Command Injection
Monthly
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/editinstance.php via the POST main_database parameter. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/cron/lang/check_parse_lang.php. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. [CVSS 7.2 HIGH]
Tenda W20E router has a code injection vulnerability in usbPartitionName parameter allowing unauthenticated remote code execution with EPSS 1.1%.
OS command injection in openDCIM 23.04 through commit 4467e9c4 via report_network_map.php allows authenticated users to execute arbitrary commands. EPSS 0.57% with PoC and patch available.
Arbitrary command execution in Vim's netrw plugin prior to version 9.2.0073 allows attackers to execute shell commands with user privileges by crafting malicious URLs (such as scp:// handlers) that users are tricked into opening. The vulnerability requires user interaction but poses a local privilege escalation risk in multi-user environments. A patch is available in Vim 9.2.0073 and later.
Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. CVSS 10.0 with PoC available.
OS command injection in Johnson Controls Frick Controls Quantum HD allows unauthenticated remote attackers to execute arbitrary commands on industrial refrigeration control systems. CVSS 9.8.
Remote code execution in Red Hat Satellite's rubyipmi BMC component allows authenticated users with host creation or update permissions to execute arbitrary code by injecting malicious input into the BMC username field. An attacker with these privileges can compromise the underlying system through command injection. No patch is currently available for this vulnerability.
Command injection in TOTOLINK N300RH router firmware 6.1c.1353 via setDiagnosisCfg handler. EPSS 4.0% with PoC available — high exploitation probability for consumer routers.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the MBird SMS service URL parameters processed during system setup. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro models, with no patch currently available. Exploitation requires high privilege access but carries high impact due to complete system compromise potential.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the server username or password fields during restore operations via the API V1 endpoint. The vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges but could compromise the entire system. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into Wi-Fi SSID or password configuration fields. The vulnerability affects multiple Xweb Pro models (300d, 500b, 500d) and requires high privilege access to exploit, though successful exploitation grants complete system compromise across the network. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the Modbus command tool parameters accessible through the debug route. The vulnerability affects Xweb 300d Pro, 500d Pro, and 500b Pro devices, with a CVSS score of 8.0 indicating high severity. No patch is currently available for this command injection flaw.
Remote code execution in XWEB Pro firmware versions 1.12.1 and prior allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads through crafted LCD state configurations that are processed during system initialization. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges to exploit, though the impact extends across connected systems. No patch is currently available for this high-severity vulnerability (CVSS 8.0).
Remote code execution in Xweb Pro firmware (versions 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by uploading a malicious template file through the devices route. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro models, with no patch currently available. The high CVSS score of 8.0 reflects the severity of achieving code execution with administrative privileges on vulnerable devices.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier (affecting Xweb 500b Pro, 500d Pro, and 300d Pro models) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the server username field during the import preconfiguration API action. An attacker with administrative privileges can exploit this OS command injection vulnerability to gain complete system compromise. No patch is currently available for this vulnerability.
Authenticated attackers can execute arbitrary OS commands on Xweb Pro devices (versions 1.12.1 and earlier across 300d, 500b, and 500d models) by injecting malicious payloads into the hostname configuration parameter during system setup. This command injection vulnerability grants remote code execution with high privileges on affected systems. No patch is currently available, requiring organizations to implement network access controls or disable affected devices until remediation is released.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by submitting a malicious firmware update file through the update mechanism. The vulnerability affects multiple XWEB Pro models (300d, 500d, and 500b) and requires high-level privileges to exploit. No patch is currently available for this high-severity command injection flaw (CVSS 8.0).
Remote code execution in XWEB Pro versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands via malicious input submitted to the restore functionality. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro firmware versions, with no patch currently available. An attacker with valid credentials could compromise the affected device and gain full system control.
Remote code execution in Xweb 300d Pro, 500d Pro, and 500b Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field in the setup route. An attacker with valid credentials can exploit this command injection vulnerability to gain complete system control. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary commands by injecting malicious input into OpenSSL parameter fields. An attacker with valid credentials can exploit this command injection vulnerability through the utility route to gain complete system compromise. No patch is currently available for affected XWEB 500b Pro and 300d Pro devices.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the devices field during firmware updates. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Unauthenticated OS command injection in Copeland XWEB Pro HVAC controller version 1.12.1 and prior. EPSS 0.96% indicates real exploitation risk for internet-exposed building automation systems.
