...) and backtick command substitution, yielding a CVSS 9.9 critical rating with scope change. No public exploit identified at time of analysis, but the vendor advisory (GHSA-37f4-wq95-pg33) provides sufficient technical detail to develop one trivially.

Command Injection Termix
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-49492 HIGH PATCH This Week

Remote code execution in Markdown Preview Enhanced before 0.8.28 on Windows allows attackers to inject OS commands through crafted markdown documents that abuse the diagram filename attribute, imported file paths, or the latex_engine code-chunk attribute, all of which were passed through a shell without validation. Exploitation requires the victim to preview the malicious document (UI:A), and no public exploit identified at time of analysis, though VulnCheck-published advisory details and a tagged fix release make weaponization straightforward.

Microsoft Command Injection
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-11341 LOW POC Monitor

OS command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows authenticated remote attackers to execute arbitrary shell commands on the device via the IMEI_value parameter of the /boafrm/formIMEISetup endpoint. The vulnerable function sub_412DA0 fails to sanitize attacker-controlled input before passing it to an OS-level command, granting low-privilege network access sufficient to achieve code execution with the confidence of a partial proof-of-concept. A publicly available exploit has been disclosed on GitHub, elevating practical risk beyond the CVSS 6.3 score alone.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-47670 npm CRITICAL POC PATCH GHSA Act Now

Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.

Python Privilege Escalation Command Injection RCE Docker
NVD GitHub
EPSS
0.3%
CVE-2026-11339 LOW POC Monitor

Command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows remote authenticated attackers to execute arbitrary OS commands via the `ussdValue` parameter of the `/boafrm/formUSSDSetup` endpoint, processed by the vulnerable `sub_41CF20` function without input sanitization. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms remote, low-complexity exploitation requiring only low-privilege credentials - a realistic threshold on consumer routers commonly deployed with default or weak passwords. A public proof-of-concept exploit is available on GitHub, materially elevating practical risk above what the moderate CVSS score of 6.3 suggests; no public exploit identified at time of analysis maps to confirmed active exploitation (not in CISA KEV).

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-50265 HIGH This Week

Local privilege escalation in libinput affects Red Hat Enterprise Linux 7, 8, 9, and 10 by allowing a local attacker with access to /dev/uinput to inject arbitrary udev properties via the libinput-device-group helper. Exploitation can result in root code execution through abuse of udev REMOVE_CMD properties that are run when a device is removed, mapping to CWE-78 (OS Command Injection). No public exploit identified at time of analysis, but the issue is vendor-confirmed by Red Hat.

RCE Command Injection Suse
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-8914 HIGH This Week

Privilege escalation via eval-based command injection in Teltonika Networks RUTOS (7.22-7.23.2) and TSWOS (1.09-1.09.1) allows an authenticated lower-privileged operator to execute arbitrary commands as root through the rpc-profile component. The flaw stems from unsafe evaluation of user-controllable input in a Lua/UCI RPC handler and is constrained to local/management-plane access, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.4 reflects total host compromise once a low-tier admin account is obtained on the device.

Code Injection Command Injection Rutos Tswos
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-21837 HIGH This Week

OS command injection in HCL Digital Experience 9.5 allows authenticated remote attackers to execute arbitrary operating system commands through the Digital Asset Management API, inheriting the privileges of the application service account and potentially achieving full host takeover and data compromise. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact over a network vector with low attack complexity and only low privileges required, though no public exploit identified at time of analysis. The vulnerability was disclosed by the vendor (HCL) and is tracked in ENISA's EUVD as EUVD-2026-34786.

Command Injection Digital Experience
NVD VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-10878 LOW POC Monitor

Command injection in D-Link DWR-M920 router firmware versions 1.1.50 and 1.1.70 allows a low-privileged, remote-authenticated attacker to inject OS commands via the action_value parameter in the SMS management endpoint /boafrm/formSmsManage. The vulnerability resides in the C function sub_41C8E8 and stems from unsanitized user input being passed directly to a command interpreter (CWE-77). A public proof-of-concept exploit is available on GitHub, lowering the bar for exploitation despite the absence of CISA KEV listing.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-20245 HIGH POC KEV THREAT NEWS Act Now

Local privilege escalation in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated netadmin user to execute arbitrary commands as root by uploading a crafted file through the CLI. Cisco has observed limited real-world exploitation that resulted in unauthorized configuration changes being pushed to downstream edge devices, though the issue is not currently listed in CISA KEV and no public exploit code has been identified at time of analysis.

Command Injection Cisco
NVD VulDB GitHub
CVSS 3.1
7.8
EPSS
0.1%
Threat
4.6
CVE-2026-10873 HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 firmware allows authenticated remote attackers to execute arbitrary operating system commands by manipulating input to the rstats_path function within the /bin/rstats binary exposed via the Web UI. Publicly available exploit code exists per the Gitee advisory disclosed through VulDB, and the affected project is end-of-life - superseded by FreshTomato - meaning no upstream vendor patch is forthcoming. CVSS 4.0 base score is 7.3 with high privileges required but high confidentiality, integrity, and availability impact on the router.

Command Injection Tomato
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-10872 HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary operating system commands via the start_vpnserver function in /sbin/rc, reachable through the Web UI. Publicly available exploit code exists, and the project is end-of-life - superseded by FreshTomato - meaning no upstream patch is forthcoming. The CVSS 4.0 score of 7.3 reflects high impact on confidentiality, integrity, and availability, but high privileges are required to trigger the flaw.

Command Injection Tomato
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-45497 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Command injection in Microsoft 365 Copilot allows an authenticated attacker with low privileges to execute arbitrary code across a scope-changing trust boundary, leading to high confidentiality impact and limited integrity and availability impact. The flaw stems from improper neutralization of special elements (CWE-77) within the Copilot service and is rated CVSS 7.7 with high attack complexity. No public exploit identified at time of analysis, and the EPSS signal is not provided in the source intelligence.

Microsoft Command Injection
NVD VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-42824 HIGH POC PATCH NEWS NO ACTION HOSTED Monitor

Information disclosure in Microsoft 365 Copilot allows remote unauthenticated attackers to exfiltrate data via command injection (CWE-77) over the network. Microsoft reported the issue (CVE-2026-42824) with a CVSS 3.1 base score of 7.5 reflecting high confidentiality impact only, and publicly available exploit code exists though it is not listed in CISA KEV. EPSS is very low at 0.08% (24th percentile) and the CISA SSVC decision framework rates exploitation as 'none' and automatable as 'no', suggesting realistic exploitation is currently limited despite the POC.

Command Injection Microsoft 365 Copilot
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-10871 HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary shell commands by manipulating the ipv6_6rd_borderrelay argument processed by the start_6rd_tunnel function in /sbin/rc via the Web UI. Publicly available exploit code exists per VulDB disclosure, and the project is end-of-life - superseded by FreshTomato - meaning no upstream fix is expected.

Command Injection Tomato
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-47708 PyPI CRITICAL PATCH GHSA Act Now

Command injection in stata-mcp (MCP-for-Stata) versions prior to 1.17.3 allows attackers to execute arbitrary Stata commands - including the `shell` directive - by supplying a crafted `log_file_name` parameter to the `stata_do` MCP tool or CLI. The flaw bypasses the existing `GuardValidator` security control, which only inspects do-file content and never examines wrapper parameters, enabling remote code execution and arbitrary file writes via path traversal. Publicly available exploit code exists in the GHSA advisory PoC, though no public exploit identified at time of analysis indicates in-the-wild abuse.

Python RCE Path Traversal Command Injection
NVD GitHub
EPSS
0.6%
CVE-2026-10870 HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary operating system commands via the start_dhcpc function in /sbin/rc, reachable through the Web UI. Publicly available exploit code exists per the VulDB advisory. The project has been discontinued and superseded by FreshTomato, meaning no upstream fix from the original maintainer is expected.

