VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Class · Draft · Likelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 27 of 78
  • CVE-2024-12111 · High · Dec 19, 2024
    risk 0.52 · cvss 8.0 · epss 0.00

    In a specific scenario, an LDAP user can abuse the authentication process using an injection attack in OpenText Privileged Access Manager, allowing authentication bypass. This issue affects Privileged Access Manager versions 23.3(4.4) and 24.3(4.5).

  • CVE-2024-29404 · High · Dec 3, 2024
    risk 0.52 · cvss 7.8 · epss 0.00

    An issue in Razer Synapse 3 v.3.9.131.20813 and Synapse 3 App v.20240213 allows a local attacker to execute arbitrary code via the export parameter of the Chroma Effects function in the Profiles component.

  • CVE-2024-28726 · High · Nov 12, 2024
    risk 0.52 · cvss 8.0 · epss 0.08

    An issue in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to execute arbitrary code via a crafted payload to the Diagnostics function.

  • CVE-2015-7982 · Critical · Sep 1, 2020
    risk 0.52 · cvss (not listed) · epss 0.01

    Versions of `gm` prior to 1.21.1 are affected by a command injection vulnerability. The vulnerability is triggered when user input is passed into `gm.compare()`, which fails to sanitize input correctly before calling the GraphicsMagick binary. Recommendation: Update to…

  • CVE-2017-8193 · High · Nov 22, 2017
    risk 0.52 · cvss 8.0 · epss 0.01

    The FusionSphere OpenStack V100R006C00SPC102(NFV) has a command injection vulnerability. Due to insufficient input validation on one port, an authenticated, local attacker may exploit the vulnerability to gain root privileges by sending a message with malicious commands.

  • CVE-2016-9554 · High · Jan 28, 2017
    risk 0.52 · cvss 7.2 · epss 0.24

    The Sophos Web Appliance Remote / Secure Web Gateway server (version 4.2.1.3) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. These vulnerabilities occur in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), in the…

  • CVE-2016-4822 · High · Jun 25, 2016
    risk 0.52 · cvss 8.0 · epss 0.01

    Corega CG-WLBARGL devices allow remote authenticated users to execute arbitrary commands via unspecified vectors.

  • CVE-1999-0039 · High · May 6, 1997
    risk 0.52 · cvss 7.3 · epss 0.16

    webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers to execute arbitrary commands via shell metacharacters in the distloc parameter.

  • CVE-2025-56814 · High · Jun 15, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    A code injection vulnerability in the wxExecute() function of OpenCPN v5.12.0 allows attackers to execute arbitrary code via embedding shell metacharacters.

  • CVE-2025-69600 · High · May 27, 2026
    risk 0.51 · cvss 7.8 · epss 0.01

    Command injection in Raynet rvia RayVentory Scan Engine 12.6 Update 8 and previous versions allows adversaries to execute commands via getconfig, upload, inventory, and oracle options.

  • CVE-2026-38945 · High · May 27, 2026
    risk 0.51 · cvss 7.8 · epss 0.01

    Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command.

  • CVE-2026-8632 · High · May 20, 2026
    risk 0.51 · cvss 7.8 · epss 0.01

    A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution via operating system command injection.

  • CVE-2026-46508 · High · May 15, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo…

  • CVE-2026-41611 · High · May 12, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

  • CVE-2026-7039 · High · Apr 26, 2026
    risk 0.51 · cvss 7.8 · epss 0.01

    A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit…

  • CVE-2026-32183 · High · Apr 14, 2026
    risk 0.51 · cvss 7.8 · epss 0.01

    Improper neutralization of special elements used in a command ('command injection') in Windows Snipping Tool allows an unauthorized attacker to execute code locally.

  • CVE-2026-35558 · High · Apr 3, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Improper neutralization of special elements in the authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to execute arbitrary code or redirect authentication flows by using specially crafted connection parameters that are processed by…

  • CVE-2026-23862 · High · Mar 16, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Dell ThinOS 10 versions prior to ThinOS 2602_10.0573 contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of…

  • CVE-2025-52365 · High · Mar 3, 2026
    risk 0.51 · cvss 7.8 · epss 0.01

    A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system(). The vulnerability arises from improper input handling where command-line…

  • CVE-2025-54564 · High · Aug 1, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    uploadsm in ChargePoint Home Flex 5.5.4.13 does not validate a user-controlled string for bz2 decompression, which allows command execution as the nobody user.