CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76
CVEs mapped to this weakness (1,552)
page 62 of 78

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-1905 | | | 0.04 | — | 0.10 | | Dec 29, 2014 | Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a… |
| CVE-2014-9144 | | | 0.04 | — | 0.09 | | Dec 5, 2014 | Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to execute arbitrary commands via shell metacharacters in the ping field (setobject_ip parameter). |
| CVE-2010-2008 | | | 0.04 | — | 0.09 | | Jul 13, 2010 | MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence,… |
| CVE-2025-54782 | | | 0.03 | — | 0.46 | | Aug 1, 2025 | Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP… |
| CVE-2022-25765 | | | 0.03 | — | 0.39 | | Sep 9, 2022 | The package pdfkit from 0.0.0 is vulnerable to Command Injection where the URL is not properly sanitized. |
| CVE-2022-25766 | | | 0.03 | — | 0.34 | | Mar 21, 2022 | The package ungit before 1.5.20 is vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values (remote and ref) are passed to the git fetch command. By injecting some git options it was possible… |
| CVE-2013-7285 | | | 0.03 | — | 0.84 | | May 15, 2019 | Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, e.g. JSON. |
| CVE-2014-7208 | | | 0.03 | — | 0.01 | | Dec 19, 2014 | GParted before 0.15.0 allows local users to execute arbitrary commands with root privileges via shell metacharacters in a crafted filesystem label. |
| CVE-2014-1216 | | | 0.03 | — | 0.04 | | Apr 22, 2014 | FitNesse Wiki 20131110, 20140201, and earlier allows remote attackers to execute arbitrary commands by defining a COMMAND_PATTERN and TEST_RUNNER in the pageContent parameter when editing a page. |
| CVE-2018-1000802 | | Cri | 0.02 | 9.8 | 0.21 | | Sep 18, 2018 | Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via… |
| CVE-2024-52308 | | | 0.01 | — | 0.01 | | Nov 14, 2024 | The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an… |
| CVE-2024-9264 | | | 0.01 | — | 0.98 | | Oct 18, 2024 | The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user… |
| CVE-2024-3116 | | | 0.01 | — | 0.65 | | Apr 4, 2024 | pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and… |
| CVE-2023-27848 | | | 0.01 | — | 0.02 | | Apr 24, 2023 | broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function. |
| CVE-2022-28220 | | | 0.01 | — | 0.02 | | Sep 8, 2022 | Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. The fix for CVE-2021-38542, which solved a similar problem from Apache James 3.6.1, is subject to a parser differential and does not take into account concurrent… |
| CVE-2021-36024 | | | 0.01 | — | 0.03 | | Sep 1, 2021 | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file… |
| CVE-2021-38556 | | | 0.01 | — | 0.13 | | Aug 24, 2021 | includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection. |
| CVE-2021-26275 | | | 0.01 | — | 0.03 | | Mar 18, 2021 | The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The ozum/eslint-fixer GitHub repository has been intentionally… |
| CVE-2021-3148 | | | 0.01 | — | 0.08 | | Feb 27, 2021 | An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py. |
| CVE-2020-28426 | | | 0.01 | — | 0.02 | | Feb 1, 2021 | All versions of package kill-process-on-port are vulnerable to Command Injection via a.getProcessPortId. |