
OS Command Injection

web CRITICAL

OS command injection occurs when an application passes unsanitized user input directly into system shell commands.

How It Works

The root cause is that the shell does not treat the input as pure data: it interprets special characters as command separators or modifiers, so an attacker can append arbitrary commands to the one the application intended to run. Common injection points include system(), exec(), popen(), and backtick operators in languages like PHP, Python, and Ruby.

Attackers exploit shell metacharacters to break out of the intended command context. On both Unix and Windows, semicolons (;), pipes (|), and logical operators (&&, ||) chain multiple commands. Unix shells additionally interpret backticks and $() for command substitution, while newlines can also separate statements. For example, if an application executes ping -c 4 $USER_IP, an attacker supplying 8.8.8.8; cat /etc/passwd causes the server to run two commands sequentially.

Attacks manifest in three variants. Visible injection returns command output in the HTTP response, giving immediate feedback. Blind injection produces no direct output, requiring time-based detection (using sleep or timeout commands) or out-of-band confirmation via DNS lookups or HTTP callbacks to attacker-controlled servers. Attackers can also redirect output to web-accessible files for later retrieval.

Impact

  • Complete server compromise — execute any command with the application's privileges, often www-data or root
  • Lateral movement — scan internal networks, pivot to backend systems unreachable from the internet
  • Data exfiltration — dump databases, read configuration files containing credentials, access sensitive business data
  • Persistence mechanisms — install cron jobs, add SSH keys, deploy web shells for continued access
  • Denial of service — crash services, fill disk space, consume CPU resources
  • Supply chain attacks — modify application code or deployment artifacts to compromise downstream users

Real-World Examples

The Ivanti Cloud Service Appliance suffered CVE-2024-8190, where command injection in the administrative interface allowed unauthenticated attackers to execute arbitrary OS commands. CISA added it to the Known Exploited Vulnerabilities catalog after observing active exploitation against enterprise networks.

GitLab experienced multiple command injection vulnerabilities over the years, including issues in repository import functionality where Git URLs containing shell metacharacters were passed unsanitized to system commands, enabling remote code execution on self-hosted instances.

Network equipment frequently contains these flaws. Various Netgear routers have exhibited command injection in ping diagnostic tools, where user-supplied IP addresses were concatenated directly into shell commands without validation, granting attackers complete device control.

Mitigation

  • Eliminate OS commands entirely — use native language libraries (filesystem APIs, network functions) instead of shelling out
  • Strict input allowlisting — permit only exact matches against predefined values; validate format with regex before any processing
  • Parameterized execution APIs — use execve() or language equivalents that pass arguments as arrays, bypassing the shell interpreter completely
  • Principle of least privilege — run application processes with minimal permissions to limit compromise impact
  • Input validation — enforce expected patterns (IP addresses, alphanumeric IDs) but never rely on blacklisting metacharacters
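The ping case from How It Works, worked as an added example (not code from this page): the string-concatenated command the page describes beside an argv-array replacement gated by an IP-literal allowlist, i.e. the third and second mitigations above. The names validate_ip, build_ping_argv and looks_like_injection are my own; the metacharacter check is a logging signal only, not the control.

```python
"""Hardened replacement for the `ping -c 4 $USER_IP` pattern discussed above.

Added example, not the page's own code. Contrasts building a shell string
with passing an argument array behind a strict allowlist.
"""
import ipaddress
import subprocess
from typing import List

# Sample inputs (constructed): a benign target and the injection string
# quoted on the page.
BENIGN_TARGET = "8.8.8.8"
INJECTED_TARGET = "8.8.8.8; cat /etc/passwd"

# Metacharacters the page lists for Unix and Windows shells. Used ONLY as a
# detection signal worth logging; the allowlist below is the actual control.
SHELL_METACHARS = set(";|&`$()\n\r<>")


def looks_like_injection(user_input: str) -> bool:
    """Detection signal: does the input carry a shell metacharacter?
    A hit is worth an alert; a miss must never be read as 'safe'."""
    return any(ch in SHELL_METACHARS for ch in user_input)


def vulnerable_ping_command(user_ip: str) -> str:
    """The pattern the page describes: user data concatenated into a shell
    string. Returned here, never executed; a shell would split it on ';'."""
    return f"ping -c 4 {user_ip}"


def validate_ip(user_ip: str) -> str:
    """Strict allowlist: only a syntactically valid IPv4/IPv6 literal passes.
    ipaddress.ip_address raises ValueError on anything else, so hostnames,
    CIDR ranges and any string carrying metacharacters are rejected outright
    (hostnames are a deliberate exclusion for this diagnostic endpoint)."""
    try:
        return str(ipaddress.ip_address(user_ip.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected ping target: {user_ip!r}") from exc


def is_accepted(user_ip: str) -> bool:
    """Convenience wrapper: True if the allowlist accepts the value."""
    try:
        validate_ip(user_ip)
        return True
    except ValueError:
        return False


def build_ping_argv(user_ip: str, count: int = 4) -> List[str]:
    """Build the argument array for ping (Unix `-c` form as on the page).
    Each element reaches execve() as one argv entry; no shell parses it, so
    a separator inside the value can never start a second command."""
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), validate_ip(user_ip)]


def run_ping(user_ip: str) -> subprocess.CompletedProcess:
    """shell=False (the default) execs ping directly with the argv array."""
    argv = build_ping_argv(user_ip)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=15, check=False)


if __name__ == "__main__":
    for candidate in (BENIGN_TARGET, INJECTED_TARGET):
        if looks_like_injection(candidate):
            print(f"ALERT possible injection attempt: {candidate!r}")
        print("shell string would be:", vulnerable_ping_command(candidate))
        try:
            print("argv actually executed:", build_ping_argv(candidate))
        except ValueError as err:
            print("blocked:", err)
```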

Recent CVEs (2392)

EPSS 1% CVSS 8.9
HIGH POC This Week

A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setWiFiAclRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument mode causes OS command injection. The attack can be carried out remotely. The exploit has been published and may be used.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setNtpCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument tz results in OS command injection. The attack can be executed remotely. The exploit is now public and may be used.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument sambaEnabled leads to OS command injection. Remote exploitation is possible. The exploit has been disclosed publicly and may be used.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument wanIdx can lead to OS command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in Totolink A8000RU 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'merge' parameter in the setWiFiEasyCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists on GitHub (Litengzheng/vuldb_new2), enabling trivial exploitation against internet-facing devices. CVSS 8.9 reflects network attack vector with no authentication required (AV:N/PR:N), and EPSS data suggests moderate real-world exploitation probability given the POC availability and low attack complexity.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in Totolink A8000RU 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via crafted addrPrefixLen parameter to the setIpv6LanCfg function in /cgi-bin/cstecgi.cgi. CVSS 8.9 (High) with CVSS:4.0 vector indicating network-accessible, low-complexity attack requiring no privileges or user interaction. Publicly available exploit code exists (GitHub POC), enabling weaponization by threat actors. Not currently listed in CISA KEV, suggesting limited observed exploitation despite public disclosure and high severity scoring.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH This Week

OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'enable' parameter in the setUPnPCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC confirmed), increasing immediate risk for exposed devices. EPSS data not available, but CVSS 8.9 with network vector (AV:N), no authentication (PR:N), and low complexity (AC:L) indicates trivial remote exploitation against default configurations.

Command Injection
NVD GitHub VulDB
EPSS 1% CVSS 8.9
HIGH This Week

OS command injection in Totolink A8000RU 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'wizard' parameter in the setWizardCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (CVSS E:P), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector (AV:N), no authentication (PR:N), low complexity (AC:L), and published POC indicates elevated real-world risk for internet-exposed devices.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH This Week

OS command injection in Tenda HG3 router version 2.0 allows authenticated remote attackers to execute arbitrary commands with device privileges via the 'countrystr' parameter in /boaform/formCountrystr endpoint. Public exploit code exists (CVSS 4.0 E:P modifier confirms POC availability), enabling authenticated attackers to fully compromise router confidentiality, integrity, and availability. EPSS data unavailable; not currently in CISA KEV catalog, suggesting exploitation may be targeted rather than widespread despite public POC.

Command Injection Tenda
NVD VulDB
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the setIptvCfg parameter in /cgi-bin/cstecgi.cgi. CVSS 8.9 (Critical) with network attack vector and no authentication required. Public exploit code available on GitHub since disclosure, significantly lowering exploitation barrier for attackers targeting internet-facing consumer routers. No vendor patch identified for this end-of-life device at time of analysis.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec). The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration.
Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.

RCE Apache Command Injection +2
NVD VulDB
EPSS 3% CVSS 2.1
LOW Monitor

Command injection in Tenda F456 1.0.0.5 httpd allows authenticated remote attackers to execute arbitrary commands via the mac parameter in the /goform/WriteFacMac endpoint. The vulnerability has a publicly available exploit and CVSS 5.3 score with authenticated access requirement (PR:L), limiting immediate widespread risk but affecting exposed or compromised administrative accounts.

Command Injection Tenda
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

OS command injection in Tenda HG3 router version 2.0 (build 300003070) allows authenticated remote attackers to execute arbitrary system commands with router privileges via the fmgpon_loid parameter in the formgponConf administrative function. Public exploit code is available and confirmed usable for attacks per VulDB reporting, significantly lowering the skill barrier for exploitation despite requiring valid administrative credentials.

Command Injection Tenda
NVD VulDB
EPSS 1% CVSS 5.5
MEDIUM Monitor

Command injection in D-Link DIR-822 A_101 udhcpd DHCP service allows remote unauthenticated attackers to execute arbitrary commands via a malicious Hostname parameter in DHCP requests. The vulnerability affects an end-of-life product with publicly disclosed exploit code available, creating significant risk for organizations unable to migrate away from legacy hardware.

Command Injection D-Link
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Command injection in LogonTracer versions prior to 2.0.0 allows authenticated users to execute arbitrary OS commands on the server. LogonTracer, a JPCERT/CC-developed log analysis tool for investigating lateral movement in Windows Active Directory environments, contains an insufficiently sanitized input handler that permits shell command injection. Authentication is required (PR:L), but once logged in, attackers can achieve complete system compromise with high confidentiality, integrity, and availability impact (VC:H/VI:H/VA:H). No active exploitation confirmed at time of analysis, though the CVSS 4.0 score of 8.7 and low attack complexity (AC:L) indicate significant risk for organizations running vulnerable versions.

Command Injection
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code by providing a crafted command parameter.

RCE Command Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated command injection in Tenda AC18 router firmware V15.03.05.05_multi allows complete device compromise via the SetSambaCfg interface. Attackers can execute arbitrary system commands by manipulating the guestuser parameter in HTTP requests to /goform/SetSambaCfg. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.06% (19th percentile) suggests low observed exploitation despite extreme technical severity. Publicly documented exploit proof-of-concept exists on GitHub.

Command Injection Tenda
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Remote OS command injection in simple-openstack-mcp allows unauthenticated attackers to execute arbitrary system commands via the exec_openstack function in server.py. The vulnerability affects all deployments up to commit 767b2f4a8154cca344344b9725537a58399e6036, with confirmed publicly available exploit code (GitHub issue #3). CVSS 7.3 severity reflects network attack vector with no authentication required, enabling direct system compromise. Project maintainer has not responded to vulnerability disclosure at time of analysis.

Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Remote unauthenticated attackers can inject arbitrary operating system commands through the browser-connector.ts file in AgentDeskAI browser-tools-mcp versions up to 1.2.0, leading to command execution with application privileges. The vulnerability stems from improper input sanitization in file browser processing and has been published with publicly available exploit code; the vendor has been notified but has not yet released a patch.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

OS command injection in Intina47 context-sync through version 2.0.0 allows remote unauthenticated attackers to execute arbitrary system commands via the Git integration module (src/git-integration.ts). CVSS 7.3 with network attack vector and no authentication required indicates significant exposure. Publicly available exploit code exists (wing3e/public_exp repository), though no CISA KEV listing suggests exploitation remains limited to proof-of-concept demonstrations rather than widespread campaigns. EPSS data unavailable, but the combination of network exposure, authentication bypass, and public exploit warrants immediate remediation priority for organizations using this synchronization tool.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

OS command injection in Toowiredd chatgpt-mcp-server up to version 0.1.0 allows remote unauthenticated attackers to execute arbitrary system commands through the Docker service component. The vulnerability exists in src/services/docker.service.ts within the MCP/HTTP interface and has publicly available exploit code. The vendor has been notified but has not yet released a patch.

Docker Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Remote command injection in MiroFish versions up to 0.1.2 allows unauthenticated attackers to execute arbitrary system commands through the SimulationIPCClient.send_command function in the inter-process communication module. The vulnerability is actively exploitable via network access with low complexity, requiring no user interaction or authentication. A public proof-of-concept exploit has been disclosed (GitHub issue #488), and EPSS data shows moderate exploitation probability. The vendor (666ghj) has been notified via issue report but has not responded or released a patch, leaving all MiroFish installations vulnerable to remote compromise.

Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

Command injection in ssh-mcp versions up to 1.5.0 allows authenticated local users to execute arbitrary OS commands via the Description parameter to the shell.write function in src/index.ts. Publicly available exploit code exists (GitHub issue #44) demonstrating the vulnerability. Despite CVSS 7.1 severity, real-world risk is moderate due to local-only attack vector and low EPSS score (0.06%, 18th percentile), indicating minimal observed exploitation attempts. Vendor has not responded to early disclosure via issue report.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 enables remote unauthenticated attackers to execute arbitrary system commands via the pptpPassThru parameter in the setVpnPassCfg function. Public exploit code exists on GitHub, dramatically lowering the barrier to exploitation. CVSS v4.0 base score of 8.9 reflects network attack vector, low complexity, and no authentication requirements, with high impact to confidentiality, integrity, and availability of the vulnerable device.

Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 7.3
HIGH This Week

OS command injection in Linksys MR9600 router firmware 2.0.6.206937 allows authenticated administrators to execute arbitrary system commands via crafted 'pin' parameter to the BTRequestGetSmartConnectStatus JNAP action handler. Publicly available exploit code exists (CVSS E:P), enabling remote compromise of router with full system-level access. Vendor notified but unresponsive, leaving users without confirmed patch. EPSS data not available; CVSS 7.3 severity reflects high impact limited by high privilege requirement (PR:H).

Command Injection Linksys
NVD GitHub VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in Tenda F453 firmware up to version 1.0.0.3 allows authenticated remote attackers to execute arbitrary system commands via the TendaTelnet function in the /goform/telnet endpoint. The vulnerability has publicly available exploit code and may be actively used against deployed devices. Attack requires low-privilege authentication but carries significant risk due to the telnet service's direct command execution capability.

Command Injection Tenda
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM This Month

Remote command injection in PicoClaw Web Launcher Management Plane (versions up to 0.2.4) allows unauthenticated attackers to execute arbitrary system commands via the /api/gateway/restart endpoint. CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication. Proof-of-concept code exists (CVSS:E:P). Vendor has not responded to responsible disclosure (reported via GitHub issue #2307), indicating no official patch is available. The Web Launcher Management Plane component suggests this affects administrative/control interfaces, making it a high-priority target for internet-exposed deployments.

Command Injection
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Remote command injection in GitPilot-MCP allows unauthenticated attackers to execute arbitrary system commands via the repo_path function in main.py. The vulnerability affects all versions up to commit 9ed9f153ba4158a2ad230ee4871b25130da29ffd, with publicly available exploit code demonstrating practical exploitation. CVSS 7.3 (High) with network vector and no authentication required indicates significant exposure, though CVSS impact ratings (L/L/L) suggest attackers may have limited privileges in command execution context.

Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in electerm's npm install script allows unauthenticated attackers to execute arbitrary system commands on Linux systems during package installation. The install.js script unsafely concatenates attacker-controlled version strings from the project's update server directly into an 'rm -rf' command, enabling command injection. This critically affects users installing electerm via 'npm install -g electerm' on Linux, as a compromised update server or man-in-the-middle attacker could inject malicious commands during the installation process. The vulnerability has been patched in commit 59708b38c8, and the fixed version is already published to npm.

Command Injection Node.js
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated local users can execute arbitrary code on Windows, macOS, and Linux via HTML injection in SiYuan desktop notification messages through version 3.6.4. The Electron-based desktop application mishandles notification rendering with unsafe settings (nodeIntegration enabled, contextIsolation disabled, webSecurity disabled), escalating XSS to full system compromise. Vendor-released patch available in version 3.6.5. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

XSS RCE Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Command injection in Vim's tag file processing allows local attackers to execute arbitrary shell commands with user privileges when resolving tags containing backtick syntax. Versions prior to 9.2.0357 are affected. The vulnerability requires user interaction (opening a crafted tags file or navigating to a tag), but once triggered, grants full command execution capability in the context of the Vim process.

Command Injection Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Command injection in Roxy-WI versions prior to 8.2.6.4 enables authenticated attackers to execute arbitrary OS commands with sudo privileges on managed servers. The vulnerability stems from unsanitized input in the /config/<service>/find-in-config endpoint that breaks out of grep command context during remote SSH execution. A proof-of-concept exploit exists (CVSS E:P), and the CVSS 4.0 score of 7.4 reflects network-based attack with low complexity requiring only low-privilege authentication. Vendor-released patch 8.2.6.4 available via GitHub commit 02f147d.

RCE Apache Command Injection +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A critical Remote Code Execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. The issue has been fixed.

RCE Command Injection
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

radare2-mcp version 1.6.0 and earlier contains an OS command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). Attackers can inject shell metacharacters through the jsonrpc interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication.

RCE Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. This vulnerability is fixed in 3.1.0.

Python Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.

Command Injection
NVD GitHub VulDB
EPSS 1% CVSS 9.4
CRITICAL PATCH Act Now

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.

RCE Command Injection Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Command injection in Paperclip @paperclipai/server (versions <2026.416.0) allows authenticated agents to execute arbitrary OS commands on the server host. Attackers with Agent API credentials can escalate from agent runtime to full server host control by injecting malicious shell commands through the adapterConfig.workspaceStrategy.provisionCommand field during workspace provisioning. CVSS 8.8 (high) with network-accessible attack vector and low complexity. Vendor patch available in version 2026.416.0. No public exploit or CISA KEV listing identified at time of analysis, but the vulnerability breaks critical trust boundaries in multi-agent AI orchestration systems.

Privilege Escalation RCE Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Remote code execution in IBM Total Storage Service Console (TSSC) and TS4500 IMC versions 9.2 through 9.6 allows unauthenticated attackers to execute arbitrary commands with normal user privileges via improper input validation. The vulnerability carries a CVSS score of 7.3 with network attack vector and low complexity (AV:N/AC:L/PR:N/UI:N), enabling remote exploitation without authentication. No public exploit identified at time of analysis, and EPSS risk data is not available for this 2026 CVE.

Command Injection IBM
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the recHour parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the user parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeServiceName parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the provider parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the ttlWay parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the mode parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the week parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the interval parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeMtu parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the dhcpMtu parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the url parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-port parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the password parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-user parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi.

Command Injection
NVD GitHub
EPSS 0% CVSS 8.4
HIGH POC PATCH This Week

Command injection in the radare2 PDB parser (versions before 6.1.4) enables arbitrary OS command execution when users analyze malicious PDB files. Publicly available exploit code exists. Attackers craft PDB files with newline characters in symbol names to inject radare2 commands during flag renaming operations, which then execute OS commands via radare2's shell operator when victims run the 'idp' command. CVSS 8.4 reflects a local attack vector requiring user interaction; EPSS data is not available. A patch was released in version 6.1.4, with a detailed technical disclosure at blog.calif.io describing the 0-day discovery process.

Command Injection Suse
NVD GitHub
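The radare2 entry above is a reminder that the separator to worry about is the one the receiving interpreter uses, not just the shell's. The following added example (not radare2 code; the "rename" and "!" commands, the placeholder flag sym.0 and the symbol name are all constructed for illustration) models that flaw class with a toy line-oriented interpreter: a symbol name taken from an untrusted file is interpolated into a script, a newline ends the rename statement, and the remainder becomes a second statement that the interpreter hands to the OS shell.

```python
import subprocess


class ToyAnalyzer:
    """Line-oriented command interpreter modelled on the flaw class above.
    'rename OLD NEW' updates the flag table; a line starting with '!' is
    handed to the OS shell, like radare2's shell operator. Not radare2 code."""

    def __init__(self):
        self.flags = {}
        self.shell_log = []

    def run_script(self, script: str) -> None:
        for line in script.split("\n"):       # newline is the statement separator
            line = line.strip()
            if not line:
                continue
            if line.startswith("!"):
                out = subprocess.run(line[1:], shell=True, capture_output=True, text=True).stdout
                self.shell_log.append(out.strip())
            elif line.startswith("rename "):
                _, old, new = line.split(" ", 2)
                self.flags[new] = self.flags.pop(old)
            else:
                raise ValueError(f"unknown command: {line!r}")


def rename_script_unsafe(old: str, new: str) -> str:
    """Vulnerable: the symbol name read from the file is interpolated verbatim."""
    return f"rename {old} {new}"


def sanitize_symbol(name: str) -> str:
    """Fix: a symbol name must never contain the interpreter's own separators
    (newline ends a statement, space ends a token, other controls are noise)."""
    if not name or any(ch.isspace() or ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        raise ValueError(f"unsafe symbol name: {name!r}")
    return name


def rename_script_safe(old: str, new: str) -> str:
    return f"rename {sanitize_symbol(old)} {sanitize_symbol(new)}"


def import_symbol(symbol_name: str, safe: bool) -> ToyAnalyzer:
    """Simulates importing one symbol from an untrusted debug file: the
    placeholder flag 'sym.0' at 0x401000 is renamed to the file-supplied name."""
    an = ToyAnalyzer()
    an.flags["sym.0"] = 0x401000
    build = rename_script_safe if safe else rename_script_unsafe
    an.run_script(build("sym.0", symbol_name))
    return an


def is_rejected(symbol_name: str) -> bool:
    try:
        sanitize_symbol(symbol_name)
        return False
    except ValueError:
        return True


# Constructed malicious symbol name: the newline ends the rename statement and
# the remainder becomes a second statement that reaches the shell.
MALICIOUS_SYMBOL = "main\n!echo PWNED"


if __name__ == "__main__":
    hit = import_symbol(MALICIOUS_SYMBOL, safe=False)
    print("unsafe path ran shell:", hit.shell_log)       # ['PWNED']
    print("safe path rejects name:", is_rejected(MALICIOUS_SYMBOL))
```

Note that shell quoting (shlex.quote and friends) would not have helped here: the interpreter splits the script on newlines before any text reaches /bin/sh, so the check has to be applied to the value at the point where it is spliced into the script. Where a format legitimately permits such characters, escape or map them into a safe representation rather than passing them through.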
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133.

SQLi PostgreSQL Command Injection +1
NVD GitHub
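The NocoBase entry above describes a recursive CTE whose anchor row is selected by a string primary key that is concatenated rather than bound. The following added example (not NocoBase's queryParentSQL code; the nodes and users tables, the rows and the CTE are constructed for illustration, and SQLite stands in for PostgreSQL) shows the same query built both ways: a crafted key value turns the anchor into a UNION that reads another table, while the parameterised version treats the same value as an opaque string.

```python
import sqlite3

# Constructed schema and rows: a tree collection with string primary keys
# and a users table holding the data an attacker would go after.
SCHEMA = """
CREATE TABLE nodes (id TEXT PRIMARY KEY, parent_id TEXT, title TEXT);
CREATE TABLE users (email TEXT, password_hash TEXT);
INSERT INTO nodes VALUES ('root', NULL, 'Root'), ('child', 'root', 'Child'), ('leaf', 'child', 'Leaf');
INSERT INTO users VALUES ('admin@example.test', '$2b$12$constructed.hash.value');
"""

# Walks from a node up to the root; {anchor} is where the primary key goes.
CTE = (
    "WITH RECURSIVE chain(id, parent_id, title) AS ("
    " SELECT id, parent_id, title FROM nodes WHERE id = {anchor}"
    " UNION ALL"
    " SELECT n.id, n.parent_id, n.title FROM nodes n JOIN chain c ON n.id = c.parent_id"
    ") SELECT id, parent_id, title FROM chain"
)


def connect() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def ancestors_unsafe(con: sqlite3.Connection, pk: str):
    """Vulnerable: the string key is quoted by hand and concatenated into the SQL."""
    return con.execute(CTE.format(anchor=f"'{pk}'")).fetchall()


def ancestors_safe(con: sqlite3.Connection, pk: str):
    """Fixed: the same CTE with the key bound as a parameter."""
    return con.execute(CTE.format(anchor="?"), (pk,)).fetchall()


# Constructed malicious key: closes the quote, appends a second anchor member
# that reads the users table, and re-opens a quote to absorb the trailing "'".
MALICIOUS_PK = "x' UNION ALL SELECT email, password_hash, 'pwned' FROM users WHERE 'a'='a"


def demo() -> dict:
    con = connect()
    return {
        "legit_safe": ancestors_safe(con, "leaf"),
        "attack_unsafe": ancestors_unsafe(con, MALICIOUS_PK),
        "attack_safe": ancestors_safe(con, MALICIOUS_PK),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unsafe variant returns the users row as if it were part of the tree, the bound variant returns nothing for the crafted key and the expected chain for a real one. On PostgreSQL the same injection point, reached with a service account that holds the required privilege, is what the entry escalates to OS command execution through COPY ... TO PROGRAM; binding the key closes both outcomes, and running the application's database role with the minimum privileges removes the escalation path even if another injection is found.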
EPSS 0% CVSS 9.2
CRITICAL POC PATCH Act Now

Remote code execution via unauthenticated command injection in rclone's remote control API allows network attackers to execute arbitrary commands on the host system through a single HTTP request. The vulnerability affects rclone deployments with the RC API enabled (--rc or rclone rcd) that are network-accessible and lack global HTTP authentication. An attacker exploits the unprotected operations/fsinfo endpoint by crafting a WebDAV backend definition with a malicious bearer_token_command parameter, which executes during backend initialization. Confirmed exploitable on master branch (commit bf55d5e6) and release v1.73.4 with public proof-of-concept available. CVSS 9.2 reflects critical severity with network attack vector and no authentication required, though exploitation requires specific deployment configuration (AT:P). No CISA KEV listing or EPSS data available at time of analysis.

Command Injection Ubuntu
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as http_proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and administrator privileges to the Management Console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.

Command Injection
NVD GitHub
EPSS 1% CVSS 8.9
HIGH This Week

Remote code execution in AVideo versions 29.0 and below allows unauthenticated attackers to execute arbitrary shell commands on the server via command injection in the CloneSite plugin's cloneServer.json.php endpoint. Attackers exploit unsanitized user input in the 'url' parameter that gets directly concatenated into a wget command executed through PHP's exec() function. With CVSS 8.9 (AV:N/AC:L/PR:N/UI:N) and proof-of-concept exploitation confirmed (E:P), this represents a critical risk requiring immediate patching. Fix available in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb.

PHP RCE Command Injection
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in WWBN AVideo up to version 29.0 allows unauthenticated attackers to execute arbitrary system commands via unsanitized URL parameters in test.php. This vulnerability stems from an incomplete fix that sanitized wget calls but left file_get_contents and curl code paths exploitable through regex bypass (accepting strings like 'httpevil[.]com'). CVSS 9.3 with Critical scope change reflects the severity. Upstream fix available in commit 78bccae but no tagged release version confirmed at time of analysis. EPSS data not provided; no CISA KEV listing identified.

PHP Command Injection
NVD GitHub VulDB
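The two AVideo entries above are the classic pair: a URL concatenated into a wget command line run through exec(), then an incomplete fix whose regex still accepts values such as 'httpevil[.]com'. The following added example (not AVideo code; the fetcher, the weak regex and the URLs are constructed for illustration, with echo standing in for wget so it runs offline) shows the vulnerable concatenation, the weak prefix check, the argv-only form and a positively validated form, and what each one actually hands to the operating system.

```python
import re
import subprocess
from urllib.parse import urlparse

# "echo" stands in for wget so the example runs without network access; the
# command-line construction is the point, not the program being run.
FETCHER = "echo"


def fetch_unsafe(url: str) -> str:
    """Vulnerable pattern: untrusted URL concatenated into a shell command line,
    the Python equivalent of exec("wget " . $url) in PHP."""
    cmd = f"{FETCHER} fetching {url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Hypothetical stand-in for an incomplete fix: it only checks that the value
# starts with "http", so "httpevil.com; ..." passes straight through.
WEAK_URL_RE = re.compile(r"^http")


def fetch_weak_regex(url: str) -> str:
    if not WEAK_URL_RE.match(url):
        raise ValueError(f"rejected: {url!r}")
    return fetch_unsafe(url)


def fetch_argv(url: str) -> str:
    """No shell: the URL is one argv element, so ';' and '|' stay literal text.
    Not sufficient on its own, because a value such as "-O/etc/cron.d/x" would
    still be parsed by the real fetcher as an option (argument injection)."""
    return subprocess.run([FETCHER, "fetching", url], capture_output=True, text=True).stdout


HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")


def validate_url(url: str) -> str:
    """Positive validation: parse, then allow only the shape the feature needs."""
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError(f"whitespace or control character in URL: {url!r}")
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):      # also rules out a leading '-'
        raise ValueError(f"scheme not allowed: {url!r}")
    if not parts.netloc or not HOST_RE.match(parts.netloc):
        raise ValueError(f"host not allowed: {url!r}")
    return url


def fetch_safe(url: str) -> str:
    """Hardened: validated URL passed as a single argument, no shell involved."""
    return fetch_argv(validate_url(url))


def is_rejected(url: str) -> bool:
    try:
        validate_url(url)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    payload = "http://example.com; echo INJECTED"     # constructed payload
    print(repr(fetch_unsafe(payload)))                 # second command runs
    print(repr(fetch_weak_regex("httpevil.com; echo INJECTED")))
    print(repr(fetch_argv(payload)))                   # ';' printed literally
    print(is_rejected("httpevil.com"), is_rejected(payload))
```

Two things the passage does not spell out but a reviewer of the fix should insist on: validate the parsed structure (scheme, host) rather than a prefix of the raw string, and keep the argv form even after validation, since the allowlist is the only thing standing between a leading '-' and the fetcher's option parser.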
EPSS 1% CVSS 2.1
LOW POC Monitor

A security flaw has been discovered in Comfast CF-N1-S 2.6.0.1. It affects unknown functionality of the file /cgi-bin/mbox-config?method=SET&section=ping_config of the component Endpoint. Manipulating the argument destination results in command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond.

Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Command injection in Tenda W30E V2.0 firmware V16.01.0.21 allows remote unauthenticated attackers to execute arbitrary operating system commands as root through the formSetUSBPartitionUmount function by manipulating the usbPartitionName parameter. The vulnerability is rated critical (CVSS 9.8) because it is reachable over the network without authentication, though EPSS exploitation probability remains low (0.17%, 38th percentile), suggesting limited attacker interest at time of analysis. No active exploitation is confirmed by CISA KEV, and the availability of public exploit code could not be verified from the researcher's disclosure.

Command Injection Tenda
NVD GitHub
EPSS 3% CVSS 7.3
HIGH This Week

Command injection in Tenda W30E router firmware V16.01.0.21 allows unauthenticated remote attackers to execute arbitrary system commands via the 'hostName' parameter in the diagnostic ping function. Attack requires only network access to the router's web interface with no authentication or user interaction. Proof-of-concept exploit code is publicly available (SSVC exploitation status: POC). EPSS data not available, but SSVC framework marks this as automatable with partial technical impact, making it suitable for mass scanning campaigns targeting exposed Tenda routers.

Command Injection Tenda
NVD GitHub
EPSS 1% CVSS 9.4
CRITICAL Act Now

Remote code execution in Atlassian Bamboo Data Center versions 9.6.0 through 12.1.0 allows authenticated attackers to execute arbitrary OS commands via a command injection vulnerability. The attack requires low-privilege authentication (PR:L) but no user interaction, enabling complete system compromise across confidentiality, integrity, and availability, with the CVSS v4.0 subsequent-system metrics (SC:H/SI:H/SA:H) indicating expected impact on systems beyond the vulnerable Bamboo host. Atlassian has released patches for three major version branches (9.6.25, 10.2.18, 12.1.6). No active exploitation confirmed in CISA KEV at time of analysis, though the authenticated nature and critical CVSS 9.4 score warrant immediate patching for internet-exposed instances with broad user access.

RCE Command Injection Atlassian
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Command injection in FreePBX API module 17.0.8 and earlier allows authenticated attackers with valid bearer tokens to execute arbitrary operating system commands as the web server user via malicious GraphQL mutations. The initiateGqlAPIProcess() function passes unsanitized GraphQL moduleOperations mutation input directly to shell_exec(), enabling backtick-wrapped command execution. While requiring high privileges (PR:H), the vulnerability provides complete system compromise within the web server context (CVSS 8.6). Vendor patch available via GitHub commit 5f194e39. No public exploit code or active exploitation confirmed at time of analysis.

Command Injection
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Remote code execution in Quantum Networks router QN-I-470 allows authenticated attackers to execute arbitrary OS commands as root via command injection in the management CLI interface. The vulnerability stems from inadequate input sanitization, enabling low-privileged authenticated users to escalate privileges to root level. CVSS 8.7 (High) reflects network-accessible exploitation with low complexity, requiring only low-privilege authentication. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, and the authenticated nature and CLI access requirement limit exploitation to users with existing device credentials.

RCE Command Injection
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Remote code execution with root privileges in Quantum Networks router QN-I-470 version 6.1.1.B1 allows adjacent network attackers to execute arbitrary OS commands through the management CLI interface via command injection. The vulnerability requires no authentication (CVSS PR:N) and exploits inadequate input sanitization (CWE-78). Adjacent network access (AV:A) limits attack surface to local network segments. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though EPSS data unavailable to assess real-world exploitation probability.

RCE Command Injection
NVD
EPSS 6% CVSS 9.3
CRITICAL PATCH Act Now

OS command injection in NewSoft NewSoftOA allows remote unauthenticated attackers to execute arbitrary system commands on the server. CVSS 9.3 (Critical) with network attack vector and no authentication required. The description contains a contradiction: it states 'local attackers' while the CVSS vector indicates AV:N (network-accessible). Based on the CVSS vector, this is remotely exploitable without authentication. No CISA KEV listing or public exploit code identified at time of analysis, but network accessibility and the lack of an authentication barrier make this a high-priority remediation target for organizations running NewSoftOA.

Command Injection
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Command injection in Lawnchair's GitHub Actions workflow allows authenticated repository contributors to execute arbitrary code on GitHub-hosted CI/CD runners. The vulnerability affects Lawnchair for Android versions prior to commit fcba413f5 and stems from unsanitized workflow_dispatch inputs in release_update.yml. Authenticated attackers with repository write access can inject shell commands through workflow parameters, achieving full code execution in the build environment. A patch is available (commit fcba413f5), and the CVSS vector indicates this is a network-accessible, low-complexity attack requiring low privileges. CVSS v4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact scoped to the vulnerable CI/CD system. EPSS data not provided; no CISA KEV listing at time of analysis.

RCE Google Command Injection
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Dolibarr ERP 22.0.4 and earlier allows authenticated users with PHP content editing permissions to execute arbitrary OS commands on the server. The vulnerability stems from a bypassable blacklist-based filter for dangerous PHP functions in the Website module. Attack complexity is low (CVSS AV:N/AC:L/PR:L), requiring only valid low-privilege credentials. Public proof-of-concept code exists on GitHub, though CISA has not confirmed active exploitation. EPSS data is unavailable, but SSVC assessment indicates total technical impact with no current exploitation evidence.

PHP RCE Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution with container escape in Flowsint OSINT tool allows unauthenticated attackers to execute arbitrary OS commands as root on the host machine. The vulnerability exploits shell metacharacter injection in the 'org_to_asn' transformer when processing organization nodes in OSINT sketches. With CVSS 9.3 (CVSS 4.0), network attack vector, low complexity, and no authentication required, this represents critical risk to any internet-exposed Flowsint instance. Upstream fix committed (b52cbbb904c) removes vulnerable code, but no tagged release version confirmed yet. CVSS vector indicates proof-of-concept exploit exists (E:P).

Docker Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Dell PowerProtect Data Domain versions 8.5 through 8.6 contain a local command injection vulnerability (CWE-78) allowing high-privileged attackers with local access to execute arbitrary commands with root privileges. The attack requires local access and elevated privileges (CVSS PR:H) but results in complete system compromise. No public exploit code has been identified, and CVSS 6.7 reflects the significant privilege barrier despite high impact.

Command Injection Dell
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

OS command injection in Dell PowerProtect Data Domain versions 8.5 through 8.6 allows high-privileged attackers to execute arbitrary commands with root privileges by exploiting improper neutralization of special elements in OS command processing. This vulnerability requires high-privilege access but, once exploited, grants full system compromise. No active exploitation or public exploit code has been identified at time of analysis, but the vendor has released patches addressing the issue.

Command Injection Dell
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

OS command injection in Dell PowerProtect Data Domain allows authenticated administrative users with network access to execute arbitrary commands with root privileges. Affects multiple release branches (7.7.1.0-8.6, LTS2025 8.3.1.0-8.3.1.20, LTS2024 7.13.1.0-7.13.1.60). Dell released patches across all affected branches (8.6.1.10, 7.13.1.70, 8.3.1.30). EPSS data unavailable; no KEV listing or public exploit identified at time of analysis. While CVSS 7.2 reflects high impact, exploitation requires pre-existing high-privilege administrative credentials, significantly limiting real-world attack surface to insider threats or credential compromise scenarios.

Command Injection Dell
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

OS command injection in Dell PowerProtect Data Domain versions 7.7.1.0-8.6, LTS2025 8.3.1.0-8.3.1.20, and LTS2024 7.13.1.0-7.13.1.60 allows high-privileged remote attackers to execute arbitrary commands as root. Network-accessible exploitation requires existing administrative credentials but minimal attack complexity (CVSS:3.1/AV:N/AC:L/PR:H). No active exploitation confirmed (not in CISA KEV). Vendor patch available per DSA-2026-060, addressing CWE-78 command injection weakness in multiple product streams including LTS releases.

Command Injection Dell
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

OS command injection in Dell PowerProtect Data Domain allows remote high-privileged attackers to execute arbitrary commands on DD OS versions 7.7.1.0-8.5, LTS2025 8.3.1.0-8.3.1.10, and LTS2024 7.13.1.0-7.13.1.40. Dell published DSA-2026-060 addressing this CWE-78 flaw with CVSS 7.2 (high impact on confidentiality, integrity, availability). No public exploit identified at time of analysis. Post-authentication requirement (PR:H) reduces immediate risk for environments with strong privileged access controls, but network attack vector (AV:N) enables remote exploitation once administrative credentials are obtained.

Command Injection Dell
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' permissions to execute arbitrary commands via malicious WAF rule file uploads. The attacker exploits unsanitized input during the file upload process in the web UI. With CVSS 8.4 and a scope of Changed, successful exploitation enables complete system compromise beyond the vulnerable component. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis. EPSS data not available for risk assessment.

RCE Command Injection File Upload
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allows authenticated administrators with 'VS Administration' privileges to execute arbitrary operating system commands on the appliance via unsanitized input to the 'aclcontrol' API command. CVSS 8.4 reflects the high-privilege requirement, while the Changed scope indicates impact beyond the vulnerable component. EPSS data not provided. No public exploit identified at time of analysis. Vendor-released patch: version 7.2.63.0 for all affected products per Progress advisory.

RCE Command Injection
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager API allows authenticated attackers with 'All' permissions to execute arbitrary commands on appliances via unsanitized input in the 'killsession' API endpoint. CVSS 8.4 (High) reflects adjacent network access vector and high privileges requirement, limiting exploitation to administrators or compromised admin accounts. CISA SSVC assessment indicates no active exploitation, non-automatable attack, but total technical impact. EPSS data not provided, but privilege requirements significantly reduce real-world attack surface compared to unauthenticated RCE vulnerabilities.

RCE Command Injection
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration permissions to execute arbitrary OS commands on appliances via the unsanitized 'addcountry' API parameter. Affects LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager versions prior to 7.2.63.0. EPSS data unavailable; not listed in CISA KEV. CVSS 8.4 reflects high impact (complete system compromise) but requires adjacent network access and high-privilege authentication, significantly constraining real-world exploitation scenarios. Vendor has released patches addressing all affected products.

RCE Command Injection
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

OS command injection in TeamT5 ThreatSonar Anti-Ransomware ≤4.0.0 allows authenticated remote attackers with shell access to escalate privileges to root. Despite the high CVSS score (8.7), exploitation requires legitimate shell access and low-privilege authentication, limiting attack surface to environments where ransomware protection agents are accessible to compromised accounts. EPSS probability is low (0.12%, 32nd percentile), and no active exploitation or public POC has been identified. Taiwan CERT published advisories, suggesting regional deployment significance.

Privilege Escalation Command Injection
NVD VulDB
EPSS 1% CVSS 9.4
CRITICAL Act Now

Remote code execution in ASUSTOR ADM (ASUSTOR Data Master) operating system versions 4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1 allows authenticated administrators to inject arbitrary OS commands via the PPTP VPN Clients web interface. The command injection (CWE-78) bypasses the restricted web environment, enabling full system compromise. Attack complexity is low (AC:L) with network attack vector (AV:N), and CVSS 9.4 reflects critical impact across confidentiality, integrity, and availability. No active exploitation or public POC confirmed at time of analysis, though EPSS probability data not available.

RCE Command Injection
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in DjangoBlog WeChat Bot Interface allows authenticated remote attackers to execute arbitrary system commands by manipulating the Source argument in the CommandHandler function. Affected versions up to 2.1.0.0 are vulnerable. The exploit has been publicly disclosed on GitHub, and the vendor has not responded to early disclosure attempts. CVSS score of 6.3 reflects moderate severity with network-accessible attack vector requiring authentication.

Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Command injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate privileges from UI user to worker-level code execution. Affects all Airflow versions before 3.2.0. The vulnerability stems from documentation suggesting unsafe handling of dag_run.conf parameters, which organizations may have replicated in production DAGs. EPSS score of 0.03% indicates low observed exploitation probability, though the upstream fix (PR #64129) demonstrates vendor acknowledgment and remediation.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Command injection in Dolibarr ERP/CRM versions before 23.0.0 allows authenticated administrators to execute arbitrary operating system commands during ODT-to-PDF template conversion. The vulnerability stems from unsanitized concatenation of the MAIN_ODT_AS_PDF configuration constant into shell commands in odf.php. Exploitation requires administrative privileges (PR:H) but can be executed remotely (AV:N) with low complexity (AC:L), resulting in full system compromise as the web server user. Fixed in version 23.0.0. EPSS data not available; no public exploit identified at time of analysis.

PHP RCE Command Injection
NVD GitHub VulDB
Page 4 of 27

Quick Facts

Typical Severity: CRITICAL
Category: web
Total CVEs: 2392