Command Injection Tomato
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-10796 HIGH PATCH This Week

Command injection in nvm (Node Version Manager) versions through 0.40.4 allows attackers controlling the configured Node.js/io.js mirror to execute arbitrary shell commands as the user running nvm. Mirror-supplied version strings flow unsanitized into an `eval`'d curl/wget invocation in `nvm_download()` and into an awk program in `nvm_get_checksum()`, enabling injection via constructs like `$(id)`. No public exploit is identified at time of analysis, but the GitHub Security Advisory (GHSA-3c52-35h2-gfmm) and committed regression tests demonstrate the bug class, and CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) reflects that the default TLS-protected nodejs.org mirror is unaffected.

Node.js Command Injection
NVD GitHub
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-8037 CRITICAL POC Act Now

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF - allows remote attackers to execute arbitrary commands on the appliance by supplying unsanitized input to multiple command endpoints. The flaw carries a CVSS of 9.8 (pre-auth, network-reachable) and publicly available exploit code exists (a GitHub PoC and watchTowr Labs write-up), though EPSS remains low at 0.30% and CISA SSVC currently rates exploitation status as 'none'. Fixed builds (7.2.63.2 and 7.2.54.18) are available from Progress.

RCE Command Injection Loadmaster Ecs Connections Manager Object Scale Connection Manager +1
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-45431 HIGH This Week

Authenticated remote command injection in GX Earth ONT (Optical Network Terminal) devices allows attackers with valid web management credentials to execute arbitrary OS commands as root via multiple diagnostic functions in the device's web interface. The flaw, reported by CERT-In and tracked as CIVN-2026-0288, carries a CVSS 4.0 score of 8.7 (High) reflecting low attack complexity and high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

RCE Command Injection
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-3820 HIGH This Week

Command injection in the Supermicro AS-2115HS-TNR BMC's SMTP service allows an authenticated administrator to inject crafted characters into the SMTP configuration, causing the underlying system to execute unintended OS commands during process invocation. Successful exploitation can yield arbitrary code execution on the baseboard management controller, denial of service, or persistent compromise of the management plane. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

RCE Command Injection As 2115Hs Tnr
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-50206 HIGH This Week

Command injection in Acer Connect M6E 5G Portable WiFi Router allows authenticated adjacent-network attackers to execute arbitrary OS commands by submitting VPN network profile configuration files containing unsanitized special characters. The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the router, though exploitation requires high privileges and adjacent (not internet-facing) network access. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Command Injection Connect M6E 5G Portable Wifi Router
NVD VulDB
CVSS 4.0
8.5
EPSS
0.3%
CVE-2026-49190 CRITICAL Act Now

Command injection in the Acer Connect M6E 5G Portable WiFi Router allows authenticated remote attackers to install arbitrary applications or execute operating system commands by abusing internal operation codes (opcodes) whose permission checks are not properly enforced. The flaw carries a CVSS 4.0 score of 9.4 (Critical) due to network reach, low attack complexity, and scope-changing impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.

Command Injection Connect M6E 5G Portable Wifi Router
NVD VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-10805 MEDIUM PATCH This Month

Local privilege escalation in NetworkManager's dhclient backend allows a low-privileged local user to execute arbitrary OS commands with elevated privileges by supplying a crafted Manufacturer Usage Description (MUD) URL. Exploitation is strictly limited to systems where an administrator has explicitly reconfigured NetworkManager to use the dhclient backend - a non-default setting - meaning the vast majority of deployments are unaffected by design. CVSS 6.7 (local vector, high complexity, user interaction required) accurately reflects the constrained exploitation conditions; no public exploit code or CISA KEV listing exists at time of analysis.

Privilege Escalation Command Injection Red Hat Suse
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-49185 CRITICAL Act Now

Unauthenticated remote command injection in Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) allows attackers to inject OS commands via the FieldX MDM adb messaging topic, which forwards unverified payloads to Runtime.exec(). The CVSS 4.0 score of 10.0 with network attack vector and no authentication required indicates a critical, trivially exploitable flaw; no public exploit identified at time of analysis but the simplicity of the bug pattern makes weaponization straightforward.

Command Injection Connect M6E 5G Portable Wifi Router
NVD VulDB
CVSS 4.0
10.0
EPSS
0.0%
CVE-2026-41010 HIGH PATCH This Week

Command injection in Cloud Foundry BOSH Director (all versions prior to v282.1.12) allows an authenticated release uploader to achieve arbitrary OS command execution on the Director by embedding shell metacharacters in the jobs[].name field of a release.MF manifest inside an uploaded tarball. The unsafe value flows from ReleaseJob#unpack into a /bin/sh -c invocation via Bosh::Common::Exec.sh, so payloads such as $(...) or ; are interpreted by the shell during release unpacking. No public exploit identified at time of analysis; no CISA KEV listing, but the Cloud Foundry Foundation has published an advisory and a fixed release.

Command Injection Bosh Director
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41011 HIGH PATCH This Week

Command injection in Cloud Foundry BOSH versions prior to v282.1.12 allows an attacker who can upload a release tarball to execute arbitrary shell commands on the BOSH Director host by embedding shell metacharacters in the package name field of the release.MF manifest. The flaw stems from PackagePersister.validate_tgz interpolating the unsanitized name into a `tar -tf` invocation executed through `/bin/sh -c`, with model-level validation occurring only after the shell-out. No public exploit identified at time of analysis, and the bug is not listed in CISA KEV.

Command Injection Bosh
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-35906 CRITICAL Act Now

Unauthenticated remote command execution affects T3 Technology CPE routers (models T625Pro v1.0.07 and T6825G v1.0.03) through an undocumented debug CGI endpoint that processes attacker-supplied query strings as root-level shell commands. SSVC characterizes this as POC-available with total technical impact, and a public advisory has been published on GitHub, though it is not currently listed in CISA KEV.

Command Injection N A
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-67447 CRITICAL Act Now

OS command injection in the Neterbit NW-431F Router (firmware 20241014-IR03 and earlier) allows remote unauthenticated attackers to execute arbitrary commands via the ping diagnostic module's IP address field. With a CVSS of 9.8 and a low-complexity network attack vector, exploitation runs with web-server privileges and no public exploit has been identified at time of analysis, though a researcher-published reference on GitHub may contain technical details.

Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-69755 HIGH This Week

Remote code execution and information disclosure in Neterbit NW-431F routers (firmware vNW-431F-20241014-IR03) allow unauthenticated network attackers to compromise the device by sending a crafted command to the at_command.asp interface. The CVSS 8.2 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation against the router's web management interface, and no public exploit identified at time of analysis, though a researcher repository on GitHub may contain proof-of-concept material.

RCE Command Injection
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-36576 CRITICAL Act Now

Remote command execution in openlabs docker-wkhtmltopdf-aas (up to commit 9f50579) allows unauthenticated attackers to run arbitrary OS commands by sending a crafted POST request to the app.py PDF conversion endpoint. The CVSS 9.8 rating reflects network-reachable, no-privilege, no-interaction exploitation, and while no public exploit identified at time of analysis, the referenced source line (app.py#L40) makes the injection sink trivially discoverable for any attacker reviewing the repository.

Docker Command Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-10550 LOW POC Monitor

Command injection in elunez eladmin's Application Deployment Module (App.java) allows authenticated remote attackers with low privileges to execute arbitrary operating system commands by manipulating the `uploadPath` argument. All versions up to and including 2.7 are affected per the CPE record. A public proof-of-concept exploit exists (referenced via GitHub issue #899), though no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV). The vendor has not responded to the coordinated disclosure, leaving no official patch available.

Java Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.7%
CVE-2026-47294 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft SharePoint Server (2016 Enterprise, 2019, and Subscription Edition) allows an authenticated attacker to execute arbitrary code on the server by submitting crafted serialized data that triggers unsafe deserialization. The CVSS 8.0 vector requires low privileges and user interaction, and no public exploit is identified at time of analysis. The flaw is significant because SharePoint servers typically run with high privileges inside enterprise environments and frequently host sensitive collaboration data.

