CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76
CVEs mapped to this weakness (1,552)
page 58 of 78| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-2163 | Med | 0.31 | 4.7 | 0.05 | Feb 8, 2026 | A vulnerability was identified in D-Link DIR-600 up to 2.15WWb02. This vulnerability affects unknown code of the file ssdp.cgi. Such manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack may be launched remotely. The… | ||
| CVE-2026-2082 | Med | 0.31 | 4.7 | 0.04 | Feb 7, 2026 | A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command injection. The attack may be performed from remote. The exploit is publicly… | ||
| CVE-2026-2081 | Med | 0.31 | 4.7 | 0.05 | Feb 7, 2026 | A vulnerability was determined in D-Link DIR-823X 250416. The affected element is an unknown function of the file /goform/set_password. This manipulation of the argument http_passwd causes os command injection. The attack is possible to be carried out remotely. The exploit has… | ||
| CVE-2026-2063 | Med | 0.31 | 4.7 | 0.04 | Feb 6, 2026 | A security flaw has been discovered in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/set_ac_server of the component Web Management Interface. The manipulation of the argument ac_server results in os command injection. The attack can be… | ||
| CVE-2026-2061 | Med | 0.31 | 4.7 | 0.04 | Feb 6, 2026 | A vulnerability was determined in D-Link DIR-823X 250416. Affected by this issue is the function sub_424D20 of the file /goform/set_ipv6. Executing a manipulation can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly… | ||
| CVE-2026-2000 | Med | 0.31 | 4.7 | 0.14 | Feb 6, 2026 | A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack… | ||
| CVE-2026-1690 | Med | 0.31 | 4.7 | 0.04 | Jan 30, 2026 | A flaw has been found in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. This affects the function system of the file /boaform/formSysCmd. This manipulation of the argument sysCmd causes command injection. The attack may be initiated remotely. The exploit has been published and… | ||
| CVE-2026-1419 | Med | 0.31 | 4.7 | 0.15 | Jan 26, 2026 | A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched… | ||
| CVE-2025-15367 | Med | 0.31 | — | 0.00 | Jan 20, 2026 | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | ||
| CVE-2025-15366 | Med | 0.31 | — | 0.00 | Jan 20, 2026 | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | ||
| CVE-2026-1064 | Med | 0.31 | 4.7 | 0.04 | Jan 17, 2026 | A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection.… | ||
| CVE-2026-1063 | Med | 0.31 | 4.7 | 0.04 | Jan 17, 2026 | A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection.… | ||
| CVE-2025-14648 | Med | 0.31 | 4.7 | 0.07 | Dec 14, 2025 | A security vulnerability has been detected in DedeBIZ up to 6.5.9. Affected by this vulnerability is an unknown functionality of the file /src/admin/catalog_add.php. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been… | ||
| CVE-2025-14094 | Med | 0.31 | 4.7 | 0.18 | Dec 5, 2025 | A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may… | ||
| CVE-2025-14093 | Med | 0.31 | 4.7 | 0.17 | Dec 5, 2025 | A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in os command injection. The attack can be launched remotely. The exploit is now public… | ||
| CVE-2025-14092 | Med | 0.31 | 4.7 | 0.15 | Dec 5, 2025 | A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to os command injection. The attack can be initiated remotely. The exploit… | ||
| CVE-2025-12296 | Med | 0.31 | 4.7 | 0.07 | Oct 27, 2025 | A security vulnerability has been detected in D-Link DAP-2695 2.00RC13. The impacted element is the function sub_4174B0 of the component Firmware Update Handler. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed… | ||
| CVE-2025-11335 | Med | 0.31 | 4.7 | 0.05 | Oct 6, 2025 | A weakness has been identified in D-Link DI-7100G C1 up to 20250928. Affected by this vulnerability is the function sub_46409C of the file /msp_info.htm?flag=qos of the component jhttpd. This manipulation of the argument iface causes command injection. The attack is possible to… | ||
| CVE-2025-11331 | Med | 0.31 | 4.7 | 0.18 | Oct 6, 2025 | A vulnerability was found in IdeaCMS up to 1.8. The impacted element is an unknown function of the file app/common/logic/admin/Config.php of the component Website Name Handler. Performing manipulation of the argument 网站名称 results in command injection. The attack may be… | ||
