Command Injection — 272 CVEs (Page 2/3)

2025-07-22

High

CVE-2025-7723

A command injection vulnerability exists that can be exploited after authentication in VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2.This issue affects VIGI NVR1104H-4P V1: before 1.1.5 Build 250518;…

CVSS: 8.5 CWE: CWE-78

High

CVE-2025-53472

WRC-BE36QS-B and WRC-W701-B contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in WebGUI. If exploited, an arbitrary OS command may be…

CVSS: 7.2 CWE: CWE-78

Medium

CVE-2025-7952

A vulnerability classified as critical was found in TOTOLINK T6 4.1.5cu.748. This vulnerability affects the function ckeckKeepAlive of the file wireless.so of the component MQTT Packet Handler. The m…

CVSS: 6.3 CWE: CWE-74

2025-07-21

High

CVE-2025-53832

Lara Translate MCP Server is a Model Context Protocol (MCP) Server for Lara Translate API. Versions 0.0.11 and below contain a command injection vulnerability which exists in the @translated/lara-mcp…

CVSS: 7.5 CWE: CWE-77

Critical

CVE-2025-36846

An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. T…

CVSS: 9.8 CWE: CWE-78

Medium

CVE-2025-7932

A vulnerability classified as critical has been found in D-Link DIR‑817L up to 1.04B01. This affects the function lxmldbc_system of the file ssdpcgi. The manipulation leads to command injection. It i…

CVSS: 6.3 CWE: CWE-74

High

CVE-2025-7382

A command injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to adjacent attackers achieving pre-auth code execution on High Availability (HA) auxil…

CVSS: 8.8 CWE: CWE-78

2025-07-20

High

CVE-2025-7883

A vulnerability classified as critical has been found in Eluktronics Control Center 5.23.51.41. Affected is an unknown function of the file \AiStoneService\MyControlCenter\Command of the component Po…

CVSS: 7.8 CWE: CWE-74

2025-07-19

Medium

CVE-2025-7836

A vulnerability has been found in D-Link DIR-816L up to 2.06B01 and classified as critical. Affected by this vulnerability is the function lxmldbc_system of the file /htdocs/cgibin of the component E…

CVSS: 6.3 CWE: CWE-74

2025-07-18

High

CVE-2025-54073

mcp-package-docs is an MCP (Model Context Protocol) server that provides LLMs with efficient access to package documentation across multiple programming languages and language server protocol (LSP) c…

CVSS: 7.5 CWE: CWE-77

Medium

CVE-2025-7788

A vulnerability has been found in Xuxueli xxl-job up to 3.1.1 and classified as critical. Affected by this vulnerability is the function commandJobHandler of the file src\main\java\com\xxl\job\execut…

CVSS: 6.3 CWE: CWE-77

2025-07-17

Critical

CVE-2025-52046

Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated at…

CVSS: 9.8 CWE: CWE-77

2025-07-16

Critical

CVE-2025-34132

A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service a…

CVSS: 9.3 CWE: CWE-20

High

CVE-2025-34130

An unauthenticated arbitrary file read exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the /z/zbin/net_html.cgi endpoint. This vulnerability allows…

CVSS: 8.7 CWE: CWE-200

High

CVE-2025-34129

A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 due to insufficient sanitization of the FTP and NTP Server fields in t…

CVSS: 8.7 CWE: CWE-20

Critical

CVE-2025-34125

An unauthenticated command injection vulnerability exists in the cookie handling process of the lighttpd web server on D-Link DSP-W110A1 firmware version 1.05B01. This occurs when specially crafted c…

CVSS: 9.3 CWE: CWE-78

2025-07-15

Critical

CVE-2025-49836

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py change_label function. path_list takes user i…

CVSS: 9.8 CWE: CWE-77

Critical

CVE-2025-49835

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_asr function. asr_inp_dir (and a number…

CVSS: 9.8 CWE: CWE-77

Critical

CVE-2025-49834

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_denoise function. denoise_inp_dir and de…

CVSS: 9.8 CWE: CWE-77

Critical

CVE-2025-49833

GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in the webui.py open_slice function. slice_opt_root and s…

CVSS: 9.8 CWE: CWE-77

Medium

CVE-2025-52379

Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below contains an authenticated command injection vulnerability in the firmware update feature. The /web/um_fileName_set.cgi and /web/um_web…

CVSS: 5.4 CWE: CWE-78

Medium

CVE-2025-52377

Command injection vulnerability in Nexxt Solutions NCM-X1800 Mesh Router versions UV1.2.7 and below, allowing authenticated attackers to execute arbitrary commands on the device. The vulnerability is…