Microsoft Command Injection Deserialization Microsoft Sharepoint Enterprise Server 2016 Microsoft Sharepoint Server 2019 +1
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-10279 LOW POC Monitor

OS command injection in wezterm-mcp 0.1.0 allows a remotely authenticated attacker with low privileges to execute arbitrary shell commands by supplying a crafted pane_id argument to the switch_pane or write_to_specific_pane MCP tool handlers. The unsanitized parameter is passed directly to a shell invocation in src/wezterm_executor.ts, giving an MCP client - such as an AI assistant or automation pipeline - the ability to break out of intended terminal pane management and run arbitrary commands in the host user's context. Publicly available exploit code exists per a GitHub issue report; no patch has been released as the vendor has not responded to the disclosure.

Command Injection Wezterm Mcp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.7%
CVE-2024-52011 npm HIGH POC PATCH GHSA This Week

launch-editor allows users to open files with line numbers in editor from Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Microsoft Command Injection Launch Editor Vite
NVD GitHub
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-10273 MEDIUM POC PATCH This Month

OS command injection in PHP Censor through 2.1.6 allows remote attackers to execute arbitrary shell commands by submitting a crafted commitId value to the webhook endpoint handled by src/Model/Build/GitBuild.php. The unsanitized commitId (and branch name) is interpolated into shell command strings passed to git log and clone operations, and publicly available exploit code exists per VulDB. No CISA KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active in the wild.

Command Injection PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
1.0%
CVE-2026-10219 Go MEDIUM POC PATCH This Month

OS command injection in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers to execute arbitrary shell commands inside the sandbox container by supplying a crafted file path to the write_file tool. The flaw exists in FsBridge.WriteFile (internal/sandbox/fsbridge.go), which interpolated the destination path into a shell command (`sh -c "cat > <path>"`) executed via docker exec, letting shell metacharacters such as `$(...)` break out of the intended write operation. Publicly available exploit code exists and the upstream patch is still pending merge at the time of analysis, raising real-world risk despite a moderate 7.3 CVSS.

Command Injection Goclaw
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.8%
CVE-2026-10214 MEDIUM POC PATCH This Month

OS command injection in zhayujie chatgpt-on-wechat (also known as CowAgent) versions up to and including 2.0.8 allows remote attackers to execute arbitrary operating system commands by abusing the _get_safety_warning function within the Bash Tool component (agent/tools/bash/bash.py). Publicly available exploit code exists for this issue, increasing the likelihood of opportunistic abuse, though it is not currently listed in CISA KEV. The vendor has released version 2.0.9 (commit 16d9b449c9aa53ccee44144a762a2737d7ba4fc4) addressing the flaw.

Command Injection Chatgpt On Wechat
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.8%
CVE-2026-10182 LOW POC Monitor

Command injection in TRENDnet TEW-432BRP firmware 3.10B20 allows remote low-privileged attackers to execute arbitrary OS commands by manipulating the `enrollee` parameter in the `/goform/formWlanSetup` wireless configuration handler. The product reached end-of-life in 2009, and TRENDnet has formally and explicitly declined to issue a patch, leaving all deployed units permanently unpatched with no vendor remediation path. Publicly available exploit code exists on GitHub, materially lowering the exploitation barrier, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

Command Injection Tew 432Brp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.9%
CVE-2026-10180 LOW POC Monitor

Command injection in TRENDnet TEW-432BRP firmware 3.10B20 enables remote attackers with low-privilege credentials to execute arbitrary OS commands by injecting shell metacharacters into the sysCmd parameter of the /goform/formSysCmd endpoint. A public proof-of-concept exploit is available on GitHub, lowering the barrier to exploitation. The vendor has confirmed no patch will be released - the device has been end-of-life since 2009 - meaning any remaining deployed units are permanently unpatched.

Command Injection Tew 432Brp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
1.1%
CVE-2026-10166 LOW POC Monitor

Command injection in Edimax BR-6478AC firmware 1.23 allows a remotely authenticated attacker to execute arbitrary OS commands by manipulating the `rootAPmac` parameter in a POST request to the `/goform/formWlbasic` endpoint. The vulnerable function `formWlbasic` passes unsanitized input directly to a system-level command, a pattern common in consumer embedded router firmware. A public proof-of-concept exploit has been disclosed, lowering the technical bar for exploitation; no vendor-released patch has been identified at time of analysis.

Command Injection Br 6478Ac
NVD VulDB
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-10127 LOW POC Monitor

Authenticated command injection in Edimax BR-6478AC 1.23 firmware allows network-adjacent attackers with low-privilege credentials to execute arbitrary OS commands via the rootAPmac parameter in the formStaDrvSetup POST handler at /goform/formStaDrvSetup. The CVSS temporal vector confirms a public proof-of-concept (E:P) with reasonable confidence in the report (RC:R), while remediation level remains undefined (RL:X), indicating no vendor patch has been publicly acknowledged. No public exploit identified at time of analysis as confirmed actively exploited (CISA KEV), but publicly available exploit code exists, elevating practical risk for deployed devices.

Command Injection Br 6478Ac
NVD VulDB
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-47392 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in PraisonAI praisonaiagents <=1.6.39 and PraisonAI <=4.6.39 allows authenticated attackers to fully escape the execute_code() subprocess sandbox by leveraging print.__self__ to reach the real builtins module and reconstructing __import__ at runtime. The flaw defeats prior patches for CVE-2026-39888, CVE-2026-34938, and CVE-2026-40158, enabling arbitrary OS command execution on the host wherever agent input can be influenced via prompt injection or direct code submission. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-4mr5-g6f9-cfrh), and EPSS/KEV signals are not yet published for this newly disclosed novel bypass.

Command Injection Node.js RCE Python
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-49366 HIGH PATCH This Week

Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusing the filename completion feature when a developer interacts with a crafted filename. The flaw is locally exploitable with user interaction required and has high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Command Injection Intellij Idea
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45629 CRITICAL Act Now

Authenticated OS command injection in Dokploy 0.28.8 and earlier lets any organization member execute arbitrary system commands on remote servers managed by the PaaS via the /listen-deployment WebSocket endpoint, resulting in full server compromise. With a CVSS 9.9 (scope changed) and low-privilege precondition, the flaw effectively turns any low-tier org account into a foothold on every connected host. No public exploit identified at time of analysis, but the vendor security advisory (GHSA-r73h-qr3p-hf7f) confirms the issue.

Command Injection Dokploy
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-45663 CRITICAL Act Now

Command injection in Dokploy 0.29.1 and earlier allows authenticated users to execute arbitrary OS commands on the host by abusing the Docker file upload feature's unsanitized destinationPath parameter. The CVSS 9.9 score reflects scope change to the underlying host from a containerized context, and no public exploit identified at time of analysis though the GHSA advisory provides sufficient technical detail to reconstruct one.

Docker File Upload Command Injection
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-45662 HIGH This Week

Command injection in Dokploy 0.29.0 and earlier allows authenticated users to execute arbitrary OS commands on the host by deleting a Docker registry whose registryUrl contains shell metacharacters. The deleteRegistry function in packages/server/src/services/registry.ts passes registryUrl unescaped into docker logout, while the adjacent docker login call correctly uses shEscape() - making this a clear regression. No public exploit identified at time of analysis, but the root cause is documented in the vendor's GHSA advisory.

Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-45630 CRITICAL Act Now

Authenticated OS command injection in Dokploy 0.28.8 and earlier lets admin or owner users execute arbitrary shell commands on remote servers managed by the PaaS through the application.updateTraefikConfig tRPC endpoint. The flaw stems from unsanitized shell interpolation in an echo call, granting full command execution across any host the Dokploy controller manages. No public exploit identified at time of analysis, but the high-privilege admin context combined with cross-server reach makes this a meaningful post-compromise escalation path.

Command Injection Dokploy
NVD GitHub
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-45632 CRITICAL Act Now

Cross-tenant remote code execution in Dokploy 0.26.7 and earlier allows any authenticated user to hijack scheduled tasks belonging to other organizations and execute arbitrary scripts on the Dokploy host or managed remote servers. The schedule router fails to enforce organization and role authorization, so knowledge of a scheduleId/serverId is sufficient to create, modify, or trigger server-type schedules that run attacker-controlled shell commands. No public exploit identified at time of analysis, but the trivial authorization bypass combined with built-in script execution makes this a high-priority issue for multi-tenant Dokploy deployments.