| CVE-2025-11141 | Med | 0.31 | 4.7 | 0.04 | Sep 29, 2025 | A security flaw has been discovered in Ruijie NBR2100G-E up to 20250919. Affected by this issue is the function listAction of the file /itbox_pi/branch_passw.php?a=list. Performing manipulation of the argument city results in os command injection. The attack is possible to be… |
- risk 0.31cvss 4.7epss 0.05
A vulnerability was identified in D-Link DIR-600 up to 2.15WWb02. This vulnerability affects unknown code of the file ssdp.cgi. Such manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack may be launched remotely. The…
- risk 0.31cvss 4.7epss 0.04
A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command injection. The attack may be performed from remote. The exploit is publicly…
- risk 0.31cvss 4.7epss 0.05
A vulnerability was determined in D-Link DIR-823X 250416. The affected element is an unknown function of the file /goform/set_password. This manipulation of the argument http_passwd causes os command injection. The attack is possible to be carried out remotely. The exploit has…
- risk 0.31cvss 4.7epss 0.04
A security flaw has been discovered in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/set_ac_server of the component Web Management Interface. The manipulation of the argument ac_server results in os command injection. The attack can be…
- risk 0.31cvss 4.7epss 0.04
A vulnerability was determined in D-Link DIR-823X 250416. Affected by this issue is the function sub_424D20 of the file /goform/set_ipv6. Executing a manipulation can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly…
- risk 0.31cvss 4.7epss 0.14
A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack…
- risk 0.31cvss 4.7epss 0.04
A flaw has been found in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. This affects the function system of the file /boaform/formSysCmd. This manipulation of the argument sysCmd causes command injection. The attack may be initiated remotely. The exploit has been published and…
- risk 0.31cvss 4.7epss 0.15
A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched…
- risk 0.31cvss —epss 0.00
The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
- risk 0.31cvss —epss 0.00
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
- risk 0.31cvss 4.7epss 0.04
A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection.…
- risk 0.31cvss 4.7epss 0.04
A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection.…
- risk 0.31cvss 4.7epss 0.07
A security vulnerability has been detected in DedeBIZ up to 6.5.9. Affected by this vulnerability is an unknown functionality of the file /src/admin/catalog_add.php. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been…
- risk 0.31cvss 4.7epss 0.18
A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may…
- risk 0.31cvss 4.7epss 0.17
A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in os command injection. The attack can be launched remotely. The exploit is now public…
- risk 0.31cvss 4.7epss 0.15
A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to os command injection. The attack can be initiated remotely. The exploit…
- risk 0.31cvss 4.7epss 0.07
A security vulnerability has been detected in D-Link DAP-2695 2.00RC13. The impacted element is the function sub_4174B0 of the component Firmware Update Handler. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed…
- risk 0.31cvss 4.7epss 0.05
A weakness has been identified in D-Link DI-7100G C1 up to 20250928. Affected by this vulnerability is the function sub_46409C of the file /msp_info.htm?flag=qos of the component jhttpd. This manipulation of the argument iface causes command injection. The attack is possible to…
- risk 0.31cvss 4.7epss 0.18
A vulnerability was found in IdeaCMS up to 1.8. The impacted element is an unknown function of the file app/common/logic/admin/Config.php of the component Website Name Handler. Performing manipulation of the argument 网站名称 results in command injection. The attack may be…
- risk 0.31cvss 4.7epss 0.04
A security flaw has been discovered in Ruijie NBR2100G-E up to 20250919. Affected by this issue is the function listAction of the file /itbox_pi/branch_passw.php?a=list. Performing manipulation of the argument city results in os command injection. The attack is possible to be…