CVE Tracker

CVE ID	Severity	EPSS	Vendor	Description	Date	Status
CVE-2025-55182(2)	High	71.1%	MetaReact Server Components	Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.	Dec 5, 2025	KEV
CVE-2025-48703	High	46.4%	CWPControl Web Panel	CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.	Nov 4, 2025	KEV
CVE-2025-55177	High	0.9%	Meta PlatformsWhatsApp	Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.	Sep 2, 2025	KEV
CVE-2025-42999	High	70.3%	SAPNetWeaver	SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.	May 15, 2025	KEV
CVE-2025-31324(1)	High	35.3%	SAPNetWeaver	SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.	Apr 29, 2025	KEV
CVE-2024-50603	High	94.4%	AviatrixControllers	Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.	Jan 16, 2025	KEV
CVE-2018-14933	High	93.9%	NUUONVRmini Devices	NUUO NVRmini devices contain an OS command injection vulnerability. This vulnerability allows remote command execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.	Dec 18, 2024	KEV
CVE-2024-51378	High	93.9%	CyberPersonsCyberPanel	CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property.	Dec 4, 2024	KEV
CVE-2021-41277	High	94.4%	MetabaseMetabase	Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.	Nov 12, 2024	KEV
CVE-2020-15415	High	93.0%	DrayTekMultiple Vigor Routers	DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.	Sep 30, 2024	KEV
CVE-2016-3714	High	93.7%	ImageMagickImageMagick	ImageMagick contains an improper input validation vulnerability that affects the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders. This allows a remote attacker to execute arbitrary code via shell metacharacters in a crafted image.	Sep 9, 2024	KEV
CVE-2021-36380	High	93.6%	SunhilloSureLine	Sunhillo SureLine contains an OS command injection vulnerability that allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.	Mar 5, 2024	KEV
CVE-2023-28434	High	39.0%	MinIOMinIO	MinIO contains a security feature bypass vulnerability that allows an attacker to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket` to conduct privilege escalation. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.	Sep 19, 2023	KEV
CVE-2019-20500	High	92.2%	D-LinkDWL-2600AP Access Point	D-Link DWL-2600AP access point contains an authenticated command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter.	Jun 29, 2023	KEV
CVE-2020-12641	High	93.1%	RoundcubeRoundcube Webmail	Roundcube Webmail contains an remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.	Jun 22, 2023	KEV
CVE-2023-26083	High	7.1%	ArmMali Graphics Processing Unit (GPU)	Arm Mali GPU Kernel Driver contains an information disclosure vulnerability that allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.	Apr 7, 2023	KEV
CVE-2022-44877	High	94.5%	CWPControl Web Panel	CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter.	Jan 17, 2023	KEV
CVE-2019-18426	High	55.3%	Meta PlatformsWhatsApp	A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading.	May 23, 2022	KEV
CVE-2019-3568	High	47.4%	Meta PlatformsWhatsApp	A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.	Apr 19, 2022	KEV
CVE-2018-15982	High	93.8%	AdobeFlash Player	Adobe Flash Player com.adobe.tvsdk.mediacore.metadata Use After Free Vulnerability	Feb 15, 2022	KEV

CVE-2025-55182KEV

High

Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.

MetaEPSS 71.1%

CVE-2025-48703KEV

High

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

CWPEPSS 46.4%

CVE-2025-55177KEV

High

Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

Meta PlatformsEPSS 0.9%

CVE-2025-42999KEV

High

SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.

SAPEPSS 70.3%

CVE-2025-31324KEV

High

SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.

SAPEPSS 35.3%

CVE-2024-50603KEV

High

Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.

AviatrixEPSS 94.4%

CVE-2018-14933KEV

High

NUUO NVRmini devices contain an OS command injection vulnerability. This vulnerability allows remote command execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.

NUUOEPSS 93.9%

CVE-2024-51378KEV

High

CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property.

CyberPersonsEPSS 93.9%

CVE-2021-41277KEV

High

Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.

MetabaseEPSS 94.4%

CVE-2020-15415KEV

High

DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.

DrayTekEPSS 93.0%

CVE-2016-3714KEV

High

ImageMagick contains an improper input validation vulnerability that affects the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders. This allows a remote attacker to execute arbitrary code via shell metacharacters in a crafted image.

ImageMagickEPSS 93.7%

CVE-2021-36380KEV

High

Sunhillo SureLine contains an OS command injection vulnerability that allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.

SunhilloEPSS 93.6%

CVE-2023-28434KEV

High

MinIO contains a security feature bypass vulnerability that allows an attacker to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket` to conduct privilege escalation. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.

MinIOEPSS 39.0%

CVE-2019-20500KEV

High

D-Link DWL-2600AP access point contains an authenticated command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter.

D-LinkEPSS 92.2%

CVE-2020-12641KEV

High

Roundcube Webmail contains an remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

RoundcubeEPSS 93.1%

CVE-2023-26083KEV

High

Arm Mali GPU Kernel Driver contains an information disclosure vulnerability that allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.

ArmEPSS 7.1%

CVE-2022-44877KEV

High

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter.

CWPEPSS 94.5%

CVE-2019-18426KEV

High

A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading.

Meta PlatformsEPSS 55.3%

CVE-2019-3568KEV

High

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.

Meta PlatformsEPSS 47.4%

CVE-2018-15982KEV

High

Adobe Flash Player com.adobe.tvsdk.mediacore.metadata Use After Free Vulnerability

AdobeEPSS 93.8%

1 2