Command Injection Dokploy
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Command injection in Ghidra versions before 12.1 on Windows allows attackers to execute arbitrary OS commands under the Ghidra user's privileges when a victim clicks a maliciously crafted URL embedded in a program comment annotation. The flaw stems from improper escaping of cmd.exe metacharacters in URL annotation handling, and exploitation requires user interaction (UI:A). No public exploit identified at time of analysis, though VulnCheck published a dedicated advisory alongside the NSA's GitHub security advisory.

Command Injection Microsoft Ghidra
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows an attacker who already holds an administrator account to execute arbitrary OS commands on the appliance. The flaw carries a CVSS 4.0 score of 8.6, but the PR:H requirement substantially narrows the attacker population; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. QNAP has shipped fixed builds (QTS 5.2.9.3492 build 20260507 and QuTS hero h5.2.9.3499 build 20260514).

Qnap Command Injection Qts +1
NVD VulDB
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows attackers with administrator credentials to execute arbitrary OS commands on the appliance. The flaw spans multiple QTS and QuTS hero release trains (5.2.x, 5.3.x, and 6.0.x) and has been patched by QNAP across all affected branches. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV, but the post-authentication code execution primitive is highly valuable for attackers who have already harvested admin credentials.

Qnap Command Injection Qts +1
NVD VulDB
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Authenticated command injection in QNAP QTS and QuTS hero allows a remote attacker holding administrator credentials to execute arbitrary OS commands on the NAS appliance. The CVSS 4.0 base score of 8.6 reflects high impact across confidentiality, integrity, and availability, though exploitation requires high privileges (PR:H). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; QNAP has released fixed builds across affected QTS and QuTS hero branches.

Qnap Command Injection Qts +1
NVD VulDB
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained administrator credentials to execute arbitrary OS commands on the appliance. Reported by QNAP itself and tracked as EUVD-2025-210099, the issue affects multiple branches across QTS 5.2.x and QuTS hero 5.2.x, 5.3.x, and 6.0.x and is fixed in builds dated 2026-02-06 through 2026-05-20. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Qnap Command Injection Qts +1
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().

PHP RCE CSRF +1
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Command injection in Ruby's net-imap gem allows arbitrary IMAP protocol command injection via the Net::IMAP#id and Net::IMAP#enable methods when untrusted input is passed as arguments. The #id method fails to prohibit CRLF sequences in ID field value strings (despite correctly quoting other specials), while #enable passes argument .to_s values verbatim without validating them as legal IMAP atoms. An attacker who can influence these inputs can terminate the current IMAP command and append arbitrary subsequent IMAP commands such as DELETE mailbox. Rated 'moderate' by the maintainer; no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

{0}` or `{0+}`, allowing a smuggled literal-continuation marker to reach the IMAP server and cause it to absorb the next client command - hanging the issuing thread and, in multi-threaded environments, also the thread that sent the follow-up command. Rated low severity by the maintainers; no public exploit identified at time of analysis, but any application passing untrusted input to the affected raw argument parameters is at risk.

Denial Of Service Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

CRLF command injection in Ruby's net-imap gem (CVE-2026-47240) enables attackers to inject arbitrary IMAP commands when applications pass unvalidated user-controlled input to raw data arguments of search, fetch, sort, and thread methods. Affected versions (>= 0.6.0 through 0.6.4, and <= 0.5.14) fail to verify that the connected IMAP server supports non-synchronizing literals before sending them, meaning servers without LITERAL+, LITERAL-, or IMAP4rev2 capability may interpret the malformed literal boundary as a pipelined command rather than closing the connection - allowing injected payloads such as DELETE mailbox to execute. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the advisory is rated moderate severity by the upstream maintainers and patches are available.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in Hermes WebUI versions prior to 0.51.311 allows authenticated attackers to run arbitrary host commands by planting malicious Git configuration in a workspace repository's .git/config file. The Python backend in api/workspace_git.py invokes Git subprocesses (status, fetch) without hardening, so repo-local directives like core.fsmonitor, protocol.ext.allow, credential.helper, core.askPass, core.gitProxy, or inherited GIT_SSH_COMMAND turn read-only operations into command execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the vendor advisory and a VulnCheck disclosure (assigned via disclosure@vulncheck.com) confirm the bug and the corresponding fix.

RCE Command Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.

PHP Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Command injection in Ivanti Endpoint Manager Mobile (EPMM) versions prior to 12.9.0.1, 12.8.0.3, and 12.7.0.2 enables an authenticated administrator with high privileges to execute arbitrary OS commands as root on the underlying server. No public exploit identified at time of analysis, and the issue is not currently listed on the CISA KEV catalog, but Ivanti EPMM has a history of being a high-value target for nation-state actors which elevates real-world urgency. The high-privilege precondition limits opportunistic abuse but the root-level outcome makes this a credible privilege-escalation and lateral-movement vector.

Ivanti Command Injection
NVD
EPSS 2% 5.0 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. Because FortiSandbox is a security-analysis appliance handling untrusted samples, compromise undermines the integrity of malware verdicts and downstream detections.

Fortinet Command Injection Fortisandbox +2
NVD VulDB
EPSS 0% 6.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to achieve root-level command execution via OS command injection. With a maximum CVSS score of 10.0 and a network-accessible, no-interaction attack vector, this represents a critical exposure for any internet-facing Sentry appliance, though no public exploit has been identified at time of analysis.

RCE Ivanti Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.

XSS RCE Command Injection +1
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Authenticated command injection in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 allows remote attackers to execute arbitrary OS commands as the sinecins service account by submitting crafted directory names to the /api/sftp/uploadFiles endpoint. The injected payloads are stored and triggered later when directory listings are retrieved, producing a stored/second-order command injection. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects high impact across confidentiality, integrity, and availability of the underlying host.

Command Injection Sinec Ins
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Command injection in the npm package degit (versions before 2.8.6 and 3.0.0 through 3.3.0) lets a remote attacker run arbitrary OS commands on a victim's host when the victim is induced to run degit against a maliciously crafted repository name. The flaw stems from unsanitised user input being concatenated into shell strings inside _cloneWithGit() and fetchRefs(); publicly available exploit code exists (a PoC gist is linked from the NVD references and CVSS reports E:P), but the issue is not in CISA KEV.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Code injection in the anyquery chrome_tabs plugin (and Brave/Edge/Safari variants) on macOS allows an authenticated SQL client to break out of an AppleScript URL property record and execute arbitrary `osascript` commands, including `do shell script` for OS-level command execution. The flaw affects anyquery 0.4.4 (commit 0abd460) and stems from unescaped string interpolation at plugins/chrome/tabs.go:141 and :169. Publicly available exploit code exists in the GHSA advisory (GHSA-hrj8-hjv8-mgwc), though no public exploit identified at time of analysis in mass-exploitation feeds and KEV does not list it.

Command Injection Code Injection Google +4
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.

RCE Nginx Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Command injection (CWE-78) in Devolutions Server's built-in PAM provider password rotation templates allows an attacker with vault write access to execute arbitrary OS commands on systems managed by the affected PAM provider. Affected versions include 2026.2.4.0 and all releases at or below 2026.1.20.0, reported directly by the vendor Devolutions. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the high-value nature of a PAM platform managing privileged credentials on downstream systems means the practical blast radius substantially exceeds what the CVSS C:L/I:L scores suggest.

Hashicorp Command Injection Server
NVD VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

OS command injection in Tenda F451 routers (firmware 1.0.0.7 and 1.0.0.9) allows remote attackers with low-privileged web management access to execute arbitrary operating system commands by manipulating the 'mac' parameter sent to the /goform/WriteFacMac endpoint handled by the formWriteFacMac function. Publicly available exploit code exists, raising the practical risk for any device exposing the web management interface to untrusted networks. The flaw is rated CVSS 4.0 base 7.4 with high confidentiality, integrity, and availability impact on the device itself.

Tenda Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Authenticated command injection in the TP-Link Archer MR600 v5 router allows administrators on the adjacent network to execute arbitrary OS commands via the WireGuard client configuration in the web management interface. The flaw stems from improper neutralization of user-controlled input when configuration changes are applied, enabling full device compromise. No public exploit identified at time of analysis, but TP-Link has released a firmware patch.