Remote code execution in Xweb 300d/500b/500d Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the firmware update endpoint. The vulnerability stems from insufficient input validation in command processing and requires high privileges but affects the entire system scope. No patch is currently available for this HIGH severity issue.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by submitting malicious input through the contacts import endpoint. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high-level privileges but can compromise the entire system. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field during firmware update operations. The vulnerability affects multiple Xweb Pro models (500d, 500b, and 300d) and requires high-level privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Remote code execution in Xweb 300d Pro, 500b Pro, and 500d Pro firmware (version 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the map filename field during file upload operations. An attacker with valid credentials can exploit this command injection flaw to gain full system control. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the templates route. Affected versions include Xweb 500d Pro, 300d Pro, and 500b Pro. No patch is currently available for this vulnerability.
Remote code execution in osctrl prior to version 0.5.0 allows authenticated administrators to inject arbitrary OS commands through the hostname parameter during environment configuration, which are then executed on all endpoints enrolling via the compromised environment. The injected commands execute with root/SYSTEM privileges before osquery installation, providing complete system compromise with minimal audit trails. A patch is available in version 0.5.0 and later.
Kiteworks versions prior to 9.2.0 suffer from a command injection vulnerability that permits authenticated users to redirect command output to arbitrary file locations, potentially enabling overwriting of critical system files and privilege escalation. The vulnerability requires high privileges and manual user interaction to exploit, resulting in a medium severity rating with limited real-world exploitation likelihood (EPSS 0.1%). No patch is currently available for affected installations.
Zen C is a systems programming language that compiles to human-readable GNU C/C11. [CVSS 6.6 MEDIUM]
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary code execution through crafted CSV files. EPSS 0.41% with PoC and patch available.
Arbitrary command execution in WPGraphQL's GitHub Actions workflow allows attackers with pull request creation privileges to inject shell commands through unvalidated pull request body content, potentially compromising the build environment and repository integrity. The vulnerability affects WPGraphQL versions prior to 2.9.1 and requires low privileges and user interaction to exploit. No patch is currently available for affected deployments.
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.
VMware Aria Operations contains a command injection vulnerability (CVE-2026-22719, CVSS 8.1) that allows unauthenticated remote attackers to execute arbitrary commands during support-assisted product migration. KEV-listed with patches available, this vulnerability targets the infrastructure monitoring platform that has visibility into the entire virtualized environment.
OS command injection via TLS-SRP update functionality. Third TLS-SRP injection CVE — command injection through the credential update mechanism.
OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands on the monitoring server. PoC and patch available.
Insufficient input validation in Cisco FXOS and UCS Manager web interfaces enables authenticated administrators to inject arbitrary commands and achieve root-level code execution on affected systems. The vulnerability requires local access and valid admin credentials, allowing privileged attackers to bypass normal OS restrictions. No patch is currently available, and the lack of input sanitization on command arguments represents a critical privilege escalation vector for insider threats.
OS command injection via TLS-SRP handshake. Similar to CVE-2026-27847 but targeting command execution through the SRP authentication process.
OS command injection in OliveTin web shell interface through version 3000.10.0. OliveTin provides web-based access to predefined shell commands — the injection allows executing arbitrary commands beyond the whitelist. PoC available.
OS command injection in InSAT MasterSCADA BUK-TS through MMadmServ web interface. Unauthenticated RCE on SCADA management server. EPSS 1.26%.
Authenticated attackers can achieve remote code execution on Binardat 10G08-0800GSM network switches by injecting the %1a character into the traceroute hostname parameter on the web management interface, allowing arbitrary CLI command execution. The vulnerability affects firmware version V300SP10260209 and earlier, and currently has no available patch. This requires valid web interface credentials but poses significant risk due to its high severity rating and network-accessible attack vector.
Command injection in exiftool's PNG file parser on macOS allows remote attackers to execute arbitrary OS commands by manipulating the DateTimeOriginal argument in the SetMacOSTags function. Public exploit code exists for this vulnerability, and affected users should upgrade to version 13.50 or later to remediate the issue.
OS command injection in the Ping Handler component of Intelbras TIP 635G firmware (version 1.12.3.5) enables authenticated attackers to execute arbitrary system commands remotely. Public exploit code is available for this vulnerability, and the vendor has not provided a patch despite early disclosure notification. Affected devices remain exploitable until the vendor releases a security update.
OS command injection in bleon-ethical/api-gateway-deploy npm package version 1.0.0. Attack chain enables remote code execution through crafted API gateway deployment configuration.
Hummerrisk versions up to 1.5.0. contains a vulnerability that allows attackers to command injection (CVSS 6.3).
Command injection in HummerRisk up to version 1.5.0 allows authenticated remote attackers to execute arbitrary commands through the Cloud Task Dry-run feature by manipulating the fileName parameter in CloudTaskService.java. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can achieve remote code execution with limited impact on confidentiality, integrity, and availability.
