VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 19 of 78
  • CVE-2016-2875 · High · Aug 8, 2016
    risk 0.57 · cvss 8.8 · epss 0.02

    IBM Security QRadar SIEM 7.1.x and 7.2.x before 7.2.7 allows remote authenticated users to execute arbitrary OS commands as root via unspecified vectors.

  • CVE-2016-2332 · High · Apr 25, 2016
    risk 0.57 · cvss 8.8 · epss 0.03

    flu.cgi in the web interface on SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 allows remote authenticated users to execute arbitrary commands via the 5066 (aka dnsmasq) parameter.

  • CVE-2026-30624 · High · Apr 15, 2026
    risk 0.56 · cvss 8.6 · epss 0.00

    Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These values are executed by the…

  • CVE-2026-30617 · High · Apr 15, 2026
    risk 0.56 · cvss 8.6 · epss 0.00

    LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands…

  • CVE-2026-5463 · High · Apr 3, 2026
    risk 0.56 · cvss 8.6 · epss 0.02

    Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute…

  • CVE-2025-5113 · High · Jun 2, 2025
    risk 0.56 · cvss n/a · epss 0.07

    The Diviotec professional series exposes a web interface. One endpoint is vulnerable to arbitrary command injection and hardcoded passwords are used.

  • CVE-2025-4010 · High · Jun 2, 2025
    risk 0.56 · cvss n/a · epss 0.01

    The Netcom NTC 6200 and NWL 222 series expose a web interface to be configured and set up by operators. Multiple endpoints of the web interface are vulnerable to arbitrary command injection and use insecure hardcoded passwords. Remote authenticated attackers can gain arbitrary…

  • CVE-2015-5003 · High · Jan 3, 2016
    risk 0.56 · cvss 8.5 · epss 0.03

    The portal in IBM Tivoli Monitoring (ITM) 6.2.2 through FP9, 6.2.3 through FP5, and 6.3.0 before FP7 allows remote authenticated users to execute arbitrary commands by leveraging Take Action view authority and providing crafted input.

  • CVE-2026-45628 · Critical · May 29, 2026
    risk 0.55 · cvss 9.6 · epss 0.00

    Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and…

  • CVE-2026-2740 · High · May 21, 2026
    risk 0.55 · cvss 8.4 · epss 0.02

    Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.

  • CVE-2024-45257 · High · May 8, 2026
    risk 0.55 · cvss 7.3 · epss 0.04

    A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server via a crafted build parameter. This occurs in freeze in core/generators.py.

  • CVE-2026-4048 · High · Apr 20, 2026
    risk 0.55 · cvss 8.4 · epss 0.02

    OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file…

  • CVE-2026-3519 · High · Apr 20, 2026
    risk 0.55 · cvss 8.4 · epss 0.02

    OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command

  • CVE-2026-3518 · High · Apr 20, 2026
    risk 0.55 · cvss 8.4 · epss 0.03

    OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command

  • CVE-2026-3517 · High · Apr 20, 2026
    risk 0.55 · cvss 8.4 · epss 0.18

    OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry'…

  • CVE-2024-53412 · High · Apr 15, 2026
    risk 0.55 · cvss 8.4 · epss 0.01

    Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field

  • CVE-2025-11921 · High · Nov 24, 2025
    risk 0.55 · cvss n/a · epss 0.01

    iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection. This issue affects iStats: 7.10.4.

  • CVE-2025-41250 · High · Sep 29, 2025
    risk 0.55 · cvss 8.5 · epss 0.01

    VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks.

  • CVE-2025-59817 · High · Sep 25, 2025
    risk 0.55 · cvss 8.4 · epss 0.00

    This vulnerability allows attackers to execute arbitrary commands on the underlying system. Because the web portal runs with root privileges, successful exploitation grants full control over the device, potentially compromising its availability, confidentiality, and integrity.

  • CVE-2025-59815 · High · Sep 25, 2025
    risk 0.55 · cvss 8.4 · epss 0.00

    This vulnerability allows malicious actors to execute arbitrary commands on the underlying system of the Zenitel ICX500 and ICX510 Gateway, granting shell access. Exploitation can compromise the device’s availability, confidentiality, and integrity.