Command Injection Archer Mr600 V5
NVD
EPSS 0% CVSS 8.7
HIGH POC This Week

Remote code execution in OpenBullet2 through 0.3.2 allows authenticated users to execute arbitrary OS commands by abusing the FileProxySource proxy loading feature to upload malicious .bat, .ps1, or .sh script files that the server then executes and returns output as proxy lines. Publicly available exploit code exists per the VulnCheck advisory and a HackerNoon writeup, and the issue carries a CVSS 8.8 (High) with low attack complexity and only low-privilege authentication required. No public exploit identified in CISA KEV at time of analysis, but the combination of a documented technique and trivial exploitation path elevates near-term abuse risk.

RCE Command Injection Openbullet2
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Command injection in Neovim up to version 0.12.2 allows a local attacker with low privileges to execute arbitrary Vim commands by crafting a file with a malicious name containing pipe (`|`) or other Vim Ex command separators. The vulnerable code path is the `M.read` function in `runtime/lua/vim/secure.lua`, which concatenates an unsanitized file path directly into a `vim.cmd('sview ...')` call when a user selects the 'View' action in Neovim's security trust prompt. This CVE is not listed in CISA KEV, indicating no confirmed widespread active exploitation; however, a publicly available proof-of-concept exploit exists (GitHub issue #39914) and an official patch has been released (commit f83e0dcaf8cf18de94828341b0a1a61a86c75baf via PR #39918).

Command Injection Neovim
NVD VulDB GitHub
EPSS 1% CVSS 1.3
LOW POC Monitor

Command injection in FoundationAgents MetaGPT through version 0.8.2 allows a remote, low-privileged attacker to execute arbitrary OS commands by manipulating the mermaid.path configuration argument passed to the check_cmd_exists function in metagpt/utils/common.py. A publicly available proof-of-concept (documented on Notion) demonstrates exploitation; however, this is not listed in CISA KEV and the CVSS vector assigns high attack complexity (AC:H), tempering real-world exploitability. The vendor project has not responded to the responsible disclosure filed via GitHub issue #2037, and no patched release is available at time of analysis.

Command Injection Metagpt
NVD VulDB GitHub
EPSS 1% CVSS 6.9
MEDIUM This Month

Command injection in GL.iNet GL-MT3000 routers running firmware up to 4.4.5 allows remote attackers to inject shell commands through the Password argument of the SET_USER_PWD handler in /cgi-bin/glc (function FUN_0042e200). The flaw is network-reachable with low complexity, but no public exploit is identified at time of analysis and the vendor disputes practical exploitability, stating that single-quote escaping in the shell context blocks the reported $() and backtick payloads.

Command Injection Gl Mt3000
NVD VulDB GitHub
EPSS 1% CVSS 6.9
MEDIUM This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows remote attackers to inject shell commands via the media_dir parameter handled by the snprintf call in /cgi-bin/glc's FTP protocol handler. The CVSS vector indicates network-reachable, unauthenticated exploitation with low complexity, and publicly available exploit code exists on GitHub (StrTzz123/iot_vul). The vendor has issued firmware 4.8.1 and disputes reproducibility on the patched build, stating that escape_single_quote() now sanitizes the input before it reaches the FTP configuration write path.

Command Injection Gl Mt3000
NVD VulDB GitHub
EPSS 1% CVSS 6.9
MEDIUM This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows remote attackers to execute arbitrary OS commands by manipulating the dev_name argument passed to the dlopen function in the /usr/lib/oui-httpd/rpc/ Path Normalization Handler, reachable via the nas-web.eject_disk RPC method. Publicly available exploit code exists on GitHub demonstrating the chain. No CISA KEV listing and EPSS data was not provided, but the network-reachable, no-authentication CVSS vector combined with public PoC makes this a meaningful risk for exposed devices.

Command Injection Gl Mt3000
NVD VulDB GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows a remote, low-privileged attacker to execute arbitrary OS commands via the `rpc_sys` function exposed through the LuCI JSON-RPC interface at `/cgi-bin/luci/rpc`. The vendor has confirmed the vulnerability and released a fix in firmware 4.8.1; critically, versions after 4.7.13 no longer install LuCI by default, eliminating the attack surface for most current deployments. Publicly available exploit code exists in a GitHub repository, though no active exploitation has been confirmed by CISA KEV.

Command Injection Gl Mt3000
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Remote command injection in GL.iNet GL-MT3000 firmware versions up to 4.4.5 enables a network-reachable, high-privilege attacker to execute arbitrary OS commands through the Minidlna service's /rpc endpoint by manipulating the kube.set argument of the realpath function. The vendor has confirmed the vulnerability and released a fix in firmware version 4.7, citing SDK-level global sanitization as the remediation. Publicly available exploit code exists in a GitHub proof-of-concept repository (StrTzz123/iot_vul), though no active exploitation has been confirmed by CISA KEV at time of analysis.

Command Injection Gl Mt3000
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in GL.iNet GL-MT3000 router firmware (versions up to 4.4.5) allows a low-privileged remote attacker to execute arbitrary OS commands by manipulating the 'device' argument passed to the iwinfo_backend function in iwinfo.so. A public proof-of-concept exploit is available on GitHub, raising the realistic likelihood of opportunistic abuse. The vendor has confirmed the issue and released firmware 4.7 with a global injection interception protection in the SDK.

Command Injection Gl Mt3000
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC PATCH Monitor

OS command injection in vertex-app vertex (all versions through 2026.02.12) allows remote low-privileged authenticated users to execute arbitrary operating system commands via the Log Viewer Endpoint. The root cause is direct interpolation of the user-controlled `req.query.type` parameter into a shell-executed `execSync()` call in `app/model/LogMod.js`, enabling shell metacharacter injection without any sanitization or allowlist validation. A publicly available proof-of-concept exists on GitHub Gist and Google Drive; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV), but the CVSS temporal score includes E:P (proof-of-concept) and RC:C (confirmed), elevating real-world urgency.

Command Injection Vertex
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC PATCH Monitor

Command injection in GL.iNet MT3000 routers running firmware up to version 4.4.5 allows authenticated remote attackers to execute arbitrary OS commands by supplying a crafted OpenVPN configuration file through the device's OpenVPN Client Import Workflow. The shell script ovpnclient.sh processes imported .ovpn files without adequately sanitizing user-controlled content, enabling embedded shell metacharacters or directives to execute at the OS level. A public proof-of-concept exploit is available on GitHub; an official vendor-released patch exists in beta firmware, and no public exploit identified at time of analysis has been confirmed by CISA KEV as actively exploited in the wild.

Command Injection Mt3000
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitrary system commands on the web server with the privileges of the web server process. The flaw carries a CVSS 4.0 score of 9.3 and was privately reported on 2026-04-06; no public exploit identified at time of analysis, and there is no evidence of in-the-wild exploitation per the vendor advisory. A fix is available in Open XDMoD 11.0.3, released 2026-05-12.

Command Injection Open Xdmod
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Authenticated command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) allows administrators with existing access to the browser management pipeline to break out and execute arbitrary terminal/shell script code on the underlying appliance OS. The flaw stems from insufficient input validation (CWE-78) within management-plane functionality and carries a CVSS 4.0 score of 7.0 with no public exploit identified at time of analysis. Because exploitation requires high-privileged authentication, the issue is a privilege-boundary breach rather than an unauthenticated remote takeover.

Command Injection Ng Firewall
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) Captive Portal Custom Handler allows administrators authenticated to the management UI to execute arbitrary shell commands on the underlying platform. The CVSS 4.0 score of 7.0 reflects high privilege requirements (PR:H) offset by network reach and high confidentiality impact, with no public exploit identified at time of analysis.

Command Injection Ng Firewall
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) version 17.4.0 allows high-privileged authenticated attackers to abuse insecure input validation in the Reports application to execute OS commands on the appliance. The flaw uniquely affects 17.4.0, with earlier releases unaffected, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.0 with confidentiality high and integrity/availability low, reflecting a scope-changing impact constrained by the high privileges required.