HummerRisk versions up to 1.5.0 contain a command injection vulnerability in the Cloud Task Scheduler component where the regionId parameter is insufficiently validated, allowing authenticated remote attackers to execute arbitrary commands. Public exploit code exists for this vulnerability and the vendor has not provided a patch despite early disclosure notification. An authenticated attacker can exploit this to achieve remote code execution with limited scope impact.
yt-dlp is a command-line audio/video downloader. [CVSS 8.8 HIGH]
Zyxel VMG3625-T50B, DX5401 B1, and EMG5523 T50B devices with firmware through version 5.50(ABPM.9.7)C0 contain a post-authentication command injection vulnerability in the TR-369 certificate download function that allows authenticated administrators to execute arbitrary operating system commands. An attacker with admin credentials could leverage this to gain complete control over the affected device. No patch is currently available.
A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0 could allow an authenticated attacker to execute operating system (OS) commands on an affected device. [CVSS 8.8 HIGH]
Command injection in Zyxel EX3510-B0 router UPnP functionality via firmware versions through 5.17. Allows remote code execution through the UPnP service.
Command injection in DrayTek Vigor 300B firmware up to version 1.5.1.6 allows authenticated remote attackers to execute arbitrary OS commands via the File parameter in the web management interface. Public exploit code exists for this vulnerability, though the vendor has confirmed the product is end-of-life and no patch will be released. This affects only unsupported installations with administrative access.
X6000R Firmware versions up to 9.4.0cu.1498_b20250826 is affected by os command injection (CVSS 8.8).
X5000R Firmware versions up to 9.1.0cu.2415_b20250515 is affected by os command injection (CVSS 8.0).
Unauthenticated remote attackers can execute arbitrary commands on dst-admin versions up to 1.5.0 by manipulating the Name parameter in the revertBackup function at /home/restore endpoint. Public exploit code is available for this vulnerability, and the vendor has not provided a patch despite early notification.
Remote code execution in Vaelsys 4.1.0 allows unauthenticated attackers to execute arbitrary OS commands via malicious xajaxargs parameters sent to the /tree/tree_server.php endpoint. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. This network-accessible flaw poses immediate risk to exposed Vaelsys installations.
Remote code execution in Tosei Online Store Management System 1.01 allows unauthenticated attackers to execute arbitrary OS commands through the DevId parameter in /cgi-bin/monitor.php. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires no user interaction and is exploitable over the network.
OpenClaw AI assistant on macOS versions 2026.2.13 and earlier is vulnerable to command injection through the credential refresh mechanism, which improperly handles user-controlled OAuth tokens when constructing shell commands for Keychain operations. An authenticated attacker with local access could exploit this to execute arbitrary OS commands with the privileges of the application user. The vulnerability has been patched in version 2026.2.14.
Moodle's TeX filter fails to properly sanitize administrative configuration inputs, enabling command injection on systems with ImageMagick installed. An authenticated administrator can inject arbitrary system commands through a malicious TeX filter setting, achieving code execution with the privileges of the Moodle server process. No patch is currently available, and exploitation requires administrative access but could compromise the entire Moodle installation.
Remote code execution in Nagios Xi through command injection in the esensors_websensor_configwizard_func method allows authenticated attackers to execute arbitrary commands with service account privileges. The vulnerability stems from insufficient input validation on user-supplied parameters passed to system calls. With a CVSS score of 8.8 and no patch currently available, this poses a significant risk to authenticated users of affected Nagios installations.
Remote code execution in Nagios Xi's monitoringwizard module allows authenticated attackers to execute arbitrary commands through insufficient input validation in system calls. An attacker with valid credentials can exploit this command injection vulnerability to gain code execution with service account privileges on affected installations. No patch is currently available for this high-severity vulnerability.
Nagios Xi for iOS is vulnerable to command injection in the zabbixagent_configwizard_func method due to insufficient input validation, allowing authenticated attackers to execute arbitrary code with service account privileges. The vulnerability requires valid credentials but no user interaction to exploit, and no patch is currently available. Exploitation could grant attackers full system access on affected Nagios installations.
Remote code execution in Deciso OPNsense's backup functionality allows authenticated network-adjacent attackers to execute arbitrary commands with root privileges through insufficient input validation in the diag_backup.php file. An attacker with valid credentials can inject malicious commands into backup filename parameters to achieve code execution on the affected system. No patch is currently available for this vulnerability.
Unauthenticated command injection in thesystem 1.0. EPSS 3.4%. PoC available.
Liquid Prompt is an adaptive prompt for Bash and Zsh. [CVSS 6.3 MEDIUM]
Command injection in Deno versions prior to 2.6.8 allows unauthenticated remote attackers to execute arbitrary commands through the node:child_process implementation. Public exploit code exists for this vulnerability, which carries a CVSS score of 8.1 and affects the confidentiality, integrity, and availability of affected systems. Users should upgrade to Deno 2.6.8 or later to remediate this risk.