CVSS: 5.4 CWE: CWE-77

High

CVE-2025-34115

An authenticated command injection vulnerability exists in OP5 Monitor through version 7.1.9 via the 'cmd_str' parameter in the command_test.php endpoint. A user with access to the web interface can…

CVSS: 8.7 CWE: CWE-20

High

CVE-2025-34113

An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar mod…

CVSS: 8.7 CWE: CWE-20

Critical

CVE-2025-34112

An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/commo…

CVSS: 10.0 CWE: CWE-78

Critical

CVE-2025-34103

An unauthenticated command injection vulnerability exists in WePresent WiPG-1000 firmware versions prior to 2.2.3.0, due to improper input handling in the undocumented /cgi-bin/rdfs.cgi endpoint. The…

CVSS: 9.3 CWE: CWE-78

Critical

CVE-2025-3621

Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems. * vulnerabilities: * Improper Neutralization of Special Ele…

CVSS: 9.6 CWE: CWE-77

2025-07-14

High

CVE-2025-53818

GitHub Kanban MCP Server is a Model Context Protocol (MCP) server for managing GitHub issues in Kanban board format and streamlining LLM task management. Version 0.3.0 of the MCP Server is written in…

CVSS: 8.9 CWE: CWE-78

Medium

CVE-2025-7615

A vulnerability classified as critical was found in TOTOLINK T6 4.1.5cu.748. Affected by this vulnerability is the function clearPairCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Re…

CVSS: 6.3 CWE: CWE-74

Medium

CVE-2025-7614

A vulnerability classified as critical has been found in TOTOLINK T6 4.1.5cu.748. Affected is the function delDevice of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The m…

CVSS: 6.3 CWE: CWE-74

Medium

CVE-2025-7613

A vulnerability was found in TOTOLINK T6 4.1.5cu.748. It has been rated as critical. This issue affects the function CloudSrvVersionCheck of the file /cgi-bin/cstecgi.cgi of the component HTTP POST R…

CVSS: 6.3 CWE: CWE-74

Critical

CVE-2025-50756

Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the newpass parameter. This vulnerability allows attackers to execute arbitrary command…

CVSS: 9.8 CWE: CWE-77

Medium

CVE-2025-7578

A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16. It has been declared as critical. This vulnerability affects the function sendCommand of the file runcmd.sh. The…

CVSS: 5.0 CWE: CWE-74

Critical

CVE-2025-7451

The iSherlock developed by Hgiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. This vulnerabilit…

CVSS: 9.8 CWE: CWE-78

Medium

CVE-2025-7553

A vulnerability classified as critical has been found in D-Link DIR-818LW up to 20191215. This affects an unknown part of the component System Time Page. The manipulation of the argument NTP Server l…

CVSS: 4.7 CWE: CWE-77

2025-07-13

Medium

CVE-2025-7525

A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been declared as critical. This vulnerability affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the comp…

CVSS: 6.3 CWE: CWE-74

Medium

CVE-2025-7524

A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been classified as critical. This affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP PO…

CVSS: 6.3 CWE: CWE-74

2025-07-11

High

CVE-2013-3307

Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in the apply.cgi ping_ip parameter on TCP port…

CVSS: 8.3 CWE: CWE-78

Medium

CVE-2025-52988

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a high privileged, loca…

CVSS: 6.7 CWE: CWE-78

Medium

CVE-2025-52994

gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709.

CVSS: 4.9 CWE: CWE-78

Critical

CVE-2025-50121

A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause unauthenticated remote code execution when a malicious folde…

CVSS: 9.5 CWE: CWE-78

2025-07-10

Medium

CVE-2025-7415

A vulnerability, which was classified as critical, has been found in Tenda O3V2 1.0.0.12(3880). This issue affects the function fromTraceroutGet of the file /goform/getTraceroute of the component htt…

CVSS: 6.3 CWE: CWE-74

Medium

CVE-2025-7414

A vulnerability classified as critical was found in Tenda O3V2 1.0.0.12(3880). This vulnerability affects the function fromNetToolGet of the file /goform/setPingInfo of the component httpd. The manip…

CVSS: 6.3 CWE: CWE-77

Critical

CVE-2025-34102

A remote code execution vulnerability exists in CryptoLog (PHP version, discontinued since 2009) due to a chained exploitation of SQL injection and command injection vulnerabilities. An unauthenticat…