Command Injection Ng Firewall
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) version 17.4.0 allows authenticated high-privileged remote attackers to inject OS commands through the Captive Portal application framework via encrypted password handling. The flaw is unique to release 17.4.0 with earlier versions unaffected, and no public exploit identified at time of analysis. CVSS 4.0 base score of 7.0 reflects high attacker privilege requirement balanced against high confidentiality impact on the firewall appliance.

Command Injection Ng Firewall
NVD
EPSS 1% CVSS 7.7
HIGH PATCH This Week

OS command injection in HAX CMS (haxtheweb/haxcms-php) prior to version 26.0.0 allows authenticated remote attackers to execute arbitrary commands as the web server user via Git operations in the PHP backend. The Git.php library passes unsanitized input into proc_open() across 16 of 17 shell-invoking functions, with only commit() correctly using escapeshellarg(). No public exploit identified at time of analysis, though the vendor advisory describes a clear chain to full RCE when combined with configuration manipulation.

PHP RCE Command Injection
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitrary shell commands on remote SSH-managed hosts via the File Manager's resolvePath endpoint. The flaw stems from incomplete shell escaping that only handles double quotes while leaving command substitution syntax interpretable. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-v26q-rpv5-9m72) and CVSS 9.0 rating signal high impact across confidentiality, integrity, and availability of downstream SSH targets.

Command Injection Termix
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated attackers to execute arbitrary commands on the source SSH host via the POST /ssh/tunnel/connect endpoint. The flaw stems from user-controlled host record fields being interpolated directly into shell commands without escaping, yielding persistent code execution. No public exploit identified at time of analysis, but a vendor-released patch is available in version 2.3.2.

Command Injection Termix
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticated user with an active File Manager SSH session to execute arbitrary OS commands on the connected remote host via the GET /ssh/file_manager/ssh/resolvePath endpoint. The vulnerability stems from improper shell escaping that fails to neutralize $(...) and backtick command substitution, yielding a CVSS 9.9 critical rating with scope change. No public exploit identified at time of analysis, but the vendor advisory (GHSA-37f4-wq95-pg33) provides sufficient technical detail to develop one trivially.

Command Injection Termix
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Remote code execution in Markdown Preview Enhanced before 0.8.28 on Windows allows attackers to inject OS commands through crafted markdown documents that abuse the diagram filename attribute, imported file paths, or the latex_engine code-chunk attribute, all of which were passed through a shell without validation. Exploitation requires the victim to preview the malicious document (UI:A), and no public exploit identified at time of analysis, though VulnCheck-published advisory details and a tagged fix release make weaponization straightforward.

Microsoft Command Injection
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

OS command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows authenticated remote attackers to execute arbitrary shell commands on the device via the IMEI_value parameter of the /boafrm/formIMEISetup endpoint. The vulnerable function sub_412DA0 fails to sanitize attacker-controlled input before passing it to an OS-level command, granting low-privilege network access sufficient to achieve code execution with the confidence of a partial proof-of-concept. A publicly available exploit has been disclosed on GitHub, elevating practical risk beyond the CVSS 6.3 score alone.

D-Link Command Injection
NVD VulDB GitHub
EPSS 0%
CRITICAL POC PATCH Act Now

Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.

Python Privilege Escalation Command Injection +2
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows remote authenticated attackers to execute arbitrary OS commands via the `ussdValue` parameter of the `/boafrm/formUSSDSetup` endpoint, processed by the vulnerable `sub_41CF20` function without input sanitization. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms remote, low-complexity exploitation requiring only low-privilege credentials - a realistic threshold on consumer routers commonly deployed with default or weak passwords. A public proof-of-concept exploit is available on GitHub, materially elevating practical risk above what the moderate CVSS score of 6.3 suggests; no public exploit identified at time of analysis maps to confirmed active exploitation (not in CISA KEV).

D-Link Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 7.0
HIGH This Week

Local privilege escalation in libinput affects Red Hat Enterprise Linux 7, 8, 9, and 10 by allowing a local attacker with access to /dev/uinput to inject arbitrary udev properties via the libinput-device-group helper. Exploitation can result in root code execution through abuse of udev REMOVE_CMD properties that are run when a device is removed, mapping to CWE-78 (OS Command Injection). No public exploit identified at time of analysis, but the issue is vendor-confirmed by Red Hat.

RCE Command Injection Suse
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Privilege escalation via eval-based command injection in Teltonika Networks RUTOS (7.22-7.23.2) and TSWOS (1.09-1.09.1) allows an authenticated lower-privileged operator to execute arbitrary commands as root through the rpc-profile component. The flaw stems from unsafe evaluation of user-controllable input in a Lua/UCI RPC handler and is constrained to local/management-plane access, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.4 reflects total host compromise once a low-tier admin account is obtained on the device.

Code Injection Command Injection Rutos +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

OS command injection in HCL Digital Experience 9.5 allows authenticated remote attackers to execute arbitrary operating system commands through the Digital Asset Management API, inheriting the privileges of the application service account and potentially achieving full host takeover and data compromise. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact over a network vector with low attack complexity and only low privileges required, though no public exploit identified at time of analysis. The vulnerability was disclosed by the vendor (HCL) and is tracked in ENISA's EUVD as EUVD-2026-34786.

Command Injection Digital Experience
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in D-Link DWR-M920 router firmware versions 1.1.50 and 1.1.70 allows a low-privileged, remote-authenticated attacker to inject OS commands via the action_value parameter in the SMS management endpoint /boafrm/formSmsManage. The vulnerability resides in the C function sub_41C8E8 and stems from unsanitized user input being passed directly to a command interpreter (CWE-77). A public proof-of-concept exploit is available on GitHub, lowering the bar for exploitation despite the absence of CISA KEV listing.

D-Link Command Injection
NVD VulDB GitHub
EPSS 0% 4.6 CVSS 7.8
HIGH POC KEV THREAT Act Now

Local privilege escalation in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated netadmin user to execute arbitrary commands as root by uploading a crafted file through the CLI. Cisco has observed limited real-world exploitation that resulted in unauthorized configuration changes being pushed to downstream edge devices, though the issue is not currently listed in CISA KEV and no public exploit code has been identified at time of analysis.

Command Injection Cisco
NVD VulDB GitHub
EPSS 0% CVSS 7.3
HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 firmware allows authenticated remote attackers to execute arbitrary operating system commands by manipulating input to the rstats_path function within the /bin/rstats binary exposed via the Web UI. Publicly available exploit code exists per the Gitee advisory disclosed through VulDB, and the affected project is end-of-life - superseded by FreshTomato - meaning no upstream vendor patch is forthcoming. CVSS 4.0 base score is 7.3 with high privileges required but high confidentiality, integrity, and availability impact on the router.

Command Injection Tomato
NVD VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary operating system commands via the start_vpnserver function in /sbin/rc, reachable through the Web UI. Publicly available exploit code exists, and the project is end-of-life - superseded by FreshTomato - meaning no upstream patch is forthcoming. The CVSS 4.0 score of 7.3 reflects high impact on confidentiality, integrity, and availability, but high privileges are required to trigger the flaw.

Command Injection Tomato
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH NO ACTION HOSTED Monitor

Command injection in Microsoft 365 Copilot allows an authenticated attacker with low privileges to execute arbitrary code across a scope-changing trust boundary, leading to high confidentiality impact and limited integrity and availability impact. The flaw stems from improper neutralization of special elements (CWE-77) within the Copilot service and is rated CVSS 7.7 with high attack complexity. No public exploit identified at time of analysis, and the EPSS signal is not provided in the source intelligence.

Microsoft Command Injection
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH NO ACTION HOSTED Monitor

Information disclosure in Microsoft 365 Copilot allows remote unauthenticated attackers to exfiltrate data via command injection (CWE-77) over the network. Microsoft reported the issue (CVE-2026-42824) with a CVSS 3.1 base score of 7.5 reflecting high confidentiality impact only, and publicly available exploit code exists though it is not listed in CISA KEV. EPSS is very low at 0.08% (24th percentile) and the CISA SSVC decision framework rates exploitation as 'none' and automatable as 'no', suggesting realistic exploitation is currently limited despite the POC.