Unauthenticated OS command injection in PROLiNK PRC2402M router via ip parameter. EPSS 0.39%.
Command injection in Owl OPDS 2.2.0.4 — duplicate of CVE-2026-26093.
Command injection in Owl OPDS 2.2.0.4. EPSS 0.29%.
Remote code execution in UTT HiPER 520 Firmware 1.7.7-160105 allows unauthenticated attackers to inject arbitrary OS commands through the Isp_Name parameter in the web management interface. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can achieve full system compromise by sending a specially crafted request to the /goform/formReleaseConnect endpoint.
Remote command injection in UTT HiPer 520 Firmware 1.7.7-160105 web management interface allows unauthenticated attackers to execute arbitrary OS commands through the policyNames parameter. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.
EnOcean SmartServer IoT versions 4.60.009 and earlier are vulnerable to unauthenticated remote command injection through maliciously crafted LON IP-852 management messages, enabling attackers to execute arbitrary OS commands with high privileges on affected devices. This network-accessible vulnerability requires no user interaction and affects IoT deployments with no available patch currently available.
Cf-E7 Firmware versions up to 2.6.0.9 contains a vulnerability that allows attackers to command injection (CVSS 6.3).
Command injection in Comfast CF-E7 firmware versions 2.6.0.9 and earlier allows remote authenticated attackers to execute arbitrary commands through the timestr parameter in the NTP timezone configuration function. Public exploit code exists for this vulnerability, and the vendor has not provided patches despite early notification. An attacker with valid credentials can achieve remote code execution with medium impact on confidentiality, integrity, and availability.
OpenClaw versions prior to 2026.2.15 fail to sanitize workspace directory paths before injecting them into LLM prompts, allowing local attackers with execution privileges to inject malicious instructions through control characters and Unicode markers in directory names. An attacker can exploit this prompt injection vulnerability to manipulate the AI assistant's behavior and execute unintended commands. A patch is available in version 2026.2.15 and later.
Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.
Command injection in RustFly 2.0.0 via hex-encoded UDP instructions on port 5005. The remote UI control mechanism accepts and executes commands without validation.
Command injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arbitrary system commands through unsanitized output parsing in the versions() function. Public exploit code exists for this vulnerability, which provides complete system compromise capabilities including information disclosure, modification, and denial of service. Upgrade to version 5.31.0 or later to remediate.
Arbitrary command execution in systeminformation versions before 5.30.8 allows local attackers to execute OS commands through an unsanitized network interface parameter in the wifiNetworks() function's retry logic. Applications passing user-controlled input to this function are vulnerable to privilege escalation attacks running with Node.js process permissions. Public exploit code exists for this vulnerability; a patch is available.
Trivy Action versions 0.31.0 through 0.33.1 allow remote code execution on GitHub Actions runners due to insufficient input sanitization when constructing shell environment variable exports. An attacker with repository access can inject shell metacharacters through action inputs to achieve arbitrary command execution in the runner context. The vulnerability requires high privileges to exploit and is addressed in version 0.34.0.
Unauthenticated OS command injection in NesterSoft WorkTime via report generation API. Allows executing arbitrary commands.
Command injection in SECCN Dingcheng G10 3.1.0.181203 router via session_login.cgi. PoC available.
Unauthenticated remote attackers can achieve OS command injection through the delete_file parameter in Advantech WISE-6610's OpenVPN management interface (/cgi-bin/luci/admin/openvpn_apply), enabling arbitrary command execution with high privileges. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The attack requires high-level privileges but involves minimal complexity and poses significant risks to confidentiality, integrity, and availability.
Saturn Remote Mouse Server on local networks is vulnerable to unauthenticated command injection through specially crafted UDP JSON packets sent to port 27000, enabling attackers to execute arbitrary code with service account privileges. Affected systems lack input validation on command parameters, allowing network-adjacent threat actors to achieve remote code execution without authentication. No patch is currently available for this high-severity vulnerability.
Unauthenticated OS command injection in MajorDoMo via rc/index.php. EPSS 41.7% — the $param variable is passed unsanitized to shell commands. PoC available.
Command injection in ZoneMinder v1.36.34 video surveillance system via web/views/image.php. Unsanitized user input enables unauthenticated remote code execution. PoC available.
