VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ClassDraftLikelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 12 of 78
  • CVE-2025-26385CriJan 30, 2026
    risk 0.62cvss epss 0.01

    Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects  * Metasys:…

  • CVE-2025-3621CriJul 15, 2025
    risk 0.62cvss 9.6epss 0.01

    Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems.  * vulnerabilities: * Improper Neutralization of Special Elements used in a Command ('Command Injection') * Use of Hard-coded…

  • CVE-2016-8523HigFeb 15, 2018
    risk 0.62cvss 8.8epss 0.17

    A Remote Arbitrary Code Execution vulnerability in HPE Smart Storage Administrator version before v2.60.18.0 was found.

  • CVE-2015-8257HigMay 2, 2017
    risk 0.62cvss 8.8epss 0.18

    The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_params.shtml.

  • CVE-2026-22755CriJan 13, 2026
    risk 0.61cvss epss 0.21

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Vivotek Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382,…

  • CVE-2025-29628CriJul 25, 2025
    risk 0.61cvss 9.4epss 0.00

    A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection in Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 leaving the string vulnerable to interception and…

  • CVE-2025-4009CriMay 28, 2025
    risk 0.61cvss epss 0.75

    The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and…

  • CVE-2023-5878CriFeb 6, 2025
    risk 0.61cvss epss 0.01

    Honeywell OneWireless Wireless Device Manager (WDM) for the following versions R310.x, R320.x, R321.x, R322.1, R322.2, R323.x, R330.1 contains a command injection vulnerability. An attacker who is authenticated could use the firmware update process to potentially exploit the…

  • CVE-2024-7397CriAug 5, 2024
    risk 0.61cvss epss 0.01

    Improper filering of special characters result in a command ('command injection') vulnerability in Korenix JetPort 5601v3.This issue affects JetPort 5601v3: through 1.2.

  • CVE-2024-38492CriJul 15, 2024
    risk 0.61cvss epss 0.01

    This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file.

  • CVE-2024-4999CriMay 16, 2024
    risk 0.61cvss epss 0.12

    A vulnerability in the web-based management interface of multiple Ligowave devices could allow an authenticated remote attacker to execute arbitrary commands with elevated privileges.This issue affects UNITY: through 6.95-2; PRO: through 6.95-1.Rt3883; MIMO: through…

  • CVE-2017-6048HigMay 19, 2017
    risk 0.61cvss 8.8epss 0.16

    A Command Injection issue was discovered in Satel Iberia SenNet Data Logger and Electricity Meters: SenNet Optimal DataLogger V5.37c-1.43c and prior, SenNet Solar Datalogger V5.03-1.56a and prior, and SenNet Multitask Meter V5.21a-1.18b and prior. Successful exploitation of this…

  • CVE-2016-0861HigFeb 5, 2016
    risk 0.61cvss 8.8epss 0.14

    General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to execute arbitrary commands via unspecified vectors.

  • CVE-2026-41090CriMay 22, 2026
    risk 0.60cvss 9.3epss 0.00

    Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.

  • CVE-2026-44257CriMay 12, 2026
    risk 0.60cvss epss 0.00

    efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and…

  • CVE-2025-61584CriSep 30, 2025
    risk 0.60cvss epss 0.00

    serverless-dns is a RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io. Versions through abd including 0.1.30 have a vulnerability where the pr.yml GitHub Action interpolates in an unsafe manner untrusted input, specifically the…

  • CVE-2025-10364CriSep 12, 2025
    risk 0.60cvss epss 0.06

    The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and…

  • CVE-2025-7769HigAug 6, 2025
    risk 0.60cvss epss 0.16

    Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to…

  • CVE-2025-29635HigKEVMar 25, 2025
    risk 0.60cvss 7.2epss 0.87

    A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution.

  • CVE-2024-51442HigJan 8, 2025
    risk 0.60cvss 8.8epss 0.02

    Command Injection in Minidlna version v1.3.3 and before allows an attacker to execute arbitrary OS commands via a specially crafted minidlna.conf configuration file.