Command Injection Microsoft 365 Copilot
NVD VulDB GitHub
EPSS 0% CVSS 7.3
HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary shell commands by manipulating the ipv6_6rd_borderrelay argument processed by the start_6rd_tunnel function in /sbin/rc via the Web UI. Publicly available exploit code exists per VulDB disclosure, and the project is end-of-life - superseded by FreshTomato - meaning no upstream fix is expected.

Command Injection Tomato
NVD VulDB
EPSS 1%
CRITICAL PATCH Act Now

Command injection in stata-mcp (MCP-for-Stata) versions prior to 1.17.3 allows attackers to execute arbitrary Stata commands - including the `shell` directive - by supplying a crafted `log_file_name` parameter to the `stata_do` MCP tool or CLI. The flaw bypasses the existing `GuardValidator` security control, which only inspects do-file content and never examines wrapper parameters, enabling remote code execution and arbitrary file writes via path traversal. Publicly available exploit code exists in the GHSA advisory PoC, though no public exploit identified at time of analysis indicates in-the-wild abuse.

Python RCE Path Traversal +1
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary operating system commands via the start_dhcpc function in /sbin/rc, reachable through the Web UI. Publicly available exploit code exists per the VulDB advisory. The project has been discontinued and superseded by FreshTomato, meaning no upstream fix from the original maintainer is expected.

Command Injection Tomato
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Command injection in nvm (Node Version Manager) versions through 0.40.4 allows attackers controlling the configured Node.js/io.js mirror to execute arbitrary shell commands as the user running nvm. Mirror-supplied version strings flow unsanitized into an `eval`'d curl/wget invocation in `nvm_download()` and into an awk program in `nvm_get_checksum()`, enabling injection via constructs like `$(id)`. No public exploit is identified at time of analysis, but the GitHub Security Advisory (GHSA-3c52-35h2-gfmm) and committed regression tests demonstrate the bug class, and CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) reflects that the default TLS-protected nodejs.org mirror is unaffected.

Node.js Command Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF - allows remote attackers to execute arbitrary commands on the appliance by supplying unsanitized input to multiple command endpoints. The flaw carries a CVSS of 9.8 (pre-auth, network-reachable) and publicly available exploit code exists (a GitHub PoC and watchTowr Labs write-up), though EPSS remains low at 0.30% and CISA SSVC currently rates exploitation status as 'none'. Fixed builds (7.2.63.2 and 7.2.54.18) are available from Progress.

RCE Command Injection Loadmaster +3
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Authenticated remote command injection in GX Earth ONT (Optical Network Terminal) devices allows attackers with valid web management credentials to execute arbitrary OS commands as root via multiple diagnostic functions in the device's web interface. The flaw, reported by CERT-In and tracked as CIVN-2026-0288, carries a CVSS 4.0 score of 8.7 (High) reflecting low attack complexity and high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

RCE Command Injection
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Command injection in the Supermicro AS-2115HS-TNR BMC's SMTP service allows an authenticated administrator to inject crafted characters into the SMTP configuration, causing the underlying system to execute unintended OS commands during process invocation. Successful exploitation can yield arbitrary code execution on the baseboard management controller, denial of service, or persistent compromise of the management plane. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

RCE Command Injection As 2115Hs Tnr
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Command injection in Acer Connect M6E 5G Portable WiFi Router allows authenticated adjacent-network attackers to execute arbitrary OS commands by submitting VPN network profile configuration files containing unsanitized special characters. The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the router, though exploitation requires high privileges and adjacent (not internet-facing) network access. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Command Injection Connect M6E 5G Portable Wifi Router
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Command injection in the Acer Connect M6E 5G Portable WiFi Router allows authenticated remote attackers to install arbitrary applications or execute operating system commands by abusing internal operation codes (opcodes) whose permission checks are not properly enforced. The flaw carries a CVSS 4.0 score of 9.4 (Critical) due to network reach, low attack complexity, and scope-changing impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.

Command Injection Connect M6E 5G Portable Wifi Router
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Local privilege escalation in NetworkManager's dhclient backend allows a low-privileged local user to execute arbitrary OS commands with elevated privileges by supplying a crafted Manufacturer Usage Description (MUD) URL. Exploitation is strictly limited to systems where an administrator has explicitly reconfigured NetworkManager to use the dhclient backend - a non-default setting - meaning the vast majority of deployments are unaffected by design. CVSS 6.7 (local vector, high complexity, user interaction required) accurately reflects the constrained exploitation conditions; no public exploit code or CISA KEV listing exists at time of analysis.

Privilege Escalation Command Injection Red Hat +1
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unauthenticated remote command injection in Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) allows attackers to inject OS commands via the FieldX MDM adb messaging topic, which forwards unverified payloads to Runtime.exec(). The CVSS 4.0 score of 10.0 with network attack vector and no authentication required indicates a critical, trivially exploitable flaw; no public exploit identified at time of analysis but the simplicity of the bug pattern makes weaponization straightforward.

Command Injection Connect M6E 5G Portable Wifi Router
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Command injection in Cloud Foundry BOSH Director (all versions prior to v282.1.12) allows an authenticated release uploader to achieve arbitrary OS command execution on the Director by embedding shell metacharacters in the jobs[].name field of a release.MF manifest inside an uploaded tarball. The unsafe value flows from ReleaseJob#unpack into a /bin/sh -c invocation via Bosh::Common::Exec.sh, so payloads such as $(...) or ; are interpreted by the shell during release unpacking. No public exploit identified at time of analysis; no CISA KEV listing, but the Cloud Foundry Foundation has published an advisory and a fixed release.

Command Injection Bosh Director
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Command injection in Cloud Foundry BOSH versions prior to v282.1.12 allows an attacker who can upload a release tarball to execute arbitrary shell commands on the BOSH Director host by embedding shell metacharacters in the package name field of the release.MF manifest. The flaw stems from PackagePersister.validate_tgz interpolating the unsanitized name into a `tar -tf` invocation executed through `/bin/sh -c`, with model-level validation occurring only after the shell-out. No public exploit identified at time of analysis, and the bug is not listed in CISA KEV.

Command Injection Bosh
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

Unauthenticated remote command execution affects T3 Technology CPE routers (models T625Pro v1.0.07 and T6825G v1.0.03) through an undocumented debug CGI endpoint that processes attacker-supplied query strings as root-level shell commands. SSVC characterizes this as POC-available with total technical impact, and a public advisory has been published on GitHub, though it is not currently listed in CISA KEV.

Command Injection N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

OS command injection in the Neterbit NW-431F Router (firmware 20241014-IR03 and earlier) allows remote unauthenticated attackers to execute arbitrary commands via the ping diagnostic module's IP address field. With a CVSS of 9.8 and a low-complexity network attack vector, exploitation runs with web-server privileges and no public exploit has been identified at time of analysis, though a researcher-published reference on GitHub may contain technical details.

Command Injection
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Remote code execution and information disclosure in Neterbit NW-431F routers (firmware vNW-431F-20241014-IR03) allow unauthenticated network attackers to compromise the device by sending a crafted command to the at_command.asp interface. The CVSS 8.2 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation against the router's web management interface, and no public exploit identified at time of analysis, though a researcher repository on GitHub may contain proof-of-concept material.

RCE Command Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote command execution in openlabs docker-wkhtmltopdf-aas (up to commit 9f50579) allows unauthenticated attackers to run arbitrary OS commands by sending a crafted POST request to the app.py PDF conversion endpoint. The CVSS 9.8 rating reflects network-reachable, no-privilege, no-interaction exploitation, and while no public exploit identified at time of analysis, the referenced source line (app.py#L40) makes the injection sink trivially discoverable for any attacker reviewing the repository.

Docker Command Injection
NVD GitHub VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in elunez eladmin's Application Deployment Module (App.java) allows authenticated remote attackers with low privileges to execute arbitrary operating system commands by manipulating the `uploadPath` argument. All versions up to and including 2.7 are affected per the CPE record. A public proof-of-concept exploit exists (referenced via GitHub issue #899), though no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV). The vendor has not responded to the coordinated disclosure, leaving no official patch available.

