VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ClassDraftLikelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 26 of 78
  • CVE-2026-35580CriApr 7, 2026
    risk 0.52cvss 9.1epss 0.01

    Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with…

  • CVE-2025-24818HigApr 7, 2026
    risk 0.52cvss 8.0epss 0.01

    Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application.

  • CVE-2025-54416CriJul 26, 2025
    risk 0.52cvss 9.1epss 0.01

    tj-actions/branch-names is a Github actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and below, a critical vulnerability has been identified in the tj-actions/branch-names' GitHub Action workflow which…

  • CVE-2025-53104CriJul 1, 2025
    risk 0.52cvss 9.1epss 0.01

    gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in the discussion-to-slack.yml GitHub Actions workflow. Untrusted discussion fields (title, body,…

  • CVE-2025-52904HigJun 26, 2025
    risk 0.52cvss 8.0epss 0.01

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within…

  • CVE-2025-3545HigApr 14, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been classified as critical. Affected is the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizard/setLanguage of the component HTTP POST…

  • CVE-2025-3544HigApr 14, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014 and classified as critical. This issue affects the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizard/getCapabilityWeb of the component HTTP…

  • CVE-2025-3543HigApr 14, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400 and Magic R3010 up to V100R014 and classified as critical. This vulnerability affects the function FCGI_WizardProtoProcess of the file /api/wizard/setsyncpppoecfg of the component HTTP POST Request…

  • CVE-2025-3542HigApr 14, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability, which was classified as critical, was found in H3C Magic NX15, Magic NX400 and Magic R3010 up to V100R014. This affects the function FCGI_WizardProtoProcess of the file /api/wizard/getsyncpppoecfg of the component HTTP POST Request Handler. The manipulation…

  • CVE-2025-3541HigApr 13, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability, which was classified as critical, has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400 and Magic R3010 up to V100R014. Affected by this issue is the function FCGI_WizardProtoProcess of the file /api/wizard/getSpecs of the component HTTP POST Request…

  • CVE-2025-3540HigApr 13, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability classified as critical was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400 and Magic R3010 up to V100R014. Affected by this vulnerability is the function FCGI_WizardProtoProcess of the file /api/wizard/getCapability of the component HTTP POST Request…

  • CVE-2025-3539HigApr 13, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability classified as critical has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. Affected is the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizard/getBasicInfo of the component HTTP POST…

  • CVE-2025-2732HigMar 25, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/wizard/getWifiNeighbour of the component HTTP POST Request…

  • CVE-2025-2731HigMar 25, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/wizard/getDualbandSync of the component HTTP POST…

  • CVE-2025-2730HigMar 25, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been classified as critical. Affected is an unknown function of the file /api/wizard/getssidname of the component HTTP POST Request Handler. The…

  • CVE-2025-2729HigMar 25, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014 and classified as critical. This issue affects some unknown processing of the file /api/wizard/networkSetup of the component HTTP POST Request Handler. The…

  • CVE-2025-2728HigMar 25, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability has been found in H3C Magic NX30 Pro and Magic NX400 up to V100R014 and classified as critical. This vulnerability affects unknown code of the file /api/wizard/getNetworkConf. The manipulation leads to command injection. The attack needs to be approached within…

  • CVE-2025-2727HigMar 25, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability, which was classified as critical, was found in H3C Magic NX30 Pro up to V100R007. This affects an unknown part of the file /api/wizard/getNetworkStatus of the component HTTP POST Request Handler. The manipulation leads to command injection. Access to the local…

  • CVE-2025-2726HigMar 25, 2025
    risk 0.52cvss 8.0epss 0.01

    A vulnerability, which was classified as critical, has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. Affected by this issue is some unknown functionality of the file /api/esps of the component HTTP POST Request Handler.…

  • CVE-2025-2725HigMar 25, 2025
    risk 0.52cvss 8.0epss 0.09

    A vulnerability classified as critical was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. Affected by this vulnerability is an unknown functionality of the file /api/login/auth of the component HTTP POST Request Handler. The…