VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Abstraction: Class · Status: Draft · Likelihood of Exploit: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 36 of 78
  • CVE-2022-2054 · High · Jun 12, 2022
    risk 0.48 · cvss 8.4 · epss 0.01

    Code Injection in GitHub repository nuitka/nuitka prior to 0.9.

  • CVE-2021-23381 · High · Apr 18, 2021
    risk 0.48 · cvss 7.3 · epss 0.01

    This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23379 · High · Apr 18, 2021
    risk 0.48 · cvss 7.3 · epss 0.01

    This affects all versions of package portkiller. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23375 · High · Apr 18, 2021
    risk 0.48 · cvss 7.3 · epss 0.01

    This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23374 · High · Apr 18, 2021
    risk 0.48 · cvss 7.3 · epss 0.01

    This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2020-28426 · High · Feb 1, 2021
    risk 0.48 · cvss 7.3 · epss 0.02

    All versions of package kill-process-on-port are vulnerable to Command Injection via a.getProcessPortId.

  • CVE-2011-4182 · High · Jun 12, 2018
    risk 0.48 · cvss 7.3 · epss 0.02

    Missing escaping of ESSID values in sysconfig of SUSE Linux Enterprise allows attackers controlling an access point to execute arbitrary code. Affected releases are sysconfig prior to 0.83.7-2.1.

  • CVE-2017-12094 · High · Nov 7, 2017
    risk 0.48 · cvss 7.4 · epss 0.01

    An exploitable vulnerability exists in the WiFi Channel parsing of Circle with Disney running firmware 2.0.1. A specially crafted SSID can cause the device to execute arbitrary sed commands. An attacker needs to setup an access point reachable by the device to trigger this…

  • CVE-2026-12197 · High · Jun 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.02

    A security flaw has been discovered in Ruijie EG105G-P 2.340. The impacted element is the function nslookup of the file /cgi-bin/luci/api/diagnose of the component JSON-RPC Diagnose Endpoint. Performing a manipulation of the argument params.target results in command injection.…

  • CVE-2026-10873 · High · Jun 4, 2026
    risk 0.47 · cvss 7.2 · epss 0.03

    A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly…

  • CVE-2026-10872 · High · Jun 4, 2026
    risk 0.47 · cvss 7.2 · epss 0.03

    A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public…

  • CVE-2026-10871 · High · Jun 4, 2026
    risk 0.47 · cvss 7.2 · epss 0.02

    A vulnerability has been found in Shibby Tomato 1.28.0000. This vulnerability affects the function start_6rd_tunnel of the file /sbin/rc of the component Web UI. Such manipulation of the argument ipv6_6rd_borderrelay leads to os command injection. It is possible to launch the…

  • CVE-2026-10870 · High · Jun 4, 2026
    risk 0.47 · cvss 7.2 · epss 0.02

    A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.…

  • CVE-2026-49196 · High · May 29, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands.

  • CVE-2026-5509 · High · May 27, 2026
    risk 0.47 · cvss 7.2 · epss 0.02

    An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execute arbitrary system commands through the web management interface. After successfully authenticating to the admin interface, an attacker can…

  • CVE-2026-24712 · High · May 14, 2026
    risk 0.47 · cvss 7.3 · epss 0.01

    Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection.

  • CVE-2026-36741 · High · May 13, 2026
    risk 0.47 · cvss 7.2 · epss 0.02

    U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Command Injection. The Network Time Protocol (NTP) configuration interface does not properly sanitize user-supplied input. An authenticated user with permission to configure NTP settings can inject…

  • CVE-2026-44871 · High · May 12, 2026
    risk 0.47 · cvss 7.2 · epss 0.01

    Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on…

  • CVE-2026-44872 · High · May 12, 2026
    risk 0.47 · cvss 7.2 · epss 0.01

    A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device.

  • CVE-2026-44870 · High · May 12, 2026
    risk 0.47 · cvss 7.2 · epss 0.01

    Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on…