Java Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 8.0
HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft SharePoint Server (2016 Enterprise, 2019, and Subscription Edition) allows an authenticated attacker to execute arbitrary code on the server by submitting crafted serialized data that triggers unsafe deserialization. The CVSS 8.0 vector requires low privileges and user interaction, and no public exploit is identified at time of analysis. The flaw is significant because SharePoint servers typically run with high privileges inside enterprise environments and frequently host sensitive collaboration data.

Microsoft Command Injection Deserialization +3
NVD
EPSS 1% CVSS 2.1
LOW POC Monitor

OS command injection in wezterm-mcp 0.1.0 allows a remotely authenticated attacker with low privileges to execute arbitrary shell commands by supplying a crafted pane_id argument to the switch_pane or write_to_specific_pane MCP tool handlers. The unsanitized parameter is passed directly to a shell invocation in src/wezterm_executor.ts, giving an MCP client - such as an AI assistant or automation pipeline - the ability to break out of intended terminal pane management and run arbitrary commands in the host user's context. Publicly available exploit code exists per a GitHub issue report; no patch has been released as the vendor has not responded to the disclosure.

Command Injection Wezterm Mcp
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

launch-editor allows users to open files with line numbers in editor from Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Microsoft Command Injection +2
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

OS command injection in PHP Censor through 2.1.6 allows remote attackers to execute arbitrary shell commands by submitting a crafted commitId value to the webhook endpoint handled by src/Model/Build/GitBuild.php. The unsanitized commitId (and branch name) is interpolated into shell command strings passed to git log and clone operations, and publicly available exploit code exists per VulDB. No CISA KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active in the wild.

Command Injection PHP
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

OS command injection in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers to execute arbitrary shell commands inside the sandbox container by supplying a crafted file path to the write_file tool. The flaw exists in FsBridge.WriteFile (internal/sandbox/fsbridge.go), which interpolated the destination path into a shell command (`sh -c "cat > <path>"`) executed via docker exec, letting shell metacharacters such as `$(...)` break out of the intended write operation. Publicly available exploit code exists and the upstream patch is still pending merge at the time of analysis, raising real-world risk despite a moderate 7.3 CVSS.

Command Injection Goclaw
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

OS command injection in zhayujie chatgpt-on-wechat (also known as CowAgent) versions up to and including 2.0.8 allows remote attackers to execute arbitrary operating system commands by abusing the _get_safety_warning function within the Bash Tool component (agent/tools/bash/bash.py). Publicly available exploit code exists for this issue, increasing the likelihood of opportunistic abuse, though it is not currently listed in CISA KEV. The vendor has released version 2.0.9 (commit 16d9b449c9aa53ccee44144a762a2737d7ba4fc4) addressing the flaw.

Command Injection Chatgpt On Wechat
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in TRENDnet TEW-432BRP firmware 3.10B20 allows remote low-privileged attackers to execute arbitrary OS commands by manipulating the `enrollee` parameter in the `/goform/formWlanSetup` wireless configuration handler. The product reached end-of-life in 2009, and TRENDnet has formally and explicitly declined to issue a patch, leaving all deployed units permanently unpatched with no vendor remediation path. Publicly available exploit code exists on GitHub, materially lowering the exploitation barrier, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

Command Injection Tew 432Brp
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in TRENDnet TEW-432BRP firmware 3.10B20 enables remote attackers with low-privilege credentials to execute arbitrary OS commands by injecting shell metacharacters into the sysCmd parameter of the /goform/formSysCmd endpoint. A public proof-of-concept exploit is available on GitHub, lowering the barrier to exploitation. The vendor has confirmed no patch will be released - the device has been end-of-life since 2009 - meaning any remaining deployed units are permanently unpatched.

Command Injection Tew 432Brp
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in Edimax BR-6478AC firmware 1.23 allows a remotely authenticated attacker to execute arbitrary OS commands by manipulating the `rootAPmac` parameter in a POST request to the `/goform/formWlbasic` endpoint. The vulnerable function `formWlbasic` passes unsanitized input directly to a system-level command, a pattern common in consumer embedded router firmware. A public proof-of-concept exploit has been disclosed, lowering the technical bar for exploitation; no vendor-released patch has been identified at time of analysis.

Command Injection Br 6478Ac
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Authenticated command injection in Edimax BR-6478AC 1.23 firmware allows network-adjacent attackers with low-privilege credentials to execute arbitrary OS commands via the rootAPmac parameter in the formStaDrvSetup POST handler at /goform/formStaDrvSetup. The CVSS temporal vector confirms a public proof-of-concept (E:P) with reasonable confidence in the report (RC:R), while remediation level remains undefined (RL:X), indicating no vendor patch has been publicly acknowledged. No public exploit identified at time of analysis as confirmed actively exploited (CISA KEV), but publicly available exploit code exists, elevating practical risk for deployed devices.

Command Injection Br 6478Ac
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in PraisonAI praisonaiagents <=1.6.39 and PraisonAI <=4.6.39 allows authenticated attackers to fully escape the execute_code() subprocess sandbox by leveraging print.__self__ to reach the real builtins module and reconstructing __import__ at runtime. The flaw defeats prior patches for CVE-2026-39888, CVE-2026-34938, and CVE-2026-40158, enabling arbitrary OS command execution on the host wherever agent input can be influenced via prompt injection or direct code submission. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-4mr5-g6f9-cfrh), and EPSS/KEV signals are not yet published for this newly disclosed novel bypass.

Command Injection Node.js RCE +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusing the filename completion feature when a developer interacts with a crafted filename. The flaw is locally exploitable with user interaction required and has high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Command Injection Intellij Idea
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Authenticated OS command injection in Dokploy 0.28.8 and earlier lets any organization member execute arbitrary system commands on remote servers managed by the PaaS via the /listen-deployment WebSocket endpoint, resulting in full server compromise. With a CVSS 9.9 (scope changed) and low-privilege precondition, the flaw effectively turns any low-tier org account into a foothold on every connected host. No public exploit identified at time of analysis, but the vendor security advisory (GHSA-r73h-qr3p-hf7f) confirms the issue.

Command Injection Dokploy
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

Command injection in Dokploy 0.29.1 and earlier allows authenticated users to execute arbitrary OS commands on the host by abusing the Docker file upload feature's unsanitized destinationPath parameter. The CVSS 9.9 score reflects scope change to the underlying host from a containerized context, and no public exploit identified at time of analysis though the GHSA advisory provides sufficient technical detail to reconstruct one.

Docker File Upload Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Command injection in Dokploy 0.29.0 and earlier allows authenticated users to execute arbitrary OS commands on the host by deleting a Docker registry whose registryUrl contains shell metacharacters. The deleteRegistry function in packages/server/src/services/registry.ts passes registryUrl unescaped into docker logout, while the adjacent docker login call correctly uses shEscape() - making this a clear regression. No public exploit identified at time of analysis, but the root cause is documented in the vendor's GHSA advisory.

Docker Command Injection
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

Authenticated OS command injection in Dokploy 0.28.8 and earlier lets admin or owner users execute arbitrary shell commands on remote servers managed by the PaaS through the application.updateTraefikConfig tRPC endpoint. The flaw stems from unsanitized shell interpolation in an echo call, granting full command execution across any host the Dokploy controller manages. No public exploit identified at time of analysis, but the high-privilege admin context combined with cross-server reach makes this a meaningful post-compromise escalation path.

Command Injection Dokploy
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

Cross-tenant remote code execution in Dokploy 0.26.7 and earlier allows any authenticated user to hijack scheduled tasks belonging to other organizations and execute arbitrary scripts on the Dokploy host or managed remote servers. The schedule router fails to enforce organization and role authorization, so knowledge of a scheduleId/serverId is sufficient to create, modify, or trigger server-type schedules that run attacker-controlled shell commands. No public exploit identified at time of analysis, but the trivial authorization bypass combined with built-in script execution makes this a high-priority issue for multi-tenant Dokploy deployments.

Command Injection Dokploy
NVD GitHub
Prev Page 4 of 87 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy