VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Class · Draft · Likelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 47 of 78
  • CVE-2020-28422 · Medium · Jul 25, 2022
    risk 0.42 · cvss 6.4 · epss 0.00

    All versions of package git-archive are vulnerable to Command Injection via the exports function.

  • CVE-2021-23727 · High · Dec 29, 2021
    risk 0.42 · cvss 7.5 · epss 0.04

    This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata…

  • CVE-2021-23360 · High · Mar 21, 2021
    risk 0.42 · cvss 7.5 · epss 0.02

    This affects the package killport before 1.0.2. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command…

  • CVE-2021-23337 · High · Feb 15, 2021
    risk 0.42 · cvss 7.2 · epss 0.22

    Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

  • CVE-2019-6986 · High · Jan 28, 2019
    risk 0.42 · cvss 7.5 · epss 0.03

    SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request.

  • CVE-2016-7076 · Medium · May 29, 2018
    risk 0.42 · cvss 6.4 · epss 0.00

    sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly…

  • CVE-2026-12219 · Medium · Jun 15, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be…

  • CVE-2026-11449 · Medium · Jun 7, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A security vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpc_sys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipulation leads to command injection. The attack may be performed from remote.…

  • CVE-2026-11447 · Medium · Jun 7, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A security flaw has been discovered in GL.iNet GL-MT3000 up to 4.4.5. Impacted is the function iwinfo_backend of the file iwinfo.so of the component MTK Backend. The manipulation of the argument device results in command injection. The attack can be executed remotely. The…

  • CVE-2026-11406 · Medium · Jun 6, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A vulnerability was determined in GL.iNet MT3000 up to 4.4.5. This vulnerability affects unknown code of the file ovpnclient.sh of the component OpenVPN Client Import Workflow. This manipulation causes command injection. Remote exploitation of the attack is possible. The exploit…

  • CVE-2026-11341 · Medium · Jun 5, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A flaw has been found in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_412DA0 of the file /boafrm/formIMEISetup. This manipulation of the argument IMEI_value causes os command injection. The attack can be initiated remotely. The exploit has been…

  • CVE-2026-11339 · Medium · Jun 5, 2026
    risk 0.41 · cvss 6.3 · epss 0.03

    A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is…

  • CVE-2026-10878 · Medium · Jun 5, 2026
    risk 0.41 · cvss 6.3 · epss 0.04

    A vulnerability was detected in D-Link DWR-M920 1.1.50/1.1.70. Affected is the function sub_41C8E8 of the file /boafrm/formSmsManage. Performing a manipulation of the argument action_value results in command injection. The attack is possible to be carried out remotely. The…

  • CVE-2026-10279 · Medium · Jun 1, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A vulnerability was identified in hiraishikentaro wezterm-mcp 0.1.0. The affected element is an unknown function of the file src/wezterm_executor.ts of the component switch_pane/write_to_specific_pane. The manipulation of the argument request.params.arguments.pane_id leads to os…

  • CVE-2026-10273 · High · Jun 1, 2026
    risk 0.41 · cvss 7.3 · epss 0.01

    A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated…

  • CVE-2026-10214 · High · Jun 1, 2026
    risk 0.41 · cvss 7.3 · epss 0.01

    A weakness has been identified in zhayujie chatgpt-on-wechat up to 2.0.8. This issue affects the function _get_safety_warning of the file agent/tools/bash/bash.py of the component Bash Tool. Executing a manipulation can lead to os command injection. The attack can be launched…

  • CVE-2026-10182 · Medium · May 31, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. The impacted element is the function formWlanSetup of the file /goform/formWlanSetup. Executing a manipulation of the argument enrollee can lead to command injection. The attack can be launched remotely. The exploit…

  • CVE-2026-10180 · Medium · May 31, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. Impacted is the function formSysCmd of the file /goform/formSysCmd. Such manipulation of the argument sysCmd leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to…

  • CVE-2026-10166 · Medium · May 31, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A vulnerability was determined in Edimax BR-6478AC 1.23. The affected element is the function formWlbasic of the file /goform/formWlbasic of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack is possible to be…

  • CVE-2026-10127 · Medium · May 30, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A weakness has been identified in Edimax BR-6478AC 1.23. This affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack may be initiated…