NVD HIGH: CVE-2022-50994 — DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command inje...

Friday, May 8, 2026 at 01:16 PM UTC·Source: NIST NVD

Updated: Thursday, May 14, 2026 at 05:00 AM UTC

Executive Summary

DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized input passed to the otp_check.sh script to achieve remote code execution with web server privileges

Analysis

Indicators of Compromise (2)

CVE (1)

CVE-2022-50994

NVD MITRE CVE

IPv4 (1)

1.5.1.4

VirusTotal Shodan AbuseIPDB

Source Attribution

Originally published by NIST NVD on May 8, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Fragnesia Local Privilege Escalation report via ESP-in-TCP in the Linux Kernel

Bulletin ID: 2026-029-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/13/2026 18:45 PM PDT This is an ongoing issue. Information is subject to change. Please refer to our Security Bulletin (ID: 2026-030-AWS) for the most updated patching information. Description: Amazon is aware of CVE-20

CVE-2026-46300CVE-2026-43284

3h agoAWS Security Bulletins

LOWVulnerability

Ongoing updates on Copy.fail and variants

Bulletin ID: 2026-030-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/13/2026 10:00 PM PDT This is an ongoing issue. This bulletin will be updated as more information becomes available. Description: AWS is aware of the copy.fail or DirtyFrag class of issues - a set of privilege escalation

3h agoAWS Security Bulletins

MEDIUMVulnerability

Bunq applies for Mexican banking license

Bunq, the European neobank for "global citizens", has applied for a Mexican banking license.

5h agoFinextra