ReportizFlow
Filtered by vendor
Subscriptions
Total
5402 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59831 | 1 Riceball | 1 Git-commiters | 2025-10-16 | 8.8 High |
| git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2. | ||||
| CVE-2025-11005 | 1 Totolink | 2 X6000r, X6000r Firmware | 2025-10-16 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1458_B20250708. | ||||
| CVE-2025-47856 | 1 Fortinet | 1 Fortivoice | 2025-10-16 | 7.2 High |
| Two improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in Fortinet FortiVoice version 7.2.0, 7.0.0 through 7.0.6 and before 6.4.10 allows a privileged attacker to execute arbitrary code or commands via crafted HTTP/HTTPS or CLI requests. | ||||
| CVE-2024-1297 | 1 Loomio | 1 Loomio | 2025-10-15 | 7.2 High |
| Loomio version 2.22.0 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to OS Command Injection. | ||||
| CVE-2016-15047 | 1 Avtech | 3 Dvr Devices, Ip Camera, Nvr Devices | 2025-10-15 | N/A |
| AVTECH devices that include the CloudSetup.cgi management endpoint are vulnerable to authenticated OS command injection. The `exefile` parameter in CloudSetup.cgi is passed to the underlying system command execution without proper validation or whitelisting. An authenticated attacker who can invoke this endpoint can supply crafted input to execute arbitrary system commands as root. Successful exploitation grants full control of the device, and - depending on deployment and whether the device stores credentials or has network reachability to internal systems - may enable credential theft, lateral movement, or data exfiltration. The archived SEARCH-LAB disclosure implies that this vulnerability was remediated in early 2017, but AVTECH has not defined an affected version range. | ||||
| CVE-2022-4364 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2025-10-15 | 7.3 High |
| A vulnerability has been found in Teledyne FLIR AX8 up to 1.46.16. Affected by this issue is some unknown functionality of the file palette.php of the component Web Service Handler. The manipulation of the argument palette leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.49.16 can resolve this issue. Upgrading the affected component is advised. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities." | ||||
| CVE-2024-9053 | 1 Vllm-project | 1 Vllm | 2025-10-15 | 9.8 Critical |
| vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data. | ||||
| CVE-2024-4253 | 1 Gradio Project | 1 Gradio | 2025-10-15 | 9.1 Critical |
| A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. The vulnerability arises due to improper neutralization of special elements used in a command, allowing for unauthorized modification of the base repository or secrets exfiltration. The issue affects versions up to and including '@gradio/[email protected]'. The flaw is present in the workflow's handling of GitHub context information, where it echoes the full name of the head repository, the head branch, and the workflow reference without adequate sanitization. This could potentially lead to the exfiltration of sensitive secrets such as 'GITHUB_TOKEN', 'COMMENT_TOKEN', and 'CHROMATIC_PROJECT_TOKEN'. | ||||
| CVE-2024-10019 | 1 Lollms | 1 Lollms Web Ui | 2025-10-15 | 6.7 Medium |
| A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability. | ||||
| CVE-2025-59834 | 3 Adb Mcp Project, Google, Srmorete | 3 Adb Mcp, Android, Adb Mcp Server | 2025-10-14 | 9.8 Critical |
| ADB MCP Server is a MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. This issue has been patched via commit 041729c. | ||||
| CVE-2025-52906 | 1 Totolink | 2 X6000r, X6000r Firmware | 2025-10-14 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1360_B20241207. | ||||
| CVE-2025-5459 | 1 Puppet | 1 Puppet Enterprise | 2025-10-14 | 8.8 High |
| A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0. | ||||
| CVE-2025-59361 | 1 Chaos-mesh | 2 Chaos-mesh, Chaos Mesh | 2025-10-14 | 9.8 Critical |
| The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | ||||
| CVE-2025-59360 | 1 Chaos-mesh | 2 Chaos-mesh, Chaos Mesh | 2025-10-14 | 9.8 Critical |
| The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | ||||
| CVE-2025-59359 | 1 Chaos-mesh | 2 Chaos-mesh, Chaos Mesh | 2025-10-14 | 9.8 Critical |
| The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | ||||
| CVE-2024-10035 | 1 Bg-tek | 2 Coslat, Coslatv3 Firmware | 2025-10-14 | 9.8 Critical |
| Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security Technologies CoslatV3 allows Command Injection, Privilege Escalation.This issue affects CoslatV3: through 3.1069. NOTE: The vendor was contacted and it was learned that the product is not supported. | ||||
| CVE-2025-56819 | 2 Datart, Running-elephant | 2 Datart, Datart | 2025-10-11 | 9.8 Critical |
| An issue in Datart v.1.0.0-rc.3 allows a remote attacker to execute arbitrary code via the INIT connection parameter. | ||||
| CVE-2025-11138 | 2 Wenkucms, Wenkucms Project | 2 Wenkucms, Wenkucms | 2025-10-10 | 6.3 Medium |
| A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-60959 | 2 Endrun, Endruntechnologies | 3 Sonoma D12 Network Time Server, Sonoma D12, Sonoma D12 Firmware | 2025-10-10 | 8.2 High |
| OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information. | ||||
| CVE-2025-60957 | 2 Endrun, Endruntechnologies | 3 Sonoma D12 Network Time Server, Sonoma D12, Sonoma D12 Firmware | 2025-10-10 | 9.9 Critical |
| OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information. | ||||