The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2020-35576 | A Command Injection issue in the traceroute feature on TP-Link TL-WR841N V13 (JP) with firmware versions prior to 201216 allows authenticated users to execute arbitrary code as root via shell metacharacters, a different vulnerability than CVE-2018-12577. | HIGH | Jan 26, 2021 |
| CVE-2020-29664 | A command injection issue in dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet. | HIGH | Feb 18, 2021 |
| CVE-2020-9862 | A command injection issue existed in Web Inspector. This issue was addressed with improved escaping. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Copying a URL from Web Inspector may lead to command injection. | MEDIUM | Oct 16, 2020 |
| CVE-2023-45208 | A command injection in the parsing_xml_stasurvey function inside libcgifunc.so of the D-Link DAP-X1860 repeater 1.00 through 1.01b05-01 allows attackers (within range of the repeater) to run shell commands as root during the setup process of the repeater, via a crafted SSID. Also, network names containing single quotes (in the range of the repeater) can result in a denial of service. | -- | Oct 10, 2023 |
| CVE-2022-29013 | A command injection in the command parameter of Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to execute arbitrary commands via a crafted POST request. | HIGH | Jun 9, 2022 |
| CVE-2018-16460 | A command Injection in ps package versions <1.0.0 for Node.js allowed arbitrary commands to be executed when attacker controls the PID. | HIGH | Sep 7, 2018 |
| CVE-2018-3785 | A command injection in git-dummy-commit v1.3.0 allows os level commands to be executed due to an unescaped parameter. | HIGH | Aug 17, 2018 |
| CVE-2019-5129 | A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getSpiritsFromVideo.php is vulnerable to a command injection attack. | HIGH | Oct 30, 2019 |
| CVE-2019-5128 | A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack. | HIGH | Oct 30, 2019 |
| CVE-2019-5127 | A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack. | HIGH | Oct 30, 2019 |
| CVE-2022-3874 | A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system. | -- | Sep 26, 2023 |
| CVE-2020-12148 | A command injection flaw identified in the nslookup API in Silver Peak Unity ECOSTM (ECOS) appliance software could allow an attacker to execute arbitrary commands with the privileges of the web server running on the EdgeConnect appliance. An attacker could exploit this vulnerability to establish an interactive channel, effectively taking control of the target system. This vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI. This affects all ECOS versions prior to : 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0. | HIGH | Dec 11, 2020 |
| CVE-2019-15575 | A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to inject commands via the API through the blobs scope. | MEDIUM | Dec 27, 2019 |
| CVE-2023-6019 | A command injection existed in Ray\'s cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers\' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023 | -- | Nov 16, 2023 |
| CVE-2018-19451 | A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when using the Open File action on a Field. An attacker can leverage this to gain remote code execution. | -- | Jun 10, 2019 |
| CVE-2018-19445 | A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API app.launchURL is used. An attacker can leverage this to gain remote code execution. | MEDIUM | Jun 18, 2019 |
| CVE-2018-19450 | A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) 5.4.0.1031 when parsing a launch action. An attacker can leverage this to gain remote code execution. | MEDIUM | Jun 18, 2019 |
| CVE-2024-3400 | A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. | -- | Apr 16, 2024 |
| CVE-2018-16216 | A command injection (missing input validation, escaping) in the monitoring or memory status web interface in AudioCodes 405HD (firmware 2.2.12) VoIP phone allows an authenticated remote attacker in the same network as the device to trigger OS commands (like starting telnetd or opening a reverse shell) via a POST request to the web server. In combination with another attack (unauthenticated password change), the attacker can circumvent the authentication requirement. | HIGH | Apr 29, 2019 |
| CVE-2018-19977 | A command injection (missing input validation, escaping) in the ftp upgrade configuration interface on the Auerswald COMfort 1200 IP phone 3.4.4.1-10589 allows an authenticated remote attacker (simple user) -- in the same network as the device -- to trigger OS commands (like starting telnetd or opening a reverse shell) via a POST request to the web server. | HIGH | May 30, 2019 |
| CVE-2019-12328 | A command injection (missing input validation) issue in the remote phonebook configuration URI in the web interface of the Atcom A10W VoIP phone with firmware 2.6.1a2421 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request. | HIGH | Jul 29, 2019 |
| CVE-2019-12324 | A command injection (missing input validation) issue in the IP address field for the logging server in the configuration web interface on the Akuvox R50P VoIP phone with firmware 50.0.6.156 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request. | HIGH | Aug 5, 2019 |
| CVE-2024-3566 | A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | -- | Apr 10, 2024 |
| CVE-2021-20020 | A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root. | HIGH | Apr 12, 2021 |
