Total
3139 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14276 | 2026-02-24 | 5.1 MEDIUM | 5.6 MEDIUM | ||
| A vulnerability was determined in Ilevia EVE X1 Server up to 4.6.5.0.eden. Impacted is an unknown function of the file /ajax/php/leaf_search.php. This manipulation of the argument line causes command injection. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. Upgrading the affected component is recommended. The vendor confirms the issue and recommends: "We already know that issue and on most devices are already solved, also it’s not needed to open the port to outside world so we advised our customer to close it". | |||||
| CVE-2026-21518 | 1 Microsoft | 1 Visual Studio Code | 2026-02-23 | N/A | 8.8 HIGH |
| Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network. | |||||
| CVE-2025-70296 | 1 Mealie | 1 Mealie | 2026-02-23 | N/A | 5.4 MEDIUM |
| A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view. | |||||
| CVE-2026-2227 | 1 Dlink | 2 Dcs-931l, Dcs-931l Firmware | 2026-02-23 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in D-Link DCS-931L up to 1.13.0. Impacted is the function doSystem of the file /setSystemAdmin. Performing a manipulation of the argument AdminID results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2026-1125 | 1 Dlink | 2 Dir-823x, Dir-823x Firmware | 2026-02-23 | 7.5 HIGH | 7.3 HIGH |
| A weakness has been identified in D-Link DIR-823X 250416. Affected by this issue is the function sub_412E7C of the file /goform/set_wifidog_settings. Executing a manipulation of the argument wd_enable can lead to command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2025-33246 | 1 Nvidia | 1 Nemo | 2026-02-20 | N/A | 7.8 HIGH |
| NVIDIA NeMo Framework for all platforms contains a vulnerability in the ASR Evaluator utility, where a user could cause a command injection by supplying crafted input to a configuration parameter. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, or information disclosure. | |||||
| CVE-2025-33249 | 1 Nvidia | 1 Nemo | 2026-02-20 | N/A | 7.8 HIGH |
| NVIDIA NeMo Framework for all platforms contains a vulnerability in a voice-preprocessing script, where malicious input created by an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2026-2823 | 1 Comfast | 2 Cf-e7, Cf-e7 Firmware | 2026-02-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in Comfast CF-E7 2.6.0.9. The impacted element is the function sub_41ACCC of the file /cgi-bin/mbox-config?method=SET§ion=ntp_timezone of the component webmggnt. Performing a manipulation of the argument timestr results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-2824 | 1 Comfast | 2 Cf-e7, Cf-e7 Firmware | 2026-02-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in Comfast CF-E7 2.6.0.9. This affects the function sub_441CF4 of the file /cgi-bin/mbox-config?method=SET§ion=ping_config of the component webmggnt. Executing a manipulation of the argument destination can lead to command injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-27001 | 1 Openclaw | 1 Openclaw | 2026-02-20 | N/A | 7.8 HIGH |
| OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth. | |||||
| CVE-2025-55319 | 1 Microsoft | 1 Visual Studio Code | 2026-02-20 | N/A | 8.8 HIGH |
| Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2025-69201 | 1 Quenary | 1 Tugtainer | 2026-02-20 | N/A | 9.8 CRITICAL |
| Tugtainer is a self-hosted app for automating updates of docker containers. In versions prior to 1.15.1, arbitary arguments can be injected in tugtainer-agent `POST api/command/run`. Version 1.15.1 fixes the issue. | |||||
| CVE-2026-20761 | 2026-02-20 | N/A | 8.1 HIGH | ||
| A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in arbitrary OS command execution on the device. | |||||
| CVE-2026-1624 | 1 Dlink | 2 Dwr-m961, Dwr-m961 Firmware | 2026-02-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-1625 | 1 Dlink | 2 Dwr-m961, Dwr-m961 Firmware | 2026-02-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2026-2629 | 2026-02-20 | 7.5 HIGH | 7.3 HIGH | ||
| A weakness has been identified in jishi node-sonos-http-api up to 3776f0ee2261c924c7b7204de121a38100a08ca7. Affected is the function Promise of the file lib/tts-providers/mac-os.js of the component TTS Provider. This manipulation of the argument phrase causes os command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2534 | 1 Comfast | 2 Cf-n1, Cf-n1 Firmware | 2026-02-19 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in Comfast CF-N1 V2 2.6.0.2. The affected element is the function sub_44AC4C of the file /cgi-bin/mbox-config?method=SET§ion=ptest_bandwidth. The manipulation of the argument bandwidth leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-2535 | 1 Comfast | 2 Cf-n1, Cf-n1 Firmware | 2026-02-19 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET§ion=ptest_channel. The manipulation of the argument channel results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-2670 | 2026-02-19 | 8.3 HIGH | 7.2 HIGH | ||
| A vulnerability was identified in Advantech WISE-6610 1.2.1_20251110. Affected is an unknown function of the file /cgi-bin/luci/admin/openvpn_apply of the component Background Management. Such manipulation of the argument delete_file leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-2686 | 2026-02-19 | 10.0 HIGH | 9.8 CRITICAL | ||
| A security vulnerability has been detected in SECCN Dingcheng G10 3.1.0.181203. This impacts the function qq of the file /cgi-bin/session_login.cgi. The manipulation of the argument User leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | |||||