CVSS: 9.3 CWE: CWE-20

Critical

CVE-2025-34101

An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port…

CVSS: 9.3 CWE: CWE-20

Critical

CVE-2025-34099

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-defa…

CVSS: 9.3 CWE: CWE-20

Critical

CVE-2025-34095

An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker ca…

CVSS: 9.3 CWE: CWE-78

High

CVE-2025-34093

An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized…

CVSS: 7.5 CWE: CWE-78

High

CVE-2025-53542

Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This i…

CVSS: 7.7 CWE: CWE-78

Medium

CVE-2025-7407

A vulnerability, which was classified as critical, was found in Netgear D6400 1.0.0.114. This affects an unknown part of the file diag.cgi. The manipulation of the argument host_name leads to os comm…

CVSS: 6.3 CWE: CWE-77

2025-07-08

Medium

CVE-2025-7192

A vulnerability was found in D-Link DIR-645 up to 1.05B01 and classified as critical. This issue affects the function ssdpcgi_main of the file /htdocs/cgibin of the component ssdpcgi. The manipulatio…

CVSS: 6.3 CWE: CWE-74

Medium

CVE-2025-7154

A vulnerability, which was classified as critical, has been found in TOTOLINK N200RE 9.3.5u.6095_B20200916/9.3.5u.6139_B20201216. Affected by this issue is the function sub_41A0F8 of the file /cgi-bi…

CVSS: 6.3 CWE: CWE-77

2025-07-06

High

CVE-2025-7097

A vulnerability, which was classified as critical, has been found in Comodo Internet Security Premium 12.3.4.8162. This issue affects some unknown processing of the file cis_update_x64.xml of the com…

CVSS: 8.1 CWE: CWE-77

2025-06-30

Medium

CVE-2025-6899

A vulnerability, which was classified as critical, was found in D-Link DI-7300G+ and DI-8200G 17.12.20A1/19.12.25A1. This affects an unknown part of the file msp_info.htm. The manipulation of the arg…

CVSS: 6.3 CWE: CWE-77

Medium

CVE-2025-6898

A vulnerability, which was classified as critical, has been found in D-Link DI-7300G+ 19.12.25A1. Affected by this issue is some unknown functionality of the file in proxy_client.asp. The manipulatio…

CVSS: 6.3 CWE: CWE-77

Medium

CVE-2025-6896

A vulnerability classified as critical has been found in D-Link DI-7300G+ 19.12.25A1. Affected is an unknown function of the file wget_test.asp. The manipulation of the argument url leads to os comma…

CVSS: 6.3 CWE: CWE-77

2025-06-22

Medium

CVE-2025-6485

A vulnerability was found in TOTOLINK A3002R 1.1.1-B20200824.0128. It has been classified as critical. This affects the function formWlSiteSurvey of the file /boafrm/formWlSiteSurvey. The manipulatio…

CVSS: 6.3 CWE: CWE-77

2025-06-20

Medium

CVE-2025-6335

A vulnerability was found in DedeCMS up to 5.7.2 and classified as critical. This issue affects some unknown processing of the file /include/dedetag.class.php of the component Template Handler. The m…

CVSS: 4.7 CWE: CWE-74

2025-06-13

Critical

CVE-2025-45986

Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 werediscovered to contai…

CVSS: 9.8 CWE: CWE-77

2025-06-11

Critical

CVE-2025-32711

Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

CVSS: 9.3 CWE: CWE-77

2025-06-10

High

CVE-2025-31104

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiADC 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.7, 7.1.0 t…

CVSS: 7.2 CWE: CWE-78

2025-06-09

High

CVE-2025-49141

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently…

CVSS: 8.5 CWE: CWE-78

2025-06-04

Medium

CVE-2025-5571

A vulnerability was found in D-Link DCS-932L 2.18.01. It has been classified as critical. Affected is the function setSystemAdmin of the file /setSystemAdmin. The manipulation of the argument AdminID…

CVSS: 6.3 CWE: CWE-77

2025-06-03

Medium

CVE-2025-5492

A vulnerability has been found in D-Link DI-500WF-WT up to 20250511 and classified as critical. Affected by this vulnerability is the function sub_456DE8 of the file /msp_info.htm?flag=cmd of the com…

CVSS: 6.3 CWE: CWE-74

2025-05-28

High

CVE-2025-1753

LLama-Index CLI version v0.12.20 contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the `--files` argument, which is directly passed into `os.syste…

CVSS: 7.8 CWE: CWE-78

2025-05-22

High

CVE-2025-3883

eCharge Hardy Barth cPH2 index.php Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of e…