NVIDIA NeMo Framework for all platforms contains a vulnerability in the ASR Evaluator utility, where a user could cause a command injection by supplying crafted input to a configuration parameter. [CVSS 7.8 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/editinstance.php via the POST main_database parameter. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/cron/lang/check_parse_lang.php. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. [CVSS 7.2 HIGH]
Tenda W20E router has a code injection vulnerability in usbPartitionName parameter allowing unauthenticated remote code execution with EPSS 1.1%.
OS command injection in openDCIM 23.04 through commit 4467e9c4 via report_network_map.php allows authenticated users to execute arbitrary commands. EPSS 0.57% with PoC and patch available.
Arbitrary command execution in Vim's netrw plugin prior to version 9.2.0073 allows attackers to execute shell commands with user privileges by crafting malicious URLs (such as scp:// handlers) that users are tricked into opening. The vulnerability requires user interaction but poses a local privilege escalation risk in multi-user environments. A patch is available in Vim 9.2.0073 and later.
Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. CVSS 10.0 with PoC available.
OS command injection in Johnson Controls Frick Controls Quantum HD allows unauthenticated remote attackers to execute arbitrary commands on industrial refrigeration control systems. CVSS 9.8.
Remote code execution in Red Hat Satellite's rubyipmi BMC component allows authenticated users with host creation or update permissions to execute arbitrary code by injecting malicious input into the BMC username field. An attacker with these privileges can compromise the underlying system through command injection. No patch is currently available for this vulnerability.
Command injection in TOTOLINK N300RH router firmware 6.1c.1353 via setDiagnosisCfg handler. EPSS 4.0% with PoC available — high exploitation probability for consumer routers.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the MBird SMS service URL parameters processed during system setup. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro models, with no patch currently available. Exploitation requires high privilege access but carries high impact due to complete system compromise potential.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the server username or password fields during restore operations via the API V1 endpoint. The vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges but could compromise the entire system. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into Wi-Fi SSID or password configuration fields. The vulnerability affects multiple Xweb Pro models (300d, 500b, 500d) and requires high privilege access to exploit, though successful exploitation grants complete system compromise across the network. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the Modbus command tool parameters accessible through the debug route. The vulnerability affects Xweb 300d Pro, 500d Pro, and 500b Pro devices, with a CVSS score of 8.0 indicating high severity. No patch is currently available for this command injection flaw.
Remote code execution in XWEB Pro firmware versions 1.12.1 and prior allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads through crafted LCD state configurations that are processed during system initialization. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges to exploit, though the impact extends across connected systems. No patch is currently available for this high-severity vulnerability (CVSS 8.0).
Remote code execution in Xweb Pro firmware (versions 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by uploading a malicious template file through the devices route. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro models, with no patch currently available. The high CVSS score of 8.0 reflects the severity of achieving code execution with administrative privileges on vulnerable devices.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier (affecting Xweb 500b Pro, 500d Pro, and 300d Pro models) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the server username field during the import preconfiguration API action. An attacker with administrative privileges can exploit this OS command injection vulnerability to gain complete system compromise. No patch is currently available for this vulnerability.
Authenticated attackers can execute arbitrary OS commands on Xweb Pro devices (versions 1.12.1 and earlier across 300d, 500b, and 500d models) by injecting malicious payloads into the hostname configuration parameter during system setup. This command injection vulnerability grants remote code execution with high privileges on affected systems. No patch is currently available, requiring organizations to implement network access controls or disable affected devices until remediation is released.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by submitting a malicious firmware update file through the update mechanism. The vulnerability affects multiple XWEB Pro models (300d, 500d, and 500b) and requires high-level privileges to exploit. No patch is currently available for this high-severity command injection flaw (CVSS 8.0).
Remote code execution in XWEB Pro versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands via malicious input submitted to the restore functionality. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro firmware versions, with no patch currently available. An attacker with valid credentials could compromise the affected device and gain full system control.
Remote code execution in Xweb 300d Pro, 500d Pro, and 500b Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field in the setup route. An attacker with valid credentials can exploit this command injection vulnerability to gain complete system control. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary commands by injecting malicious input into OpenSSL parameter fields. An attacker with valid credentials can exploit this command injection vulnerability through the utility route to gain complete system compromise. No patch is currently available for affected XWEB 500b Pro and 300d Pro devices.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the devices field during firmware updates. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Unauthenticated OS command injection in Copeland XWEB Pro HVAC controller version 1.12.1 and prior. EPSS 0.96% indicates real exploitation risk for internet-exposed building automation systems.
