Total: 2813 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2025-11298 | | | 2025-10-05 | 6.3 Medium |
A vulnerability was determined in Belkin F9K1015 1.00.10. Impacted is an unknown function of the file /goform/formSetWanStatic. Executing manipulation of the argument m_wan_ipaddr can lead to command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2025-11292 | | | 2025-10-05 | 6.3 Medium |
A weakness has been identified in Belkin F9K1015 1.00.10. Affected is an unknown function of the file /goform/formBSSetSitesurvey. Executing manipulation of the argument wan_ipaddr can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2025-11285 | | | 2025-10-05 | 6.3 Medium |
A vulnerability was found in samanhappy MCPHub up to 0.9.10. Affected by this issue is some unknown functionality of the file src/controllers/serverController.ts. The manipulation of the argument command/args results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2025-55848 | 1 Dlink | 3 Dir-823, Dir-823x, Dir-823x Firmware | 2025-10-03 | 8.8 High |
An issue was discovered in DIR-823 firmware 20250416. There is an RCE vulnerability in the set_cassword settings interface, as the http_casswd parameter is not filtered for '&', which allows injection of reverse connection commands. | ||||
CVE-2025-8937 | 1 Totolink | 2 N350r, N350r Firmware | 2025-10-03 | 6.3 Medium |
A vulnerability has been found in TOTOLINK N350R 1.2.3-B20130826. This vulnerability affects unknown code of the file /boafrm/formSysCmd. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2025-7932 | 1 Dlink | 2 Dir-817l, Dir-817l Firmware | 2025-10-03 | 6.3 Medium |
A vulnerability classified as critical has been found in D-Link DIR‑817L up to 1.04B01. This affects the function lxmldbc_system of the file ssdpcgi. The manipulation leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2025-7836 | 2 D-link, Dlink | 3 Dir-816l, Dir-816l, Dir-816l Firmware | 2025-10-03 | 6.3 Medium |
A vulnerability has been found in D-Link DIR-816L up to 2.06B01 and classified as critical. Affected by this vulnerability is the function lxmldbc_system of the file /htdocs/cgibin of the component Environment Variable Handler. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
CVE-2025-56769 | 1 Hutool | 1 Hutool | 2025-10-03 | 6.5 Medium |
An issue was discovered in chinabugotech hutool before 5.8.4 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class. | ||||
CVE-2025-29155 | 1 Smartbear | 1 Swagger Petstore | 2025-10-03 | 6.5 Medium |
An issue in petstore v.1.0.7 allows a remote attacker to execute arbitrary code via the DELETE endpoint. | ||||
CVE-2025-10689 | 2 D-link, Dlink | 3 Dir-645, Dir-645, Dir-645 Firmware | 2025-10-03 | 6.3 Medium |
A vulnerability was identified in D-Link DIR-645 105B01. This issue affects the function soapcgi_main of the file /soap.cgi. Such manipulation of the argument service leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
CVE-2025-57293 | 1 Comfast | 2 Cf-xr11, Cf-xr11 Firmware | 2025-10-03 | 8.8 High |
A command injection vulnerability in COMFAST CF-XR11 (firmware V2.7.2) exists in the multi_pppoe API, processed by the sub_423930 function in /usr/bin/webmgnt. The phy_interface parameter is not sanitized, allowing attackers to inject arbitrary commands via a POST request to /cgi-bin/mbox-config?method=SET&section=multi_pppoe. When the action parameter is set to "one_click_redial", the unsanitized phy_interface is used in a system() call, enabling execution of malicious commands. This can lead to unauthorized access to sensitive files, execution of arbitrary code, or full device compromise. | ||||
CVE-2025-4008 | 1 Smartbedded | 2 Meteobridge Firmware, Meteobridge Vm | 2025-10-03 | 8.8 High |
The Meteobridge web interface lets Meteobridge administrators manage their weather station data collection and administer their Meteobridge system through a web application written in CGI shell scripts and C. This web interface exposes an endpoint that is vulnerable to command injection. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices. | ||||
CVE-2025-11121 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2025-10-03 | 6.3 Medium |
A security vulnerability has been detected in Tenda AC18 15.03.05.19. The impacted element is an unknown function of the file /goform/AdvSetLanip. The manipulation of the argument lanIp leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | ||||
CVE-2025-1497 | 1 Mljar | 1 Plotai | 2025-10-03 | 9.8 Critical |
A vulnerability that could result in Remote Code Execution (RCE) has been found in PlotAI. Lack of validation of LLM-generated output allows an attacker to execute arbitrary Python code. The vendor commented out the vulnerable line; further usage of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch to fix this vulnerability. | ||||
CVE-2024-3659 | 2 Kaongroup, Kaonmedia | 3 Ar2140, Ar2140 Firmware, Ar2140 Firmware | 2025-10-03 | 7.2 High |
Firmware in KAON AR2140 routers prior to version 4.2.16 is vulnerable to a shell command injection via sending a crafted request to one of the endpoints. In order to exploit this vulnerability, one has to have access to the administrative portal of the router. | ||||
CVE-2025-50756 | 1 Wavlink | 2 Wn535k3, Wn535k3 Firmware | 2025-10-03 | 9.8 Critical |
Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the newpass parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
CVE-2025-59741 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/CLT/LOGINERRORFRM.ASP'. | ||||
CVE-2025-59740 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_CAT.ASP'. | ||||
CVE-2025-59739 | 1 Andsoft | 1 E-tms | 2025-10-02 | 9.8 Critical |
Operating system command injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute operating system commands on the server by sending a POST request. The relationship between parameter and assigned identifier is a 'm' parameter in '/clt/LOGINFRM_original.ASP'. | ||||
CVE-2025-10325 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2025-10-02 | 6.3 Medium |
A vulnerability was identified in Wavlink WL-WN578W2 221110. This impacts the function sub_401340/sub_401BA4 of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. |