Total
5368 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-37027 | 1 Midgetspy | 1 Sickbeard | 2026-02-04 | 9.8 Critical |
| Sickbeard alpha contains a remote command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands through the extra scripts configuration. Attackers can set malicious commands in the extra scripts field and trigger processing to execute remote code on the vulnerable Sickbeard installation. | ||||
| CVE-2025-9974 | 1 Nokia | 1 Nokia Ont | 2026-02-04 | 8 High |
| The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution. Due to insufficient validation of user-supplied data, a low-privileged authenticated attacker may be able to execute arbitrary commands on the underlying ONT/Beacon operating system, potentially impacting the confidentiality, integrity, and availability of the device. | ||||
| CVE-2026-22550 | 1 Elecom | 2 Wrc-x1500gs-b, Wrc-x1500gsa-b | 2026-02-04 | N/A |
| OS command injection vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. A crafted request from a logged-in user may lead to an arbitrary OS command execution. | ||||
| CVE-2024-45519 | 1 Synacor | 1 Zimbra Collaboration Suite | 2026-02-03 | 10 Critical |
| The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands. | ||||
| CVE-2026-22708 | 2 Anysphere, Cursor | 2 Cursor, Cursor | 2026-02-03 | 9.8 Critical |
| Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3. | ||||
| CVE-2026-24788 | 1 Raspap | 1 Raspap-webgui | 2026-02-03 | N/A |
| RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product. | ||||
| CVE-2024-25579 | 1 Elecom | 10 Wmc-x1800gst-b Firmware, Wrc-1167gs2-b Firmware, Wrc-1167gs2h-b Firmware and 7 more | 2026-02-03 | 6.8 Medium |
| OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. Note that WMC-X1800GST-B is also included in e-Mesh Starter Kit "WMC-2LX-B". | ||||
| CVE-2021-47748 | 1 Hasura | 1 Graphql Engine | 2026-02-02 | 9.8 Critical |
| Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality. | ||||
| CVE-2021-47851 | 1 Yodinfo | 1 Mini Mouse | 2026-02-02 | 9.8 Critical |
| Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads by sending crafted JSON requests with malicious script commands. | ||||
| CVE-2024-2421 | 1 Honeywell | 1 Lenels2 Netbox | 2026-02-02 | 9.8 Critical |
| LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated RCE in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions. | ||||
| CVE-2024-50388 | 1 Qnap | 2 Hbs 3, Hybrid Backup Sync | 2026-01-30 | 9.8 Critical |
| An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 25.1.1.673 and later | ||||
| CVE-2020-37012 | 1 Ammarfaizi2 | 1 Tea Latex | 2026-01-30 | 9.8 Critical |
| Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API action. | ||||
| CVE-2025-33234 | 1 Nvidia | 1 Runx | 2026-01-29 | 7.8 High |
| NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-56092 | 1 Ruijie | 5 Rg-ew300t, Rg-ew300t Firmware, X30-pro and 2 more | 2026-01-29 | 8.8 High |
| OS Command Injection vulnerability in Ruijie X30 PRO V1 X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | ||||
| CVE-2025-1676 | 1 Hzmanyun | 1 Education And Training System | 2026-01-29 | 6.3 Medium |
| A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. Affected by this vulnerability is the function pdf2swf of the file /pdf2swf. The manipulation of the argument file leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-8890 | 1 Sdmc | 1 Ne6037 | 2026-01-28 | N/A |
| Firmware in SDMC NE6037 routers prior to version 7.1.12.2.44 has a network diagnostics tool vulnerable to a shell command injection attacks. In order to exploit this vulnerability, an attacker has to log in to the router's administrative portal, which by default is reachable only via LAN ports. | ||||
| CVE-2026-1428 | 1 Wellchoose | 1 Single Sign On Portal System | 2026-01-27 | 8.8 High |
| Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | ||||
| CVE-2026-1427 | 1 Wellchoose | 1 Single Sign-on Portal System | 2026-01-27 | 8.8 High |
| Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | ||||
| CVE-2025-56101 | 1 Ruijie | 5 M18-ew, M18-ew Firmware, M18 Ew and 2 more | 2026-01-27 | 8.8 High |
| OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | ||||
| CVE-2025-56089 | 1 Ruijie | 5 M18-ew, M18-ew Firmware, M18 Ew and 2 more | 2026-01-27 | 8.8 High |
| OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. | ||||