Remote code execution in Xweb 300d/500b/500d Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the firmware update endpoint. The vulnerability stems from insufficient input validation in command processing and requires high privileges but affects the entire system scope. No patch is currently available for this HIGH severity issue.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by submitting malicious input through the contacts import endpoint. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high-level privileges but can compromise the entire system. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field during firmware update operations. The vulnerability affects multiple Xweb Pro models (500d, 500b, and 300d) and requires high-level privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Remote code execution in Xweb 300d Pro, 500b Pro, and 500d Pro firmware (version 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the map filename field during file upload operations. An attacker with valid credentials can exploit this command injection flaw to gain full system control. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the templates route. Affected versions include Xweb 500d Pro, 300d Pro, and 500b Pro. No patch is currently available for this vulnerability.
Remote code execution in osctrl prior to version 0.5.0 allows authenticated administrators to inject arbitrary OS commands through the hostname parameter during environment configuration, which are then executed on all endpoints enrolling via the compromised environment. The injected commands execute with root/SYSTEM privileges before osquery installation, providing complete system compromise with minimal audit trails. A patch is available in version 0.5.0 and later.
Kiteworks versions prior to 9.2.0 suffer from a command injection vulnerability that permits authenticated users to redirect command output to arbitrary file locations, potentially enabling overwriting of critical system files and privilege escalation. The vulnerability requires high privileges and manual user interaction to exploit, resulting in a medium severity rating with limited real-world exploitation likelihood (EPSS 0.1%). No patch is currently available for affected installations.
Zen C is a systems programming language that compiles to human-readable GNU C/C11. [CVSS 6.6 MEDIUM]
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary code execution through crafted CSV files. EPSS 0.41% with PoC and patch available.
Arbitrary command execution in WPGraphQL's GitHub Actions workflow allows attackers with pull request creation privileges to inject shell commands through unvalidated pull request body content, potentially compromising the build environment and repository integrity. The vulnerability affects WPGraphQL versions prior to 2.9.1 and requires low privileges and user interaction to exploit. No patch is currently available for affected deployments.
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.
VMware Aria Operations contains a command injection vulnerability (CVE-2026-22719, CVSS 8.1) that allows unauthenticated remote attackers to execute arbitrary commands during support-assisted product migration. KEV-listed with patches available, this vulnerability targets the infrastructure monitoring platform that has visibility into the entire virtualized environment.
OS command injection via TLS-SRP update functionality. Third TLS-SRP injection CVE — command injection through the credential update mechanism.
OS command injection in OneUptime monitoring platform before 10.0.7. Authenticated users can execute arbitrary commands on the monitoring server. PoC and patch available.
Insufficient input validation in Cisco FXOS and UCS Manager web interfaces enables authenticated administrators to inject arbitrary commands and achieve root-level code execution on affected systems. The vulnerability requires local access and valid admin credentials, allowing privileged attackers to bypass normal OS restrictions. No patch is currently available, and the lack of input sanitization on command arguments represents a critical privilege escalation vector for insider threats.
OS command injection via TLS-SRP handshake. Similar to CVE-2026-27847 but targeting command execution through the SRP authentication process.
OS command injection in OliveTin web shell interface through version 3000.10.0. OliveTin provides web-based access to predefined shell commands — the injection allows executing arbitrary commands beyond the whitelist. PoC available.
OS command injection in InSAT MasterSCADA BUK-TS through MMadmServ web interface. Unauthenticated RCE on SCADA management server. EPSS 1.26%.
Authenticated attackers can achieve remote code execution on Binardat 10G08-0800GSM network switches by injecting the %1a character into the traceroute hostname parameter on the web management interface, allowing arbitrary CLI command execution. The vulnerability affects firmware version V300SP10260209 and earlier, and currently has no available patch. This requires valid web interface credentials but poses significant risk due to its high severity rating and network-accessible attack vector.
Command injection in exiftool's PNG file parser on macOS allows remote attackers to execute arbitrary OS commands by manipulating the DateTimeOriginal argument in the SetMacOSTags function. Public exploit code exists for this vulnerability, and affected users should upgrade to version 13.50 or later to remediate the issue.
OS command injection in the Ping Handler component of Intelbras TIP 635G firmware (version 1.12.3.5) enables authenticated attackers to execute arbitrary system commands remotely. Public exploit code is available for this vulnerability, and the vendor has not provided a patch despite early disclosure notification. Affected devices remain exploitable until the vendor releases a security update.
OS command injection in bleon-ethical/api-gateway-deploy npm package version 1.0.0. Attack chain enables remote code execution through crafted API gateway deployment configuration.
Hummerrisk versions up to 1.5.0. contains a vulnerability that allows attackers to command injection (CVSS 6.3).
Command injection in HummerRisk up to version 1.5.0 allows authenticated remote attackers to execute arbitrary commands through the Cloud Task Dry-run feature by manipulating the fileName parameter in CloudTaskService.java. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can achieve remote code execution with limited impact on confidentiality, integrity, and availability.
