Total
4933 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-41674 | 1 Mbconnectline | 2 Mbnet.mini, Mbnet.mini Firmware | 2025-11-06 | 7.2 High |
| A high privileged remote attacker can execute arbitrary system commands via POST requests in the diagnostic action due to improper neutralization of special elements used in an OS command. | ||||
| CVE-2025-41675 | 3 Helmholz, Mb Connect Line, Mbconnectline | 4 Rex 100, Mbnet.mini, Mbnet.mini and 1 more | 2025-11-06 | 7.2 High |
| A high privileged remote attacker can execute arbitrary system commands via GET requests in the cloud server communication script due to improper neutralization of special elements used in an OS command. | ||||
| CVE-2024-14005 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 8.8 High |
| Nagios XI versions prior to 2024R1.2 contain a command injection vulnerability in the Docker Wizard. Insufficient validation of user-supplied input in the wizard allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user. | ||||
| CVE-2013-10073 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 8.8 High |
| Nagios XI versions prior to 2012R1.6 contain a shell command injection vulnerability in the Auto-Discovery tool. User-controlled input is passed to a shell without adequate sanitation or argument quoting, allowing an authenticated user with access to discovery functionality to execute arbitrary commands with the privileges of the application service. | ||||
| CVE-2024-14003 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-06 | 9.8 Critical |
| Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrary commands on the underlying host in the context of the web/Nagios service. | ||||
| CVE-2019-10149 | 3 Canonical, Debian, Exim | 3 Ubuntu Linux, Debian Linux, Exim | 2025-11-06 | 9.8 Critical |
| A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. | ||||
| CVE-2018-25122 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-05 | 8.8 High |
| Nagios XI versions prior to 5.4.13 contain a remote code execution vulnerability in the Component Download page. The download/import handler used unsafe command construction with attacker-controlled input and lacked sufficient validation and output encoding, allowing an authenticated user to inject commands or otherwise execute arbitrary code with the privileges of the application service. | ||||
| CVE-2020-36856 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-05 | 8.8 High |
| Nagios XI versions prior to 5.6.14 contain an authenticated remote command execution vulnerability in the CCM command_test.php script. Insufficient validation of the `address` parameter allows an authenticated user with access to the Core Config Manager to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and may be leveraged to execute commands on the underlying XI host, modify system configuration, or fully compromise the host. | ||||
| CVE-2020-36867 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-05 | 8.8 High |
| Nagios XI versions prior to 5.7.3 contain a command injection vulnerability in the report PDF download/export functionality. User-supplied values used in the PDF generation pipeline or the wrapper that invokes offline/pdf helper utilities were insufficiently validated or improperly escaped, allowing an authenticated attacker who can trigger PDF exports to inject shell metacharacters or arguments. | ||||
| CVE-2025-48703 | 2 Centos-webpanel, Control-webpanel | 2 Centos Web Panel, Webpanel | 2025-11-05 | 9 Critical |
| CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known. | ||||
| CVE-2025-8748 | 1 Mobile-industrial-robots | 5 Mir100, Mir1000, Mir200 and 2 more | 2025-11-05 | 8.8 High |
| MiR software versions prior to version 3.0.0 are affected by a command injection vulnerability. A malicious HTTP request crafted by an authenticated user could allow the execution of arbitrary commands on the underlying operating system. | ||||
| CVE-2025-34152 | 1 Shenzhen Aitemi | 1 M300 Wifi Repeater | 2025-11-04 | N/A |
| An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes. | ||||
| CVE-2025-34151 | 1 Shenzhen Aitemi | 1 M300 Wifi Repeater | 2025-11-04 | N/A |
| A command injection vulnerability exists in the 'passwd' parameter of the PPPoE setup process on the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The input is passed directly to system-level commands without sanitation, enabling unauthenticated attackers to achieve root-level code execution. | ||||
| CVE-2025-34150 | 1 Shenzhen Aitemi | 1 M300 Wifi Repeater | 2025-11-04 | N/A |
| The PPPoE configuration interface of the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) is vulnerable to command injection via the 'user' parameter. Input is processed unsafely during network setup, allowing attackers to execute arbitrary system commands with root privileges. | ||||
| CVE-2025-34149 | 1 Shenzhen Aitemi | 1 M300 Wifi Repeater | 2025-11-04 | N/A |
| A command injection vulnerability affects the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) during WPA2 configuration. The 'key' parameter is interpreted directly by the system shell, enabling attackers to execute arbitrary commands as root. Exploitation requires no authentication and can be triggered during wireless setup. | ||||
| CVE-2025-34148 | 1 Shenzhen Aitemi | 1 M300 Wifi Repeater | 2025-11-04 | N/A |
| An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in WISP mode, the 'ssid' parameter is passed unsanitized to system-level scripts. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root, resulting in full device compromise. | ||||
| CVE-2025-34147 | 1 Shenzhen Aitemi | 1 M300 Wifi Repeater | 2025-11-04 | N/A |
| An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise. | ||||
| CVE-2025-34143 | 2025-11-04 | N/A | ||
| An authentication bypass vulnerability exists in ETQ Reliance on the CG (legacy) platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, enabling attackers with network access to the login page to obtain elevated access. Once authenticated, an attacker could achieve remote code execution by modifying Jython scripts within the application. This issue was resolved by introducing stricter validation logic to exclude internal accounts from public authentication workflows in version MP-4583. | ||||
| CVE-2025-2611 | 1 Ict Innovations | 1 Ictbroadcast | 2025-11-04 | N/A |
| The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable. | ||||
| CVE-2025-64140 | 1 Jenkins | 2 Azure Cli, Jenkins | 2025-11-04 | 8.8 High |
| Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller, allowing attackers with Item/Configure permission to execute arbitrary shell commands. | ||||