CVSS: 8.8 CWE: CWE-78

High

CVE-2025-3882

eCharge Hardy Barth cPH2 nwcheckexec.php dest Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected install…

CVSS: 8.8 CWE: CWE-78

High

CVE-2025-3881

eCharge Hardy Barth cPH2 check_req.php ntp Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installati…

CVSS: 8.8 CWE: CWE-78

2025-05-05

Critical

CVE-2025-43844

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, among others, take user…

CVSS: 9.8 CWE: CWE-77

Critical

CVE-2025-43843

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7 and f0method8 take u…

CVSS: 9.8 CWE: CWE-77

Critical

CVE-2025-43842

Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to command injection. The variables exp_dir1, np7, trainset_dir4 and s…

CVSS: 9.8 CWE: CWE-77

2025-04-30

High

CVE-2024-6032

Tesla Model S Iris Modem ql_atfwd Command Injection Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected Tesla Model S vehicles. An attacker m…

CVSS: 7.8 CWE: CWE-78

2025-04-08

Medium

CVE-2024-54025

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator CLI before version 2.4.6 allows a privileged attacker to…

CVSS: 6.7 CWE: CWE-78

High

CVE-2024-54024

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator before version 2.4.6 allows a privileged attacker with s…

CVSS: 7.2 CWE: CWE-78

2025-03-31

Critical

CVE-2025-22941

A command injection vulnerability in the web interface of Adtran 411 ONT L80.00.0011.M2 allows attackers to escalate privileges to root and execute arbitrary commands.

CVSS: 9.8 CWE: CWE-77

Critical

CVE-2025-22939

A command injection vulnerability in the telnet service of Adtran 411 ONT L80.00.0011.M2 allows attackers to escalate privileges to root and execute arbitrary commands.

CVSS: 9.8 CWE: CWE-77

2025-03-20

Critical

CVE-2024-8156

A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input `github.head.ref` is used insecurely, allowing an attacker to i…

CVSS: 9.8 CWE: CWE-94

2025-03-17

High

CVE-2025-22473

Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A l…

CVSS: 7.8 CWE: CWE-77

High

CVE-2025-22472

Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A l…

CVSS: 7.8 CWE: CWE-77

Medium

CVE-2024-48017

Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A h…

CVSS: 6.5 CWE: CWE-77

Medium

CVE-2024-48015

Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A h…

CVSS: 6.7 CWE: CWE-77

High

CVE-2024-48830

Dell SmartFabric OS10 Software, version(s) 10.5.4.x, 10.5.5.x, 10.5.6.x, 10.6.0.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A l…

CVSS: 7.8 CWE: CWE-77

2025-03-14

Medium

CVE-2023-33300

A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiNAC 7.2.1 and earlier, 9.4.3 and earlier allows attacker a limited, unauthorized file access via…

CVSS: 5.3 CWE: CWE-77

High

CVE-2024-46662

A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiManager versions 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3 allows att…

CVSS: 8.8 CWE: CWE-77

2025-03-12

High

CVE-2024-13871

A command injection vulnerability exists in the /check_image_and_trigger_recovery API endpoint of Bitdefender Box 1 (firmware version 1.3.11.490). This flaw allows an unauthenticated, network-adjacen…

CVSS: 8.8 CWE: CWE-77

2025-03-11

High

CVE-2024-55590

Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in Fortinet FortiIsolator version 2.4.0 through 2.4.5 allows an authentica…

CVSS: 8.8 CWE: CWE-78

Medium

CVE-2024-32123

Multiple improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiManager, FortiAnalyzer versions 7.4.0 through 7.4.2 7.2.0 through 7.2.5 and 7.0.0…

CVSS: 6.7 CWE: CWE-78

2025-03-02

Medium

CVE-2025-1819

A vulnerability, which was classified as critical, was found in Tenda AC7 1200M 15.03.06.44. Affected is the function TendaTelnet of the file /goform/telnet. The manipulation of the argument lan_ip l…

CVSS: 6.3 CWE: CWE-77

2025-02-11

Medium

CVE-2024-50569

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb 7.0.0 through 7.6.0 allows attacker to execute unauthorized code or commands via craf…

CVSS: 6.6 CWE: CWE-78

High

CVE-2024-50567

An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb 7.4.0 through 7.6.0 allows attacker to execute unauthorized code or commands via cra…

CVSS: 7.2 CWE: CWE-78

High

CVE-2024-40584

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiAnalyzer version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0…

CVSS: 7.2 CWE: CWE-78

2025-02-05

High

CVE-2025-23239

When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a securit…

CVSS: 8.7 CWE: CWE-77

High