Metasploit Exploits
3,315 exploits tracked across all sources.
Nagios XI 5.7.3 - Command Injection
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.
by Chris Lyne, Erik Wynter
CVSS 7.2
VMware vRealize Log Insight 3.0-4.8 - Unauthenticated Exposure of Sensitive Session Information
VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication.
by Horizon3.ai Attack Team
CVSS 5.3
MajorDoMo < 2023-11-15 - Remote Code Execution via thumb.php Shell Metacharacters
MajorDoMo (aka Major Domestic Module) before 0662e5e allows command execution via thumb.php shell metacharacters. NOTE: this is unrelated to the Majordomo mailing-list manager.
by Valentin Lobstein, smcintyre-r7
CVSS 9.8
GNU C Library <2.39 - Buffer Overflow
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
by Sergey Temnikov, Charles Fol, Heyder, jheysel-r7
CVSS 7.3
Crestron Am-100 Firmware < 2.4.1.19 - OS Command Injection
The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
CVSS 9.8
IPFire < 2.19 Core Update 101 - Authenticated Remote Command Execution via proxy.cgi NCSA User Creation Form
A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the 'proxy.cgi' CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, leading to command execution with web server privileges.
by h00die <[email protected]>, Yann CAM
Authenticated RCE in Splunk (splunk_archiver app)
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or power Splunk roles could cause a Remote Code Execution through an external lookup that references the “splunk_archiver“ application.
by Maksim Rogov, Alex Hordijk, psytester
CVSS 8.8
Palo Alto Networks Expedition 1.2.0-1.2.95 - Authenticated OS Command Injection
An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
by Michael Heinzl, Zach Hanley, Enrique Castillo, Brian Hysell
CVSS 6.5
MotionEye <= 0.43.1b4 - Authenticated Configuration Command Injection
MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.
by Maksim Rogov, prabhatverma47
CVSS 7.2
Ivanti Connect Secure Authenticated Remote Code Execution via OpenSSL CRLF Injection
Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution.
by Richard Warren, Christophe De La Fuente
CVSS 8.8
IBM Security QRadar SIEM <7.4 - Auth Bypass
IBM Security QRadar SIEM 7.2 and 7.3 could allow a user to bypass authentication which could lead to code execution. IBM X-Force ID: 138824.
by Pedro Ribeiro <[email protected]>
CVSS 8.8
Xorcom CompletePBX <5.2.35 - Command Injection
Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing for attackers to execute arbitrary commands as the root user.
This issue affects CompletePBX: all versions up to and prior to 5.2.35
by Valentin Lobstein
CVSS 8.8
SolarView Compact Firmware <= 6.00 - Remote Command Execution via downloader.php
There is a command injection vulnerability in SolarView Compact through 6.00, attackers can execute commands by bypassing internal restrictions through downloader.php.
CVSS 9.8
Hak5 WiFi Pineapple 2.0-2.3 - Predictable CSRF Token
Hak5 WiFi Pineapple 2.0 through 2.3 uses predictable CSRF tokens.
by catatonicprime
CVSS 7.5
Hikvision IP Camera Unauthenticated Command Injection
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
by Watchful_IP, bashis, jbaines-r7
CVSS 9.8
Cisco RV Series Firmware - Unauthenticated RCE and Auth Bypass
Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
by Takeshi Shiomitsu, jbaines-r7
CVSS 5.3
SaltStack Salt < 3002.5 - Unauthenticated Remote Command Execution via wheel_async Client
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
by Alex Seymour, Christophe De La Fuente
CVSS 9.8
Ivanti Connect Secure <22.7R2.5 - RCE
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
by Stephen Fewer, Christophe De La Fuente
CVSS 9.0
Unauthenticated RCE in NetAlertX
NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.
by Chebuya (Rhino Security Labs), Takahiro Yokoyama
CVSS 10.0
Netis Wifi Router - Info Disclosure
An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the parameter password at the change admin password page at the router web interface.
CVSS 7.5
Pandora FMS 774-778 - OS Command Injection via Netflow Directory Field
Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778
by msutovsky-r7
CVSS 9.8
DD-WRT < 24 - Remote Code Execution via CGI-BIN URI Shell Metacharacters
httpd.c in httpd in the management GUI in DD-WRT 24 sp1, and other versions before build 12533, allows remote attackers to execute arbitrary commands via shell metacharacters in a request to a cgi-bin/ URI.
by gat3way, hdm
Symantec Web Gateway < 5.0.3 - Remote Code Execution via Management GUI Script Access
The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not properly restrict access to application scripts, which allows remote attackers to execute arbitrary code by (1) injecting crafted data or (2) including crafted data.
by Unknown, muts, sinn3r
Eir D1000 Modem Firmware - Remote Code Execution via TR-064 Protocol
The Eir D1000 modem does not properly restrict the TR-064 protocol, which allows remote attackers to execute arbitrary commands via TCP port 7547, as demonstrated by opening WAN access to TCP port 80, retrieving the login password (which defaults to the Wi-Fi password), and using the NewNTPServer feature.
by Kenzo
CVSS 9.8
Invoice Ninja < 5.10.43 - Unauthenticated Remote Code Execution via Route Hash Deserialization
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function.
CVSS 8.8
By Source