VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Class · Draft · Likelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 39 of 78
  • CVE-2025-50891 · High · Aug 19, 2025
    risk 0.47 · cvss 7.2 · epss 0.00

    The server-side backend for Adform Site Tracking before 2025-08-28 allows attackers to inject HTML or execute arbitrary code via cookie hijacking. NOTE: a customer does not need to take any action to update locally installed software (such as Adform Site Tracking 1.1).

  • CVE-2025-37102 · High · Jul 8, 2025
    risk 0.47 · cvss 7.2 · epss 0.01

    An authenticated command injection vulnerability exists in the Command line interface of HPE Networking Instant On Access Points. A successful exploitation could allow a remote attacker with elevated privileges to execute arbitrary commands on the underlying operating system…

  • CVE-2025-43948 · High · Apr 22, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    Codemers KLIMS 1.6.DEV allows Python code injection. A user can provide Python code as an input value for a parameter or qualifier (such as for sorting), which will get executed on the server side.

  • CVE-2024-36842 · High · Apr 15, 2025
    risk 0.47 · cvss 7.3 · epss 0.01

    An issue in Oncord+ Android Infotainment Systems OS Android 12, Model Hardware TS17, Hardware part Number F57L_V3.2_20220301, and Build Number PlatformVER:K24-2023/05/09-v0.01 allows a remote attacker to execute arbitrary code via the ADB port component.

  • CVE-2025-1536 · High · Feb 21, 2025
    risk 0.47 · cvss 7.3 · epss 0.03

    A vulnerability was found in Raisecom Multi-Service Intelligent Gateway up to 20250208. It has been declared as critical. This vulnerability affects unknown code of the file /vpn/vpn_template_style.php of the component Request Parameter Handler. The manipulation of the argument…

  • CVE-2025-22962 · High · Feb 13, 2025
    risk 0.47 · cvss 7.2 · epss 0.01

    A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json…

  • CVE-2025-23052 · High · Jan 14, 2025
    risk 0.47 · cvss 7.2 · epss 0.01

    Authenticated command injection vulnerability in the command line interface of a network management service. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as a privileged user on the underlying operating system.

  • CVE-2024-54007 · High · Jan 7, 2025
    risk 0.47 · cvss 7.2 · epss 0.02

    Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge which could lead to authenticated remote command execution. Successful exploitation of these vulnerabilities results in the ability of an attacker to execute arbitrary commands…

  • CVE-2024-54006 · High · Jan 7, 2025
    risk 0.47 · cvss 7.2 · epss 0.02

    Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge which could lead to authenticated remote command execution. Successful exploitation of these vulnerabilities results in the ability of an attacker to execute arbitrary commands…

  • CVE-2024-13062 · High · Jan 2, 2025
    risk 0.47 · cvss 7.2 · epss 0.01

    An unintended entry point vulnerability has been identified in certain router models, which may allow for arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information.

  • CVE-2024-12912 · High · Jan 2, 2025
    risk 0.47 · cvss 7.2 · epss 0.01

    An improper input insertion vulnerability in AiCloud on certain router models may lead to arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information.

  • CVE-2024-11013 · High · Nov 29, 2024
    risk 0.47 · cvss 7.2 · epss 0.01

    Command Injection vulnerability in NEC Corporation UNIVERGE IX from Ver9.2 to Ver10.10.21, for Ver10.8 up to Ver10.8.27, for Ver10.9 up to Ver10.9.14 and UNIVERGE IX-R/IX-V Ver1.2.15 and earlier allows an attacker to inject arbitrary CLI commands to be executed on the device…

  • CVE-2021-27702 · High · Nov 12, 2024
    risk 0.47 · cvss 7.3 · epss 0.00

    Sercomm Router Etisalat Model S3- AC2100 is affected by Incorrect Access Control via the diagnostic utility in the router dashboard.

  • CVE-2024-47461 · High · Nov 5, 2024
    risk 0.47 · cvss 7.2 · epss 0.02

    An authenticated command injection vulnerability exists in the Instant AOS-8 and AOS-10 command line interface. A successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This…

  • CVE-2024-6333 · High · Oct 17, 2024
    risk 0.47 · cvss 7.2 · epss 0.01

    Authenticated Remote Code Execution in Altalink, Versalink & WorkCentre Products.

  • CVE-2024-41637 · High · Jul 29, 2024
    risk 0.47 · cvss 8.3 · epss 0.01

    RaspAP before 3.1.5 allows an attacker to escalate privileges: the www-data user has write access to the restapi.service file and also possesses Sudo privileges to execute several critical commands without a password.

  • CVE-2024-41135 · High · Jul 24, 2024
    risk 0.47 · cvss 7.2 · epss 0.01

    A vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN gateway's Command Line Interface that allows remote authenticated users to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability will result in the ability to execute…

  • CVE-2024-41134 · High · Jul 24, 2024
    risk 0.47 · cvss 7.2 · epss 0.01

    A vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN gateway's Command Line Interface that allows remote authenticated users to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability will result in the ability to execute…

  • CVE-2024-41133 · High · Jul 24, 2024
    risk 0.47 · cvss 7.2 · epss 0.01

    A vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN gateway's Command Line Interface that allows remote authenticated users to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability will result in the ability to execute…

  • CVE-2024-36073 · High · Jun 27, 2024
    risk 0.47 · cvss 7.2 · epss 0.01

    Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the shadowing component of the Endpoint Protector and Unify agent which allows an attacker with administrative access to the Endpoint Protector or…