CVE-2026-1665 - Command Injection in nvm via NVM_AUTH_HEADER in wget code path
CVE ID : CVE-2026-1665
Published : Jan. 29, 2026, 11:16 p.m. | 9 hours, 9 minutes ago
Description : A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1665
Published : Jan. 29, 2026, 11:16 p.m. | 9 hours, 9 minutes ago
Description : A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1638 - Tenda AC21 mDMZSetCfg command injection
CVE ID : CVE-2026-1638
Published : Jan. 30, 2026, 12:15 a.m. | 8 hours, 9 minutes ago
Description : A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1638
Published : Jan. 30, 2026, 12:15 a.m. | 8 hours, 9 minutes ago
Description : A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15322 - Tanium addressed an improper access controls vulnerability in Tanium Server.
CVE ID : CVE-2025-15322
Published : Jan. 30, 2026, 1:15 a.m. | 7 hours, 9 minutes ago
Description : Tanium addressed an improper access controls vulnerability in Tanium Server.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15322
Published : Jan. 30, 2026, 1:15 a.m. | 7 hours, 9 minutes ago
Description : Tanium addressed an improper access controls vulnerability in Tanium Server.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-24714 - NETGEAR Telnet Enable Remote Command Execution
CVE ID : CVE-2026-24714
Published : Jan. 30, 2026, 5:16 a.m. | 3 hours, 9 minutes ago
Description : Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-24714
Published : Jan. 30, 2026, 5:16 a.m. | 3 hours, 9 minutes ago
Description : Some end of service NETGEAR products provide "TelnetEnable" functionality, which allows a magic packet to activate telnet service on the box.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-24728 - Interinfo DreamMaker - Missing Authentication for Critical Function
CVE ID : CVE-2026-24728
Published : Jan. 30, 2026, 5:16 a.m. | 3 hours, 9 minutes ago
Description : A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-24728
Published : Jan. 30, 2026, 5:16 a.m. | 3 hours, 9 minutes ago
Description : A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-24729 - Interinfo DreamMaker - Unrestricted Upload of File with Dangerous Type
CVE ID : CVE-2026-24729
Published : Jan. 30, 2026, 5:16 a.m. | 3 hours, 9 minutes ago
Description : An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-24729
Published : Jan. 30, 2026, 5:16 a.m. | 3 hours, 9 minutes ago
Description : An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25090 - Apache HTTP Server Cross-Site Request Forgery
CVE ID : CVE-2026-25090
Published : Jan. 30, 2026, 5:16 a.m. | 3 hours, 9 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25090
Published : Jan. 30, 2026, 5:16 a.m. | 3 hours, 9 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25091 - Cisco Webex Meeting Server Stored XSS
CVE ID : CVE-2026-25091
Published : Jan. 30, 2026, 5:16 a.m. | 3 hours, 9 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25091
Published : Jan. 30, 2026, 5:16 a.m. | 3 hours, 9 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1395 - Sensitive Data Exposure in CoDeriApp's HeyGarson
CVE ID : CVE-2025-1395
Published : Jan. 30, 2026, 9:15 a.m. | 3 hours, 10 minutes ago
Description : Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping.This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1395
Published : Jan. 30, 2026, 9:15 a.m. | 3 hours, 10 minutes ago
Description : Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping.This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21418 - Dell Unity OS Command Injection
CVE ID : CVE-2026-21418
Published : Jan. 30, 2026, 9:15 a.m. | 3 hours, 10 minutes ago
Description : Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21418
Published : Jan. 30, 2026, 9:15 a.m. | 3 hours, 10 minutes ago
Description : Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22277 - Dell UnityVSA OS Command Injection
CVE ID : CVE-2026-22277
Published : Jan. 30, 2026, 9:15 a.m. | 3 hours, 10 minutes ago
Description : Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22277
Published : Jan. 30, 2026, 9:15 a.m. | 3 hours, 10 minutes ago
Description : Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1699 - Eclipse Theia GitHub Actions Code Execution Vulnerability
CVE ID : CVE-2026-1699
Published : Jan. 30, 2026, 10:15 a.m. | 2 hours, 10 minutes ago
Description : In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1699
Published : Jan. 30, 2026, 10:15 a.m. | 2 hours, 10 minutes ago
Description : In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-26385 - Metasys product command injection vulnerability could allow remote SQL execution
CVE ID : CVE-2025-26385
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects * Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation, * Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation, * LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1, * System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior, * Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.
Severity: 9.5 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-26385
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects * Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation, * Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation, * LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1, * System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior, * Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.
Severity: 9.5 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-0709 - Hikvision Wireless Access Points Command Injection Vulnerability
CVE ID : CVE-2026-0709
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-0709
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22623 - HIKSEMI NAS Command Injection
CVE ID : CVE-2026-22623
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22623
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22624 - HIKSEMI NAS Authentication Bypass
CVE ID : CVE-2026-22624
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22624
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22625 - HIKSEMI NAS File Exposure Vulnerability
CVE ID : CVE-2026-22625
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files.
Severity: 4.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22625
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files.
Severity: 4.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22626 - HIKSEMI NAS Unvalidated Request Manipulation
CVE ID : CVE-2026-22626
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22626
Published : Jan. 30, 2026, 11:15 a.m. | 1 hour, 10 minutes ago
Description : Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13176 - Local privilege escalation in ESET Inspect Connector for Windows
CVE ID : CVE-2025-13176
Published : Jan. 30, 2026, 1:15 p.m. | 3 hours, 11 minutes ago
Description : Planting a custom configuration file in ESET Inspect Connector allow load a malicious DLL.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13176
Published : Jan. 30, 2026, 1:15 p.m. | 3 hours, 11 minutes ago
Description : Planting a custom configuration file in ESET Inspect Connector allow load a malicious DLL.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1498 - WatchGuard Firebox LDAP Injection
CVE ID : CVE-2026-1498
Published : Jan. 30, 2026, 1:15 p.m. | 3 hours, 11 minutes ago
Description : An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed authentication or management web interface. This vulnerability may also allow a remote attacker to authenticate as an LDAP user with a partial identifier if they additionally have that user's valid passphrase.This issue affects Fireware OS: from 12.0 through 12.11.6, from 12.5 through 12.5.15, from 2025.1 through 2026.0.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1498
Published : Jan. 30, 2026, 1:15 p.m. | 3 hours, 11 minutes ago
Description : An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed authentication or management web interface. This vulnerability may also allow a remote attacker to authenticate as an LDAP user with a partial identifier if they additionally have that user's valid passphrase.This issue affects Fireware OS: from 12.0 through 12.11.6, from 12.5 through 12.5.15, from 2025.1 through 2026.0.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6723 - Untrusted user data can lead to privilege escalation
CVE ID : CVE-2025-6723
Published : Jan. 30, 2026, 2:16 p.m. | 2 hours, 10 minutes ago
Description : Chef InSpec up to version 5.23 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef Inspec: through 5.23.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6723
Published : Jan. 30, 2026, 2:16 p.m. | 2 hours, 10 minutes ago
Description : Chef InSpec up to version 5.23 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef Inspec: through 5.23.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...