VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ClassDraftLikelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 43 of 78
  • CVE-2024-53615MedJan 30, 2025
    risk 0.44cvss 6.5epss 0.01

    A command injection vulnerability in the video thumbnail rendering component of Karl Ward's files.gallery v0.3.0 through 0.11.0 allows remote attackers to execute arbitrary code via a crafted video file.

  • CVE-2025-0396HigJan 12, 2025
    risk 0.44cvss 7.8epss 0.01

    A vulnerability, which was classified as critical, has been found in exelban stats up to 2.11.21. This issue affects the function shouldAcceptNewConnection of the component XPC Service. The manipulation leads to command injection. It is possible to launch the attack on the local…

  • CVE-2024-48747MedNov 21, 2024
    risk 0.44cvss 6.8epss 0.01

    An issue in alist-tvbox v1.7.1 allows a remote attacker to execute arbitrary code via the /atv-cli file.

  • CVE-2024-38817MedOct 9, 2024
    risk 0.44cvss 6.7epss 0.01

    VMware NSX contains a command injection vulnerability.  A malicious actor with access to the NSX Edge CLI terminal may be able to craft malicious payloads to execute arbitrary commands on the operating system as root.

  • CVE-2022-42906HigOct 13, 2022
    risk 0.44cvss 7.8epss 0.00

    powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory…

  • CVE-2018-0481MedOct 5, 2018
    risk 0.44cvss 6.7epss 0.00

    A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability exist because the affected software improperly sanitizes…

  • CVE-2018-0477MedOct 5, 2018
    risk 0.44cvss 6.7epss 0.00

    A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability exist because the affected software improperly sanitizes…

  • CVE-2018-0324MedMay 17, 2018
    risk 0.44cvss 6.7epss 0.01

    A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, high-privileged, local attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of command parameters in the CLI…

  • CVE-2018-0224MedMar 8, 2018
    risk 0.44cvss 6.7epss 0.00

    A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series Aggregation Services Routers could allow an authenticated, local attacker to execute arbitrary commands with root privileges on an affected operating system. The vulnerability is due to…

  • CVE-2018-0217MedMar 8, 2018
    risk 0.44cvss 6.7epss 0.01

    A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series Aggregation Services Routers could allow an authenticated, local attacker to perform a command injection attack on an affected system. The vulnerability is due to insufficient validation of…

  • CVE-2017-12352MedNov 30, 2017
    risk 0.44cvss 6.7epss 0.00

    A vulnerability in certain system script files that are installed at boot time on Cisco Application Policy Infrastructure Controllers could allow an authenticated, local attacker to gain elevated privileges and execute arbitrary commands with root privileges on an affected host…

  • CVE-2017-12341MedNov 30, 2017
    risk 0.44cvss 6.7epss 0.01

    A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack. An attacker would need valid administrator credentials to perform this exploit. The vulnerability is due to insufficient input validation…

  • CVE-2017-12305MedNov 16, 2017
    risk 0.44cvss 6.7epss 0.01

    A vulnerability in the debug interface of Cisco IP Phone 8800 series could allow an authenticated, local attacker to execute arbitrary commands, aka Debug Shell Command Injection. The vulnerability is due to insufficient input validation. An attacker could exploit this…

  • CVE-2017-6794MedSep 7, 2017
    risk 0.44cvss 6.7epss 0.01

    A vulnerability in the CLI command-parsing code of Cisco Meeting Server could allow an authenticated, local attacker to perform command injection and escalate their privileges to root. The attacker must first authenticate to the application with valid administrator credentials.…

  • CVE-2014-9114HigMar 31, 2017
    risk 0.44cvss 7.8epss 0.01

    Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.

  • CVE-2016-9337MedFeb 13, 2017
    risk 0.44cvss 6.8epss 0.02

    An issue was discovered in Tesla Motors Model S automobile, all firmware versions before version 7.1 (2.36.31) with web browser functionality enabled. The vehicle's Gateway ECU is susceptible to commands that may allow an attacker to install malicious software allowing the…

  • CVE-2016-6649MedFeb 3, 2017
    risk 0.44cvss 6.7epss 0.01

    EMC RecoverPoint versions before 4.4.1.1 and EMC RecoverPoint for Virtual Machines versions before 5.0 are affected by multiple command injection vulnerabilities where a malicious administrator with configuration privileges may bypass the user interface and escalate his…

  • CVE-2015-5349HigApr 11, 2016
    risk 0.44cvss 7.8epss 0.02

    The CSV export in Apache LDAP Studio and Apache Directory Studio before 2.0.0-M10 does not properly escape field values, which might allow attackers to execute arbitrary commands by leveraging a crafted LDAP entry that is interpreted as a formula when imported into a spreadsheet.

  • CVE-2025-47188MedAug 7, 2025
    risk 0.43cvss 6.5epss 0.48

    A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, could allow an unauthenticated attacker to conduct a command injection attack due to…

  • CVE-2024-22197HigJan 11, 2024
    risk 0.43cvss 7.7epss 0.02

    Nginx-ui is online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API…