#command-injection
10 articles
This archive collects 11 articles tagged command-injection published between April 14, 2026 and June 9, 2026, giving security teams a focused view of how this topic has appeared across ZCyberNews coverage. Recent coverage references CVE-2026-31246, CVE-2021-47949, and CVE-2026-3854, with each report tied to the specific vulnerability context available in the source article. The affected-scope signals emphasize software development, technology, and telecommunications across Global, helping readers compare exposure patterns without adding claims beyond the archive data. Severity coverage includes 4 critical, 6 high, and 1 medium reports.
HIGHCVE-2026-42271: LiteLLM Flaw Exploited in the Wild, CISA Adds to KEV
CISA added CVE-2026-42271 (CVSS 8.7) to its Known Exploited Vulnerabilities catalog after evidence of active exploitation against BerriAI LiteLLM deployments.
CRITICALGPT-Pilot Command Injection Flaw CVE-2026-31246 Lets Users Execute
CVE-2026-31246 (CVSS 9.8) in GPT-Pilot's Executor.run() passes unvalidated user input to asyncio.createsubprocessshell(), enabling arbitrary command injection during project...
HIGHTenda AC6 Command Injection Flaw CVE-2026-8263 Lets Attackers Execute
CVE-2026-8263 (CVSS 5.8) in Tenda AC6 firmware 15.03.06.49multiTDE01 allows unauthenticated remote OS command injection via the /goform/WifiExtraSet endpoint.
HIGHTenda AC6 Router Flaws Enable Remote Command Injection
Two command injection vulnerabilities in Tenda AC6 firmware 15.03.06.23 let remote attackers execute arbitrary OS commands via the getLogFile and formWifiApScan functions.
HIGHCyberPanel 2.1 Flaw Lets Authenticated Attackers Execute Remote Code
CVE-2021-47949 (CVSS 8.8) in CyberPanel 2.1 lets authenticated attackers read arbitrary files and execute code via symlink attacks through the filemanager controller endpoint.
MEDIUMCVE-2024-30167: Atlona Matrix Switcher Flaw Lets Authenticated Users
CVE-2024-30167 (CVSS 6.3): Authenticated users can execute arbitrary commands as root on Atlona AT-OME-MS42 Matrix Switcher 1.1.2 via a crafted POST to /cgi-bin/time.cgi.
HIGHGitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push
CVE-2026-3854 (CVSS 8.7) lets authenticated users with push access achieve remote code execution on GitHub.com and GitHub Enterprise Server via a crafted git push command.
CRITICALPoC Exploit Released for Critical FortiSandbox Command Injection Flaw
A proof-of-concept exploit for CVE-2026-39808, a critical command injection vulnerability in Fortinet FortiSandbox, has been released. The flaw allows unauthenticated attackers to execute arbitrary OS commands as root.
CRITICALTP-Link Router Flaw Exploited by Mirai Botnet Variant
Attackers are exploiting CVE-2023-33538, a command injection flaw in TP-Link Archer AX21 routers, to deploy a Mirai botnet variant. The campaign hijacks devices for DDoS attacks and credential theft.
HIGHCritical PHP Composer Flaws Allow Remote Command Execution via Perforce Driver
Two high-severity command injection vulnerabilities (CVE-2026-40176, CVE-2026-40177) in PHP Composer's Perforce driver enable arbitrary command execution on developer systems during package operations.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.