VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Class · Draft · Likelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 58 of 78
  • CVE-2026-2163 · Med · Feb 8, 2026
    risk 0.31 · cvss 4.7 · epss 0.05

    A vulnerability was identified in D-Link DIR-600 up to 2.15WWb02. This vulnerability affects unknown code of the file ssdp.cgi. Such manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack may be launched remotely. The…

  • CVE-2026-2082 · Med · Feb 7, 2026
    risk 0.31 · cvss 4.7 · epss 0.04

    A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command injection. The attack may be performed from remote. The exploit is publicly…

  • CVE-2026-2081 · Med · Feb 7, 2026
    risk 0.31 · cvss 4.7 · epss 0.05

    A vulnerability was determined in D-Link DIR-823X 250416. The affected element is an unknown function of the file /goform/set_password. This manipulation of the argument http_passwd causes os command injection. The attack is possible to be carried out remotely. The exploit has…

  • CVE-2026-2063 · Med · Feb 6, 2026
    risk 0.31 · cvss 4.7 · epss 0.04

    A security flaw has been discovered in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/set_ac_server of the component Web Management Interface. The manipulation of the argument ac_server results in os command injection. The attack can be…

  • CVE-2026-2061 · Med · Feb 6, 2026
    risk 0.31 · cvss 4.7 · epss 0.04

    A vulnerability was determined in D-Link DIR-823X 250416. Affected by this issue is the function sub_424D20 of the file /goform/set_ipv6. Executing a manipulation can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly…

  • CVE-2026-2000 · Med · Feb 6, 2026
    risk 0.31 · cvss 4.7 · epss 0.14

    A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack…

  • CVE-2026-1690 · Med · Jan 30, 2026
    risk 0.31 · cvss 4.7 · epss 0.04

    A flaw has been found in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. This affects the function system of the file /boaform/formSysCmd. This manipulation of the argument sysCmd causes command injection. The attack may be initiated remotely. The exploit has been published and…

  • CVE-2026-1419 · Med · Jan 26, 2026
    risk 0.31 · cvss 4.7 · epss 0.15

    A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched…

  • CVE-2025-15367 · Med · Jan 20, 2026
    risk 0.31 · cvss · epss 0.00

    The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

  • CVE-2025-15366 · Med · Jan 20, 2026
    risk 0.31 · cvss · epss 0.00

    The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

  • CVE-2026-1064 · Med · Jan 17, 2026
    risk 0.31 · cvss 4.7 · epss 0.04

    A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection.…

  • CVE-2026-1063 · Med · Jan 17, 2026
    risk 0.31 · cvss 4.7 · epss 0.04

    A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection.…

  • CVE-2025-14648 · Med · Dec 14, 2025
    risk 0.31 · cvss 4.7 · epss 0.07

    A security vulnerability has been detected in DedeBIZ up to 6.5.9. Affected by this vulnerability is an unknown functionality of the file /src/admin/catalog_add.php. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been…

  • CVE-2025-14094 · Med · Dec 5, 2025
    risk 0.31 · cvss 4.7 · epss 0.18

    A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may…

  • CVE-2025-14093 · Med · Dec 5, 2025
    risk 0.31 · cvss 4.7 · epss 0.17

    A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in os command injection. The attack can be launched remotely. The exploit is now public…

  • CVE-2025-14092 · Med · Dec 5, 2025
    risk 0.31 · cvss 4.7 · epss 0.15

    A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to os command injection. The attack can be initiated remotely. The exploit…

  • CVE-2025-12296 · Med · Oct 27, 2025
    risk 0.31 · cvss 4.7 · epss 0.07

    A security vulnerability has been detected in D-Link DAP-2695 2.00RC13. The impacted element is the function sub_4174B0 of the component Firmware Update Handler. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed…

  • CVE-2025-11335 · Med · Oct 6, 2025
    risk 0.31 · cvss 4.7 · epss 0.05

    A weakness has been identified in D-Link DI-7100G C1 up to 20250928. Affected by this vulnerability is the function sub_46409C of the file /msp_info.htm?flag=qos of the component jhttpd. This manipulation of the argument iface causes command injection. The attack is possible to…

  • CVE-2025-11331 · Med · Oct 6, 2025
    risk 0.31 · cvss 4.7 · epss 0.18

    A vulnerability was found in IdeaCMS up to 1.8. The impacted element is an unknown function of the file app/common/logic/admin/Config.php of the component Website Name Handler. Performing manipulation of the argument 网站名称 results in command injection. The attack may be…

  • CVE-2025-11141 · Med · Sep 29, 2025
    risk 0.31 · cvss 4.7 · epss 0.04

    A security flaw has been discovered in Ruijie NBR2100G-E up to 20250919. Affected by this issue is the function listAction of the file /itbox_pi/branch_passw.php?a=list. Performing manipulation of the argument city results in os command injection. The attack is possible to be…