command injection

CVE-2026-46483 is a Vim command-injection vulnerability disclosed in May 2026 that affects versions before 9.2.0479, where Vim’s tar archive helper can mishandle specially crafted .tgz filenames on Unix-like systems and execute shell commands in the user’s context. The flaw is not a remote worm...

CVE-2026-7246 is a high-severity command-injection flaw disclosed April 30, 2026, in Pallets Click’s click.edit() helper, affecting Python package versions before 8.3.3 and allowing attacker-controlled filenames to escape quoting and run operating-system commands on the user’s local machine. The...

Siemens and CISA warned in mid-May 2026 that RUGGEDCOM ROX devices running versions earlier than 2.17.1 contain a critical Scheduler input-validation flaw that lets an authenticated remote attacker execute arbitrary operating-system commands as root. The advisory lands squarely in the...

Microsoft disclosed CVE-2026-42893 on May 12, 2026, as an Important-rated tampering vulnerability affecting Microsoft Outlook for iOS, with a fixed build listed as 5.2617.1 and customer action required through the App Store security update. The more interesting story is not merely that Outlook...

Microsoft published CVE-2026-35428 on May 7, 2026, describing a critical Azure Cloud Shell spoofing vulnerability caused by command-injection weakness, already mitigated by Microsoft, requiring no customer action, and assessed with confirmed report confidence but no public disclosure or...

CVE-2026-35386 is a reminder that not every security flaw is a smash-and-grab bug. In this case, Microsoft’s update guide language points to an issue whose successful exploitation depends on conditions outside the attacker’s direct control, meaning the exploit path is not universally reliable or...

CVE-2026-32241 is a reminder that Kubernetes networking can become a shell-command problem in a hurry. The flaw affects Flannel’s experimental Extension backend and can let an attacker with the right Node annotation permissions trigger root-level code execution across nodes in the cluster...

The CVE number you followed — CVE-2026-32778 — does not appear in Microsoft's Security Update Guide; the vulnerability most likely being referenced is CVE-2025-32778, a critical command injection in the Web‑Check OSINT tool that allows unauthenticated remote code execution via its screenshot API...

A disputed local command-injection flaw tracked as CVE-2022-45639 has been associated with The Sleuth Kit’s fls utility (version 4.11.1): multiple vulnerability databases record a proof‑of‑concept showing that a specially crafted value passed to the fls tool’s -m option can cause shell...

Git’s cvsserver subcommand contained a dangerous, long-lived flaw: unsafe Perl scripts allowed shell metacharacters in a module name to become OS commands, enabling remote command execution — a vulnerability tracked as CVE-2017-14867 that affected multiple Git release lines and was reachable...

GitHub’s Copilot integration for JetBrains IDEs has been linked to a high‑severity command‑injection / remote code‑execution class flaw that can allow attacker‑controlled content to become executable on a developer’s workstation, and vendor tracking entries (including Microsoft’s Update Guide)...

The Ilevia EVE X1 Server family has been the subject of a coordinated advisory that lists multiple high‑severity vulnerabilities in firmware versions up to and including 4.7.18.0. These flaws—ranging from pre‑auth file disclosure and path traversal to unauthenticated OS command injection...

A critical, high‑impact vulnerability in Johnson Controls’ Metasys product line — tracked as CVE‑2025‑26385 in vendor advisories — demands immediate attention from building‑automation teams, Windows administrators, and any organization that uses Metasys ADS/ADX servers, LCS/NAE appliances or the...

Delta Electronics’ DIAView has a command-injection flaw that lets project files execute shell commands, creating a direct path from a crafted project to arbitrary code running on Windows engineering hosts — a serious escalation risk for industrial control systems that rely on trusted engineering...

Johnson Controls’ iSTAR family of door controllers has been the subject of another high‑severity advisory cycle: the CSAF packet you provided describes remote‑exploitable command‑injection weaknesses and related firmware‑verification and credential‑handling flaws that could allow attackers to...

A newly recorded high-severity vulnerability, tracked as CVE-2025-64671, affects GitHub Copilot integrations for JetBrains IDEs and is described as a command-injection flaw that can lead to local code execution under an interactive user account — a class of bug that elevates risk for developer...

Microsoft and third‑party trackers have published a high‑severity advisory for CVE‑2025‑62222: a command‑injection (remote code execution) flaw in the Visual Studio Code Copilot Chat / agentic AI extension that can be triggered by attacker‑controlled prompt or repository content and, under...

Two newly disclosed, high‑severity flaws in the Viessmann Vitogate 300 — tracked as CVE‑2025‑9494 and CVE‑2025‑9495 — expose widely deployed gateway devices to OS command injection and client‑side authentication bypass vulnerabilities, creating realistic paths to full device compromise for...

Westermo’s WeOS 5 series has a newly disclosed high‑severity vulnerability that deserves immediate attention from industrial network operators and Windows network teams responsible for OT‑IT convergence, because it can be used to inject operating‑system commands when an attacker can reach an...

Schneider Electric has published coordinated advisories describing two OS command injection flaws in the BLMon monitoring console used by Saitel DR and Saitel DP Remote Terminal Units (RTUs), vulnerabilities that allow authenticated console users to inject and execute arbitrary shell commands...