Total
4887 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-18368 | 2 Billion, Zyxel | 6 5200w-t, 5200w-t Firmware, P660hn-t1a V1 and 3 more | 2025-10-22 | 9.8 Critical |
| The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter. | ||||
| CVE-2016-11021 | 1 Dlink | 2 Dcs-930l, Dcs-930l Firmware | 2025-10-22 | 7.2 High |
| setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remote attacker to execute code via an OS command in the SystemCommand parameter. | ||||
| CVE-2025-9377 | 1 Tp-link | 6 Archer C7, Archer C7 Firmware, Tl-wr841n and 3 more | 2025-10-21 | 7.2 High |
| The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es). | ||||
| CVE-2025-8876 | 1 N-able | 1 N-central | 2025-10-21 | 8.8 High |
| Improper Input Validation vulnerability in N-able N-central allows OS Command Injection.This issue affects N-central: before 2025.3.1. | ||||
| CVE-2025-54948 | 1 Trendmicro | 2 Apex One, Apexone Server | 2025-10-21 | 9.4 Critical |
| A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. | ||||
| CVE-2025-1316 | 1 Edimax | 2 Ic-7100, Ic-7100 Firmware | 2025-10-21 | 9.8 Critical |
| Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device | ||||
| CVE-2024-9474 | 1 Paloaltonetworks | 1 Pan-os | 2025-10-21 | 7.2 High |
| A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability. | ||||
| CVE-2024-9463 | 1 Paloaltonetworks | 1 Expedition | 2025-10-21 | 7.5 High |
| An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. | ||||
| CVE-2024-8957 | 1 Ptzoptics | 5 Pt30x-ndi-xx-g2, Pt30x-ndi-xx-g2 Firmware, Pt30x-ndi Firmware and 2 more | 2025-10-21 | 7.2 High |
| PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices. | ||||
| CVE-2024-6047 | 1 Geovision | 55 Gv-bx1500, Gv-cb220, Gv-dsp Lpr and 52 more | 2025-10-21 | 9.8 Critical |
| Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. | ||||
| CVE-2024-51378 | 1 Cyberpanel | 1 Cyberpanel | 2025-10-21 | 10 Critical |
| getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected. | ||||
| CVE-2024-50603 | 1 Aviatrix | 1 Controller | 2025-10-21 | 10 Critical |
| An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test. | ||||
| CVE-2024-4577 | 4 Fedoraproject, Microsoft, Php and 1 more | 4 Fedora, Windows, Php and 1 more | 2025-10-21 | 9.8 Critical |
| In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. | ||||
| CVE-2024-45519 | 1 Zimbra | 2 Collaboration, Zimbra Collaboration Suite | 2025-10-21 | 10 Critical |
| The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands. | ||||
| CVE-2024-40891 | 1 Zyxel | 27 Sbg3300-n000, Sbg3300-n000 Firmware, Sbg3300-nb00 and 24 more | 2025-10-21 | 8.8 High |
| **UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet. | ||||
| CVE-2024-40890 | 1 Zyxel | 27 Sbg3300-n000, Sbg3300-n000 Firmware, Sbg3300-nb00 and 24 more | 2025-10-21 | 8.8 High |
| **UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. | ||||
| CVE-2024-1212 | 2 Kemptechnologies, Progress | 2 Loadmaster, Loadmaster | 2025-10-21 | 10 Critical |
| Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution. | ||||
| CVE-2024-12987 | 1 Draytek | 4 Vigor2960, Vigor2960 Firmware, Vigor300b and 1 more | 2025-10-21 | 7.3 High |
| A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2024-11120 | 1 Geovision | 11 Gv-dsp Lpr, Gv-dsp Lpr Firmware, Gv-dsp Lpr V3 Firmware and 8 more | 2025-10-21 | 9.8 Critical |
| Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports. | ||||
| CVE-2023-47565 | 1 Qnap | 1 Qvr Firmware | 2025-10-21 | 8 High |
| An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QVR Firmware 5.0.0 and later | ||||