CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76
CVEs mapped to this weakness (1,552)
page 20 of 78| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-49565 | Hig | 0.55 | 8.4 | 0.01 | Sep 18, 2025 | The cbis_manager Podman container is vulnerable to remote command execution via the /api/plugins endpoint. Improper sanitization of the HTTP Headers X-FILENAME, X-PAGE, and X-FIELD allows for command injection. These headers are directly utilized within the subprocess.Popen… | ||
| CVE-2025-7388 | Hig | 0.55 | 8.4 | 0.01 | Sep 4, 2025 | It was possible to perform Remote Command Execution (RCE) via Java RMI interface in the OpenEdge AdminServer, allowing authenticated users to inject and execute OS commands under the delegated authority of the AdminServer process. An RMI interface permitted manipulation of a… | ||
| CVE-2024-48214 | Hig | 0.55 | 8.4 | 0.01 | Oct 30, 2024 | KERUI HD 3MP 1080P Tuya Camera 1.0.4 has a command injection vulnerability in the module that connects to the local network via a QR code. This vulnerability allows an attacker to create a custom, unauthenticated QR code and abuse one of the parameters, either SSID or PASSWORD,… | ||
| CVE-2024-4578 | Hig | 0.55 | 8.4 | 0.00 | Jun 27, 2024 | This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the “config” user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require… | ||
| CVE-2016-4922 | Hig | 0.55 | 8.4 | 0.00 | Oct 13, 2017 | Certain combinations of Junos OS CLI commands and arguments have been found to be exploitable in a way that can allow unauthorized access to the operating system. This may allow any user with permissions to run these CLI commands the ability to achieve elevated privileges and… | ||
| CVE-2026-30461 | Hig | 0.54 | 8.3 | 0.01 | Apr 15, 2026 | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule. | ||
| CVE-2025-54994 | Cri | 0.54 | — | 0.01 | Sep 8, 2025 | @akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and… | ||
| CVE-2025-4653 | Hig | 0.54 | — | 0.02 | Jun 10, 2025 | Improper Neutralization of Special Elements in the backup name field may allow OS command injection. This issue affects Pandora ITSM 5.0.105. | ||
| CVE-2025-46816 | Cri | 0.54 | 9.4 | 0.01 | May 6, 2025 | goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing… | ||
| CVE-2024-5023 | Cri | 0.54 | — | 0.01 | May 16, 2024 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Netflix ConsoleMe allows Command Injection.This issue affects ConsoleMe: before 1.4.0. | ||
| CVE-2026-48694 | Hig | 0.53 | 8.1 | 0.00 | May 26, 2026 | FastNetMon Community Edition through 1.2.9 contains a configuration injection vulnerability in the Juniper router integration plugin. In src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable (received from argv[1]) is directly interpolated into Juniper NETCONF… | ||
| CVE-2026-34259 | Hig | 0.53 | 8.2 | 0.00 | May 12, 2026 | Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the… | ||
| CVE-2026-20761 | Hig | 0.53 | 8.1 | 0.01 | Feb 20, 2026 | A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in arbitrary OS command execution on the device. | ||
| CVE-2025-24293 | — | Cri | 0.53 | — | 0.02 | Jan 30, 2026 | # Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the… | |
| CVE-2025-60595 | Hig | 0.53 | 8.2 | 0.00 | Oct 29, 2025 | SPH Engineering UgCS 5.13.0 is vulnerable to Arbitary code execution. | ||
| CVE-2025-52690 | — | Hig | 0.53 | 8.1 | 0.09 | Jul 16, 2025 | Successful exploitation of the vulnerability could allow an attacker to execute arbitrary commands as root, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point. | |
| CVE-2025-43858 | Cri | 0.53 | 9.2 | 0.00 | Apr 24, 2025 | YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt… | ||
| CVE-2024-27980 | — | Hig | 0.53 | 8.1 | 0.01 | Jan 9, 2025 | Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. | |
| CVE-2024-36138 | Hig | 0.53 | 8.1 | 0.01 | Sep 7, 2024 | Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even… | ||
| CVE-2024-5565 | Hig | 0.53 | 8.1 | 0.15 | May 31, 2024 | The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s… |
- risk 0.55cvss 8.4epss 0.01
The cbis_manager Podman container is vulnerable to remote command execution via the /api/plugins endpoint. Improper sanitization of the HTTP Headers X-FILENAME, X-PAGE, and X-FIELD allows for command injection. These headers are directly utilized within the subprocess.Popen…
- risk 0.55cvss 8.4epss 0.01
It was possible to perform Remote Command Execution (RCE) via Java RMI interface in the OpenEdge AdminServer, allowing authenticated users to inject and execute OS commands under the delegated authority of the AdminServer process. An RMI interface permitted manipulation of a…
- risk 0.55cvss 8.4epss 0.01
KERUI HD 3MP 1080P Tuya Camera 1.0.4 has a command injection vulnerability in the module that connects to the local network via a QR code. This vulnerability allows an attacker to create a custom, unauthenticated QR code and abuse one of the parameters, either SSID or PASSWORD,…
- risk 0.55cvss 8.4epss 0.00
This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the “config” user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require…
- risk 0.55cvss 8.4epss 0.00
Certain combinations of Junos OS CLI commands and arguments have been found to be exploitable in a way that can allow unauthorized access to the operating system. This may allow any user with permissions to run these CLI commands the ability to achieve elevated privileges and…
- risk 0.54cvss 8.3epss 0.01
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
- risk 0.54cvss —epss 0.01
@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and…
- risk 0.54cvss —epss 0.02
Improper Neutralization of Special Elements in the backup name field may allow OS command injection. This issue affects Pandora ITSM 5.0.105.
- risk 0.54cvss 9.4epss 0.01
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing…
- risk 0.54cvss —epss 0.01
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Netflix ConsoleMe allows Command Injection.This issue affects ConsoleMe: before 1.4.0.
- risk 0.53cvss 8.1epss 0.00
FastNetMon Community Edition through 1.2.9 contains a configuration injection vulnerability in the Juniper router integration plugin. In src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable (received from argv[1]) is directly interpolated into Juniper NETCONF…
- risk 0.53cvss 8.2epss 0.00
Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the…
- risk 0.53cvss 8.1epss 0.01
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in arbitrary OS command execution on the device.
- risk 0.53cvss —epss 0.02
# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the…
- risk 0.53cvss 8.2epss 0.00
SPH Engineering UgCS 5.13.0 is vulnerable to Arbitary code execution.
- risk 0.53cvss 8.1epss 0.09
Successful exploitation of the vulnerability could allow an attacker to execute arbitrary commands as root, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point.
- risk 0.53cvss 9.2epss 0.00
YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt…
- risk 0.53cvss 8.1epss 0.01
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
- risk 0.53cvss 8.1epss 0.01
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even…
- risk 0.53cvss 8.1epss 0.15
The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s…