HummerRisk versions up to 1.5.0 contain a command injection vulnerability in the Cloud Task Scheduler component where the regionId parameter is insufficiently validated, allowing authenticated remote attackers to execute arbitrary commands. Public exploit code exists for this vulnerability and the vendor has not provided a patch despite early disclosure notification. An authenticated attacker can exploit this to achieve remote code execution with limited scope impact.
yt-dlp is a command-line audio/video downloader. [CVSS 8.8 HIGH]
Zyxel VMG3625-T50B, DX5401 B1, and EMG5523 T50B devices with firmware through version 5.50(ABPM.9.7)C0 contain a post-authentication command injection vulnerability in the TR-369 certificate download function that allows authenticated administrators to execute arbitrary operating system commands. An attacker with admin credentials could leverage this to gain complete control over the affected device. No patch is currently available.
A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0 could allow an authenticated attacker to execute operating system (OS) commands on an affected device. [CVSS 8.8 HIGH]
Command injection in Zyxel EX3510-B0 router UPnP functionality via firmware versions through 5.17. Allows remote code execution through the UPnP service.
Command injection in DrayTek Vigor 300B firmware up to version 1.5.1.6 allows authenticated remote attackers to execute arbitrary OS commands via the File parameter in the web management interface. Public exploit code exists for this vulnerability, though the vendor has confirmed the product is end-of-life and no patch will be released. This affects only unsupported installations with administrative access.
X6000R Firmware versions up to 9.4.0cu.1498_b20250826 is affected by os command injection (CVSS 8.8).
X5000R Firmware versions up to 9.1.0cu.2415_b20250515 is affected by os command injection (CVSS 8.0).
Unauthenticated remote attackers can execute arbitrary commands on dst-admin versions up to 1.5.0 by manipulating the Name parameter in the revertBackup function at /home/restore endpoint. Public exploit code is available for this vulnerability, and the vendor has not provided a patch despite early notification.
Remote code execution in Vaelsys 4.1.0 allows unauthenticated attackers to execute arbitrary OS commands via malicious xajaxargs parameters sent to the /tree/tree_server.php endpoint. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. This network-accessible flaw poses immediate risk to exposed Vaelsys installations.
Remote code execution in Tosei Online Store Management System 1.01 allows unauthenticated attackers to execute arbitrary OS commands through the DevId parameter in /cgi-bin/monitor.php. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires no user interaction and is exploitable over the network.
OpenClaw AI assistant on macOS versions 2026.2.13 and earlier is vulnerable to command injection through the credential refresh mechanism, which improperly handles user-controlled OAuth tokens when constructing shell commands for Keychain operations. An authenticated attacker with local access could exploit this to execute arbitrary OS commands with the privileges of the application user. The vulnerability has been patched in version 2026.2.14.
Moodle's TeX filter fails to properly sanitize administrative configuration inputs, enabling command injection on systems with ImageMagick installed. An authenticated administrator can inject arbitrary system commands through a malicious TeX filter setting, achieving code execution with the privileges of the Moodle server process. No patch is currently available, and exploitation requires administrative access but could compromise the entire Moodle installation.
Remote code execution in Nagios Xi through command injection in the esensors_websensor_configwizard_func method allows authenticated attackers to execute arbitrary commands with service account privileges. The vulnerability stems from insufficient input validation on user-supplied parameters passed to system calls. With a CVSS score of 8.8 and no patch currently available, this poses a significant risk to authenticated users of affected Nagios installations.
Remote code execution in Nagios Xi's monitoringwizard module allows authenticated attackers to execute arbitrary commands through insufficient input validation in system calls. An attacker with valid credentials can exploit this command injection vulnerability to gain code execution with service account privileges on affected installations. No patch is currently available for this high-severity vulnerability.
Nagios Xi for iOS is vulnerable to command injection in the zabbixagent_configwizard_func method due to insufficient input validation, allowing authenticated attackers to execute arbitrary code with service account privileges. The vulnerability requires valid credentials but no user interaction to exploit, and no patch is currently available. Exploitation could grant attackers full system access on affected Nagios installations.
Remote code execution in Deciso OPNsense's backup functionality allows authenticated network-adjacent attackers to execute arbitrary commands with root privileges through insufficient input validation in the diag_backup.php file. An attacker with valid credentials can inject malicious commands into backup filename parameters to achieve code execution on the affected system. No patch is currently available for this vulnerability.
Unauthenticated command injection in thesystem 1.0. EPSS 3.4%. PoC available.
