CWE-88 · Argument Injection
375 CVEs classified under CWE-88 (Argument Injection). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-40281 | Critical | 10.0 | 2026-05-06 | Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control char… |
| CVE-2024-24576 | Critical | 10.0 | 2024-04-09 | Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape argum… |
| CVE-2023-6269 | Critical | 10.0 | 2023-12-05 | An argument injection vulnerability has been identified in the administrative web interface of the Atos Unify OpenScape products "Session Border Controller" (… |
| CVE-2026-47365 | Critical | 9.9 | 2026-06-12 | Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authoriza… |
| CVE-2026-44450 | Critical | 9.9 | 2026-05-26 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary n… |
| CVE-2024-47553 | Critical | 9.9 | 2024-10-08 | A vulnerability has been identified in SINEC Security Monitor (All versions < V4.9.0). The affected application does not properly validate user input to the ``… |
| CVE-2024-39930 | Critical | 9.9 | 2024-07-04 | The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can… |
| CVE-2018-3856 | Critical | 9.9 | 2018-08-23 | An exploitable vulnerability exists in the smart cameras RTSP configuration of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The device i… |
| CVE-2026-40079 | Critical | 9.8 | 2026-06-25 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization i… |
| CVE-2026-31230 | Critical | 9.8 | 2026-05-12 | The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (robustness_evaluation_… |
| CVE-2026-42601 | Critical | 9.8 | 2026-05-09 | ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config J… |
| CVE-2026-6951 | Critical | 9.8 | 2026-04-25 | Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.s… |
| CVE-2026-22738 | Critical | 9.8 | 2026-03-27 | In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could… |
| CVE-2026-32304 | Critical | 9.8 | 2026-03-13 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes… |
| CVE-2026-27613 | Critical | 9.8 | 2026-02-25 | TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass… |
| CVE-2025-70327 | Critical | 9.8 | 2026-02-23 | TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The i… |
| CVE-2026-22583 | Critical | 9.8 | 2026-01-24 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module… |
| CVE-2026-22582 | Critical | 9.8 | 2026-01-24 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module)… |
| CVE-2026-24061 | Critical | 9.8 | 2026-01-21 | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. |
| CVE-2025-52480 | Critical | 9.8 | 2025-06-25 | Registrator is a GitHub app that automates creation of registration pull requests for julia packages to the General registry. Prior to version 1.9.5, if the cl… |