| CVE-2021-21954 | A command execution vulnerability exists in the wifi_country_code_update functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted set of network packets can lead to arbitrary command execution. | HIGH | Dec 9, 2021 |
| CVE-2023-32632 | A command execution vulnerability exists in the validate.so diag_ping_start functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability. | -- | Oct 12, 2023 |
| CVE-2022-36429 | A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability. | -- | Mar 24, 2023 |
| CVE-2023-49133 | A command execution vulnerability exists in the tddpd enable_test_mode functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926 and Tp-Link N300 Wireless Access Point (EAP115 V4) v5.0.4 Build 20220216. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.This vulnerability impacts `uclited` on the EAP225(V3) 5.1.0 Build 20220926 of the AC1350 Wireless MU-MIMO Gigabit Access Point. | -- | Apr 9, 2024 |
| CVE-2023-49134 | A command execution vulnerability exists in the tddpd enable_test_mode functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926 and Tp-Link N300 Wireless Access Point (EAP115 V4) v5.0.4 Build 20220216. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.This vulnerability impacts `uclited` on the EAP115(V4) 5.0.4 Build 20220216 of the N300 Wireless Gigabit Access Point. | -- | Apr 9, 2024 |
| CVE-2022-38452 | A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability. | -- | Mar 24, 2023 |
| CVE-2023-43482 | A command execution vulnerability exists in the guest resource functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | -- | Feb 6, 2024 |
| CVE-2021-21809 | A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities. | HIGH | Jun 23, 2021 |
| CVE-2022-25995 | A command execution vulnerability exists in the console inhand functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability. | HIGH | May 12, 2022 |
| CVE-2022-32585 | A command execution vulnerability exists in the clish art2 functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability. | HIGH | Jun 30, 2022 |
| CVE-2022-37337 | A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | -- | Mar 24, 2023 |
| CVE-2014-5086 | A Command Execution vulnerability exists in Sphider Pro, and Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5086 pertains to instances of fwrite in Sphider Pro and Sphider Plus only, but don’t exist in Sphider. | HIGH | Feb 13, 2020 |
| CVE-2014-5084 | A Command Execution vulnerability exists in Sphider Pro 3.2 due to insufficient sanitization of fwrite, which could let a remote malicious user execute arbitrary code. CVE-2014-5084 pertains to instances of fwrite in Sphider Pro only, but do not exist in either Sphider or Sphider Plus. | MEDIUM | Feb 14, 2020 |
| CVE-2014-5085 | A Command Execution vulnerability exists in Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5085 pertains to instances of fwrite in Sphider Plus, but do not exist in either Sphider or Sphider Pro. | MEDIUM | Feb 14, 2020 |
| CVE-2014-5083 | A Command Execution vulnerability exists in Sphider before 1.3.6 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5083 pertains to instances of fwrite in Sphider. | MEDIUM | Feb 14, 2020 |
| CVE-2021-42242 | A command execution vulnerability exists in jfinal_cms 5.0.1 via com.jflyfox.component.controller.Ueditor. | HIGH | May 5, 2022 |
| CVE-2018-1000189 | A command execution vulnerability exists in Jenkins Absint Astree Plugin 1.0.5 and older in AstreeBuilder.java that allows attackers with Overall/Read access to execute a command on the Jenkins master. | MEDIUM | Jun 5, 2018 |
| CVE-2013-0517 | A Command Execution Vulnerability exists in IBM Sterling External Authentication Server 2.2.0, 2.3.01, 2.4.0, and 2.4.1 via an unspecified OS command, which could let a local malicious user execute arbitrary code. | HIGH | Feb 13, 2020 |
| CVE-2020-1930 | A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges. | HIGH | Feb 2, 2020 |
| CVE-2020-1931 | A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. | HIGH | Feb 2, 2020 |
| CVE-2016-7547 | A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in the admin_sys_time.cgi interface. | HIGH | Apr 17, 2017 |
| CVE-2017-7844 | A combination of an external SVG image referenced on a page and the coloring of anchor links stored within this image can be used to determine which pages a user has in their history. This can allow a malicious website to query user history. Note: This issue only affects Firefox 57. Earlier releases are not affected. This vulnerability affects Firefox < 57.0.1. | MEDIUM | Jun 12, 2018 |
| CVE-2021-41028 | A combination of a use of hard-coded cryptographic key vulnerability [CWE-321] in FortiClientEMS 7.0.1 and below, 6.4.6 and below and an improper certificate validation vulnerability [CWE-297] in FortiClientWindows, FortiClientLinux and FortiClientMac 7.0.1 and below, 6.4.6 and below may allow an unauthenticated and network adjacent attacker to perform a man-in-the-middle attack between the EMS and the FCT via the telemetry protocol. | MEDIUM | Dec 16, 2021 |
| CVE-2021-39937 | A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare circumstances | MEDIUM | Dec 15, 2021 |
| CVE-2016-6593 | A code-execution vulnerability exists during startup in jhi.dll and otpiha.dll in Symantec VIP Access Desktop before 2.2.2, which could let local malicious users execute arbitrary code. | MEDIUM | Jan 17, 2020 |
| CVE-2023-22381 | A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.8.0 and was fixed in versions 3.4.15, 3.5.12, 3.6.8, 3.7.5. This vulnerability was reported via the GitHub Bug Bounty program. | -- | Mar 3, 2023 |
