Total
5149 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-25255 | 2025-12-29 | N/A | 4.3 MEDIUM | ||
| VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access. | |||||
| CVE-2025-43876 | 2025-12-29 | N/A | N/A | ||
| Under certain circumstances a successful exploitation could result in access to the device. | |||||
| CVE-2025-68922 | 2025-12-29 | N/A | 7.4 HIGH | ||
| OpenOps before 0.6.11 allows remote code execution in the Terraform block. | |||||
| CVE-2025-66203 | 2025-12-29 | N/A | 9.9 CRITICAL | ||
| StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126. | |||||
| CVE-2025-30004 | 1 Xorcom | 1 Completepbx | 2025-12-27 | N/A | 8.8 HIGH |
| Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing for attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35 | |||||
| CVE-2023-53981 | 1 Thibaud-rohmer | 1 Photoshow | 2025-12-27 | N/A | 7.2 HIGH |
| PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a reverse shell command and executing it through a crafted video upload process. | |||||
| CVE-2023-53941 | 1 Easyphp | 1 Webserver | 2025-12-26 | N/A | 9.8 CRITICAL |
| EasyPHP Webserver 14.1 contains an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by injecting malicious payloads through the app_service_control parameter. Attackers can send POST requests to /index.php?zone=settings with crafted app_service_control values to execute commands with administrative privileges. | |||||
| CVE-2005-10004 | 1 Cacti | 1 Cacti | 2025-12-26 | N/A | 8.8 HIGH |
| Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially compromising system integrity. | |||||
| CVE-2025-56086 | 1 Ruijie | 4 Rg-ew1200, Rg-ew1200 Firmware, Rg-x60 and 1 more | 2025-12-26 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | |||||
| CVE-2025-56085 | 1 Ruijie | 4 Rg-ew1200, Rg-ew1200 Firmware, Rg-ew300 Pro and 1 more | 2025-12-26 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. | |||||
| CVE-2025-56087 | 1 Ruijie | 2 Rg-bcr600w, Rg-bcr600w Firmware | 2025-12-26 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the run_tcpdump in file /usr/lib/lua/luci/controller/admin/common_tcpdump.lua. | |||||
| CVE-2025-56107 | 1 Ruijie | 2 Rg-bcr600w, Rg-bcr600w Firmware | 2025-12-26 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the submit_wifi in file /usr/lib/lua/luci/controller/admin/common_quick_config.lua. | |||||
| CVE-2025-56096 | 1 Ruijie | 2 Rg-bcr600w, Rg-bcr600w Firmware | 2025-12-26 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the restart_modules in file /usr/lib/lua/luci/controller/admin/common.lua. | |||||
| CVE-2025-56082 | 1 Ruijie | 2 Rg-bcr600w, Rg-bcr600w Firmware | 2025-12-26 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the check_changes in file /usr/lib/lua/luci/controller/admin/common.lua. | |||||
| CVE-2025-56077 | 2 Ruijie, Ruijienetworks | 5 Rg-eap162\(g\), Rg-rap1260, Rg-rap2200\(e\) and 2 more | 2025-12-26 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. | |||||
| CVE-2025-56079 | 1 Ruijie | 4 Be50, Be50 Firmware, Rg-ew1300g and 1 more | 2025-12-26 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in Ruijie RG-EW1300G EW1300G V1.00/V2.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | |||||
| CVE-2024-23789 | 1 Sharp | 4 Jh-rv11, Jh-rv11 Firmware, Jh-rvb1 and 1 more | 2025-12-23 | N/A | 8.8 HIGH |
| Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to execute an arbitrary OS command on the affected product. | |||||
| CVE-2025-34043 | 2025-12-23 | N/A | N/A | ||
| A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi script. The vulnerability allows unauthenticated attackers to pass arbitrary commands to the underlying operating system via crafted HTTP requests. These commands are executed with the privileges of the web server process, enabling remote code execution and potential full device compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC. | |||||
| CVE-2025-57516 | 1 Publiccms | 1 Publiccms | 2025-12-23 | N/A | 8.2 HIGH |
| OS Command injection vulnerability in PublicCMS PublicCMS-V5.202506.a, and PublicCMS-V5.202506.b allowing attackers to execute arbitrary commands via crafted DATABASE, USERNAME, or PASSWORD variables to the backupDB.bat file. | |||||
| CVE-2025-56120 | 1 Ruijie | 4 Rg-ew1200, Rg-ew1200 Firmware, Rg-x60 Pro and 1 more | 2025-12-23 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. | |||||