Total
5427 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-24663 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 9.0 CRITICAL |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to the libraries installation route and injecting malicious input into the request body. | |||||
| CVE-2026-24689 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update apply action. | |||||
| CVE-2026-24695 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into OpenSSL argument fields within requests sent to the utility route, leading to remote code execution. | |||||
| CVE-2026-25109 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route, leading to remote code execution. | |||||
| CVE-2026-25111 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the restore route. | |||||
| CVE-2026-25195 | 1 Copeland | 6 Xweb 300d Pro, Xweb 300d Pro Firmware, Xweb 500b Pro and 3 more | 2026-03-09 | N/A | 8.0 HIGH |
| An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted firmware update file via the firmware update route. | |||||
| CVE-2026-28774 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-09 | N/A | 8.8 HIGH |
| An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges. | |||||
| CVE-2026-28773 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-09 | N/A | 8.8 HIGH |
| The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe `|` operator) to append and execute arbitrary shell commands with root privileges. | |||||
| CVE-2024-55021 | 1 Weintek | 3 Cmt-3072xh2, Cmt-3072xh2 Firmware, Easyweb | 2026-03-09 | N/A | 7.5 HIGH |
| Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to contain a hardcoded password in the FTP protocol. | |||||
| CVE-2026-30861 | 1 Tencent | 1 Weknora | 2026-03-09 | N/A | 9.9 CRITICAL |
| WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. From version 0.2.5 to before version 0.2.10, an unauthenticated remote code execution (RCE) vulnerability exists in the MCP stdio configuration validation. The application allows unrestricted user registration, meaning any attacker can create an account and exploit the command injection flaw. Despite implementing a whitelist for allowed commands (npx, uvx) and blacklists for dangerous arguments and environment variables, the validation can be bypassed using the -p flag with npx node. This allows any attacker to execute arbitrary commands with the application's privileges, leading to complete system compromise. This issue has been patched in version 0.2.10. | |||||
| CVE-2026-28463 | 1 Openclaw | 1 Openclaw | 2026-03-09 | N/A | 8.4 HIGH |
| OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses real shell expansion, allowing safe bins like head, tail, or grep to read arbitrary local files via glob patterns or environment variables. Authorized callers or prompt-injection attacks can exploit this to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode. | |||||
| CVE-2025-66203 | 1 Lemon8866 | 1 Streamvault | 2026-03-09 | N/A | 9.9 CRITICAL |
| StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126. | |||||
| CVE-2026-29783 | 2026-03-09 | N/A | N/A | ||
| The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423. The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (requires user approval). However, several bash parameter expansion features can embed executable code within arguments to otherwise read-only commands, causing them to appear safe while actually performing arbitrary operations. The specific dangerous patterns are ${var@P}, ${var=value} / ${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text sent to the shell tool - for example, through prompt injection via malicious repository content (README files, code comments, issue bodies), compromised or malicious MCP server responses, or crafted user instructions containing obfuscated commands - could achieve arbitrary code execution on the user's workstation. This is possible even in permission modes that require user approval for write operations, since the commands can appear to use only read-only utilities to ultimately trigger write operations. Successful exploitation could lead to data exfiltration, file modification, or further system compromise. | |||||
| CVE-2026-0654 | 1 Tp-link | 2 Deco Be25, Deco Be25 Firmware | 2026-03-06 | N/A | 8.0 HIGH |
| Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822. | |||||
| CVE-2026-28209 | 1 Sangoma | 1 Freepbx | 2026-03-06 | N/A | 7.2 HIGH |
| FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5. | |||||
| CVE-2026-28287 | 1 Sangoma | 1 Freepbx | 2026-03-06 | N/A | 8.8 HIGH |
| FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5. | |||||
| CVE-2026-26279 | 1 Froxlor | 1 Froxlor | 2026-03-05 | N/A | 9.1 CRITICAL |
| Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4. | |||||
| CVE-2026-25857 | 1 Tenda | 2 G300-f, G300-f Firmware | 2026-03-05 | N/A | 8.8 HIGH |
| Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process. | |||||
| CVE-2026-2131 | 1 Xixianliang | 1 Harmonyos Mcp Server | 2026-03-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | |||||
| CVE-2026-20008 | 2026-03-05 | N/A | 6.0 MEDIUM | ||
| A vulnerability in a small subset of CLI commands that are used on Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to craft Lua code that could be used on the underlying operating system as root. This vulnerability exists because user-provided input is not properly sanitized. An attacker could exploit this vulnerability by crafting valid Lua code and submitting it as a malicious parameter for a CLI command. A successful exploit could allow the attacker to inject Lua code, which could lead to arbitrary code execution as the root user. To exploit this vulnerability, an attacker must have valid Administrator credentials. | |||||