command injection

CVE-2026-35386 is a reminder that not every security flaw is a smash-and-grab bug. In this case, Microsoft’s update guide language points to an issue whose successful exploitation depends on conditions outside the attacker’s direct control, meaning the exploit path is not universally reliable or...

CVE-2026-32241 is a reminder that Kubernetes networking can become a shell-command problem in a hurry. The flaw affects Flannel’s experimental Extension backend and can let an attacker with the right Node annotation permissions trigger root-level code execution across nodes in the cluster...

The CVE number you followed — CVE-2026-32778 — does not appear in Microsoft's Security Update Guide; the vulnerability most likely being referenced is CVE-2025-32778, a critical command injection in the Web‑Check OSINT tool that allows unauthenticated remote code execution via its screenshot API...

A disputed local command-injection flaw tracked as CVE-2022-45639 has been associated with The Sleuth Kit’s fls utility (version 4.11.1): multiple vulnerability databases record a proof‑of‑concept showing that a specially crafted value passed to the fls tool’s -m option can cause shell...

Git’s cvsserver subcommand contained a dangerous, long-lived flaw: unsafe Perl scripts allowed shell metacharacters in a module name to become OS commands, enabling remote command execution — a vulnerability tracked as CVE-2017-14867 that affected multiple Git release lines and was reachable...

GitHub’s Copilot integration for JetBrains IDEs has been linked to a high‑severity command‑injection / remote code‑execution class flaw that can allow attacker‑controlled content to become executable on a developer’s workstation, and vendor tracking entries (including Microsoft’s Update Guide)...

The Ilevia EVE X1 Server family has been the subject of a coordinated advisory that lists multiple high‑severity vulnerabilities in firmware versions up to and including 4.7.18.0. These flaws—ranging from pre‑auth file disclosure and path traversal to unauthenticated OS command injection...

A critical, high‑impact vulnerability in Johnson Controls’ Metasys product line — tracked as CVE‑2025‑26385 in vendor advisories — demands immediate attention from building‑automation teams, Windows administrators, and any organization that uses Metasys ADS/ADX servers, LCS/NAE appliances or the...

Delta Electronics’ DIAView has a command-injection flaw that lets project files execute shell commands, creating a direct path from a crafted project to arbitrary code running on Windows engineering hosts — a serious escalation risk for industrial control systems that rely on trusted engineering...

Johnson Controls’ iSTAR family of door controllers has been the subject of another high‑severity advisory cycle: the CSAF packet you provided describes remote‑exploitable command‑injection weaknesses and related firmware‑verification and credential‑handling flaws that could allow attackers to...

A newly recorded high-severity vulnerability, tracked as CVE-2025-64671, affects GitHub Copilot integrations for JetBrains IDEs and is described as a command-injection flaw that can lead to local code execution under an interactive user account — a class of bug that elevates risk for developer...

Microsoft and third‑party trackers have published a high‑severity advisory for CVE‑2025‑62222: a command‑injection (remote code execution) flaw in the Visual Studio Code Copilot Chat / agentic AI extension that can be triggered by attacker‑controlled prompt or repository content and, under...

Two newly disclosed, high‑severity flaws in the Viessmann Vitogate 300 — tracked as CVE‑2025‑9494 and CVE‑2025‑9495 — expose widely deployed gateway devices to OS command injection and client‑side authentication bypass vulnerabilities, creating realistic paths to full device compromise for...

Westermo’s WeOS 5 series has a newly disclosed high‑severity vulnerability that deserves immediate attention from industrial network operators and Windows network teams responsible for OT‑IT convergence, because it can be used to inject operating‑system commands when an attacker can reach an...

Schneider Electric has published coordinated advisories describing two OS command injection flaws in the BLMon monitoring console used by Saitel DR and Saitel DP Remote Terminal Units (RTUs), vulnerabilities that allow authenticated console users to inject and execute arbitrary shell commands...

A high‑risk elevation‑of‑privilege vulnerability affecting Microsoft Azure Arc has been disclosed and patched — but the public tracking and identifier details are messy, and administrators must act now to confirm which of their Arc installations are affected, apply vendor fixes, and harden local...

CISA’s KEV catalog grew again this week with the addition of two high‑risk router flaws tied to active exploitation, underscoring an uncomfortable reality for IT teams: inexpensive consumer and small‑office routers remain a prime target for adversaries and can pose outsized risk to enterprise...

CISA has formally added CVE-2025-54948 — a critical OS command injection in Trend Micro Apex One’s on‑premises Management Console — to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and triggering accelerated remediation expectations for federal...

Siemens’ RUGGEDCOM APE1808 appliances carry high‑risk management‑plane vulnerabilities that can let an authenticated administrator—or an attacker who gains elevated credentials—execute arbitrary operating‑system commands and escalate local service privileges, creating a significant threat to...

CISA’s decision to add two newly assigned CVEs affecting N‑able’s N‑central — CVE‑2025‑8875 (insecure deserialization) and CVE‑2025‑8876 (command injection) — to the Known Exploited Vulnerabilities (KEV) Catalog elevates those flaws from vendor-tracked issues to agency‑mandated remediation...