Liquid Prompt is an adaptive prompt for Bash and Zsh. [CVSS 6.3 MEDIUM]
Command injection in Deno versions prior to 2.6.8 allows unauthenticated remote attackers to execute arbitrary commands through the node:child_process implementation. Public exploit code exists for this vulnerability, which carries a CVSS score of 8.1 and affects the confidentiality, integrity, and availability of affected systems. Users should upgrade to Deno 2.6.8 or later to remediate this risk.
Unauthenticated OS command injection in PROLiNK PRC2402M router via ip parameter. EPSS 0.39%.
Command injection in Owl OPDS 2.2.0.4 — duplicate of CVE-2026-26093.
Command injection in Owl OPDS 2.2.0.4. EPSS 0.29%.
Remote code execution in UTT HiPER 520 Firmware 1.7.7-160105 allows unauthenticated attackers to inject arbitrary OS commands through the Isp_Name parameter in the web management interface. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can achieve full system compromise by sending a specially crafted request to the /goform/formReleaseConnect endpoint.
Remote command injection in UTT HiPer 520 Firmware 1.7.7-160105 web management interface allows unauthenticated attackers to execute arbitrary OS commands through the policyNames parameter. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.
EnOcean SmartServer IoT versions 4.60.009 and earlier are vulnerable to unauthenticated remote command injection through maliciously crafted LON IP-852 management messages, enabling attackers to execute arbitrary OS commands with high privileges on affected devices. This network-accessible vulnerability requires no user interaction and affects IoT deployments with no available patch currently available.
Cf-E7 Firmware versions up to 2.6.0.9 contains a vulnerability that allows attackers to command injection (CVSS 6.3).
Command injection in Comfast CF-E7 firmware versions 2.6.0.9 and earlier allows remote authenticated attackers to execute arbitrary commands through the timestr parameter in the NTP timezone configuration function. Public exploit code exists for this vulnerability, and the vendor has not provided patches despite early notification. An attacker with valid credentials can achieve remote code execution with medium impact on confidentiality, integrity, and availability.
OpenClaw versions prior to 2026.2.15 fail to sanitize workspace directory paths before injecting them into LLM prompts, allowing local attackers with execution privileges to inject malicious instructions through control characters and Unicode markers in directory names. An attacker can exploit this prompt injection vulnerability to manipulate the AI assistant's behavior and execute unintended commands. A patch is available in version 2026.2.15 and later.
Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.
Command injection in RustFly 2.0.0 via hex-encoded UDP instructions on port 5005. The remote UI control mechanism accepts and executes commands without validation.
Command injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arbitrary system commands through unsanitized output parsing in the versions() function. Public exploit code exists for this vulnerability, which provides complete system compromise capabilities including information disclosure, modification, and denial of service. Upgrade to version 5.31.0 or later to remediate.
Arbitrary command execution in systeminformation versions before 5.30.8 allows local attackers to execute OS commands through an unsanitized network interface parameter in the wifiNetworks() function's retry logic. Applications passing user-controlled input to this function are vulnerable to privilege escalation attacks running with Node.js process permissions. Public exploit code exists for this vulnerability; a patch is available.
Trivy Action versions 0.31.0 through 0.33.1 allow remote code execution on GitHub Actions runners due to insufficient input sanitization when constructing shell environment variable exports. An attacker with repository access can inject shell metacharacters through action inputs to achieve arbitrary command execution in the runner context. The vulnerability requires high privileges to exploit and is addressed in version 0.34.0.
Unauthenticated OS command injection in NesterSoft WorkTime via report generation API. Allows executing arbitrary commands.
Command injection in SECCN Dingcheng G10 3.1.0.181203 router via session_login.cgi. PoC available.
Unauthenticated remote attackers can achieve OS command injection through the delete_file parameter in Advantech WISE-6610's OpenVPN management interface (/cgi-bin/luci/admin/openvpn_apply), enabling arbitrary command execution with high privileges. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The attack requires high-level privileges but involves minimal complexity and poses significant risks to confidentiality, integrity, and availability.
Saturn Remote Mouse Server on local networks is vulnerable to unauthenticated command injection through specially crafted UDP JSON packets sent to port 27000, enabling attackers to execute arbitrary code with service account privileges. Affected systems lack input validation on command parameters, allowing network-adjacent threat actors to achieve remote code execution without authentication. No patch is currently available for this high-severity vulnerability.
Unauthenticated OS command injection in MajorDoMo via rc/index.php. EPSS 41.7% — the $param variable is passed unsanitized to shell commands. PoC available.
Command injection in ZoneMinder v1.36.34 video surveillance system via web/views/image.php. Unsanitized user input enables unauthenticated remote code execution. PoC available.
NVIDIA NeMo Framework for all platforms contains a vulnerability in the ASR Evaluator utility, where a user could cause a command injection by supplying crafted input to a configuration parameter. [CVSS 7.8 HIGH]