ReportizFlow
Filtered by vendor
Subscriptions
Total
5757 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27613 | 2 Maximmasiutin, Ritlabs | 2 Tinyweb, Tinyweb | 2026-04-17 | 9.8 Critical |
| TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact is either source code disclosure or remote code execution (RCE). Anyone hosting CGI scripts (particularly interpreted languages like PHP) using vulnerable versions of TinyWeb is impacted. The problem has been patched in version 2.01. If upgrading is not immediately possible, ensure `STRICT_CGI_PARAMS` is enabled (it is defined by default in `define.inc`) and/or do not use CGI executables that natively accept dangerous command-line flags (such as `php-cgi.exe`). If hosting PHP, consider placing the server behind a Web Application Firewall (WAF) that explicitly blocks URL query string parameters that begin with a hyphen (`-`) or contain encoded double quotes (`%22`). | ||||
| CVE-2026-27635 | 2 Manyfold, Manyfold3d | 2 Manyfold, Manyfold | 2026-04-17 | 7.5 High |
| Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue. | ||||
| CVE-2026-27938 | 2 Wordpress, Wpgraphql | 2 Wordpress, Wpgraphql | 2026-04-17 | 7.7 High |
| WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability. | ||||
| CVE-2026-28279 | 1 Jmpsec | 1 Osctrl | 2026-04-17 | 7.4 High |
| osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands. | ||||
| CVE-2026-20742 | 1 Copeland | 9 Copeland Xweb 300d Pro, Copeland Xweb 500b Pro, Copeland Xweb 500d Pro and 6 more | 2026-04-17 | 8 High |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the templates route. | ||||
| CVE-2026-24452 | 1 Copeland | 9 Copeland Xweb 300d Pro, Copeland Xweb 500b Pro, Copeland Xweb 500d Pro and 6 more | 2026-04-17 | 8 High |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted template file to the devices route. | ||||
| CVE-2026-23702 | 1 Copeland | 9 Copeland Xweb 300d Pro, Copeland Xweb 500b Pro, Copeland Xweb 500d Pro and 6 more | 2026-04-17 | 8 High |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in the API V1 route. | ||||
| CVE-2026-3037 | 1 Copeland | 9 Copeland Xweb 300d Pro, Copeland Xweb 500b Pro, Copeland Xweb 500d Pro and 6 more | 2026-04-17 | 8 High |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is later processed during system setup, leading to remote code execution. | ||||
| CVE-2026-3301 | 1 Totolink | 2 N300rh, N300rh Firmware | 2026-04-17 | 9.8 Critical |
| A security flaw has been discovered in Totolink N300RH 6.1c.1353_B20190305. Affected by this vulnerability is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument webWlanIdx results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-28417 | 1 Vim | 1 Vim | 2026-04-17 | 4.4 Medium |
| Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue. | ||||
| CVE-2026-26279 | 1 Froxlor | 1 Froxlor | 2026-04-17 | 9.1 Critical |
| Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4. | ||||
| CVE-2026-26478 | 1 Mobvoi | 3 Tichome Mini, Tichome Mini Firmware, Tichome Mini Smart Speaker | 2026-04-17 | 9.8 Critical |
| A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012-18853 and 027-58389 allows remote attackers to send a specially crafted UDP datagram and execute arbitrary shell code as the root account. | ||||
| CVE-2026-28774 | 2 Datacast, International Datacasting Corporation (idc) | 3 Sfx2100, Sfx2100 Firmware, Sfx Series Superflex Satellitereceiver Web Management Interface | 2026-04-17 | 8.8 High |
| An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges. | ||||
| CVE-2026-27441 | 1 Seppmail | 2 Seppmail, Seppmail Secure Email Gateway | 2026-04-17 | 9.8 Critical |
| SEPPmail Secure Email Gateway before version 15.0.1 insufficiently neutralizes the PDF encryption password, allowing OS command execution. | ||||
| CVE-2026-28287 | 2 Freepbx, Sangoma | 2 Security-reporting, Freepbx | 2026-04-17 | 8.8 High |
| FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5. | ||||
| CVE-2026-25070 | 2 Anhui Seeker Electronic Technology Co., Ltd., Seekswan | 3 Xikestor Sks8310-8x, Zikestor Sks8310-8x, Zikestor Sks8310-8x Firmware | 2026-04-17 | 9.8 Critical |
| XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to achieve remote code execution with root privileges on the network switch. | ||||
| CVE-2026-34940 | 2 Kubeai, Kubeai-project | 2 Kubeai, Kubeai | 2026-04-17 | 8.7 High |
| KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2. | ||||
| CVE-2026-40088 | 2 Mervinpraison, Praison | 2 Praisonai, Praisonai | 2026-04-16 | 9.7 Critical |
| PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121. | ||||
| CVE-2026-20008 | 1 Cisco | 3 Adaptive Security Appliance Software, Firepower Threat Defense Software, Secure Firewall Threat Defense | 2026-04-16 | 6 Medium |
| A vulnerability in a small subset of CLI commands that are used on Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to craft Lua code that could be used on the underlying operating system as root. This vulnerability exists because user-provided input is not properly sanitized. An attacker could exploit this vulnerability by crafting valid Lua code and submitting it as a malicious parameter for a CLI command. A successful exploit could allow the attacker to inject Lua code, which could lead to arbitrary code execution as the root user. To exploit this vulnerability, an attacker must have valid Administrator credentials. | ||||
| CVE-2026-35585 | 1 Filebrowser | 1 Filebrowser | 2026-04-16 | 7.2 High |
| File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and delete — is vulnerable to OS command injection. Variable substitution for values like $FILE and $USERNAME is performed via os.Expand without sanitization. An attacker with file write permission can craft a malicious filename containing shell metacharacters, causing the server to execute arbitrary OS commands when the hook fires. This results in Remote Code Execution (RCE). This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. | ||||