VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Class · Draft · Likelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 8 of 78
  • CVE-2026-31059 · Critical · Apr 6, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A remote command execution (RCE) vulnerability in the /goform/formDia component of UTT Aggressive HiPER 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string.

  • CVE-2024-43028 · Critical · Apr 1, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request.

  • CVE-2026-30310 · Critical · Mar 31, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    In its design for automatic terminal command execution, Sixth offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a…

  • CVE-2026-4585 · Critical · Mar 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    A vulnerability has been found in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp of the component Configuration Handler. The manipulation of the argument File…

  • CVE-2025-15607 · Critical · Mar 20, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and…

  • CVE-2026-32194 · Critical · Mar 19, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.

  • CVE-2026-4170 · Critical · Mar 16, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A weakness has been identified in Topsec TopACM 3.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/management/nmc_sync.php of the component HTTP Request Handler. Executing a manipulation of the argument template_path can lead to os…

  • CVE-2026-4164 · Critical · Mar 16, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack…

  • CVE-2026-4163 · Critical · Mar 16, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. It is possible to initiate the attack…

  • CVE-2026-2686 · Critical · Feb 19, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A security vulnerability has been detected in SECCN Dingcheng G10 3.1.0.181203. This impacts the function qq of the file /cgi-bin/session_login.cgi. The manipulation of the argument User leads to os command injection. The attack is possible to be carried out remotely. The…

  • CVE-2025-58428 · Critical · Oct 23, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    The TLS4B ATG system's SOAP-based interface is vulnerable due to its accessibility through the web services handler. This vulnerability enables remote attackers with valid credentials to execute system-level commands on the underlying Linux system. This could allow the attacker…

  • CVE-2025-11148 · Critical · Sep 30, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    All versions of the package check-branches are vulnerable to Command Injection. check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches. However, the library follows these conventions which can be abused: 1.…

  • CVE-2025-57633 · Critical · Sep 9, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. The /ftp.html endpoint's "Upload File" action constructs a shell command from the ftp_file parameter and executes it using os.system()…

  • CVE-2025-24285 · Critical · Aug 21, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Multiple Improper Input Validation vulnerabilities in UniFi Connect EV Station Lite may allow a Command Injection by a malicious actor with network access to the UniFi Connect EV Station Lite. Affected Products: UniFi Connect EV Station Lite (Version 1.5.1 and earlier) …

  • CVE-2025-27212 · Critical · Aug 4, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An Improper Input Validation in certain UniFi Access devices could allow a Command Injection by a malicious actor with access to UniFi Access management network. Affected Products: UniFi Access Reader Pro (Version 2.14.21 and earlier) UniFi Access G2 Reader Pro…

  • CVE-2025-52688 · Critical · Jul 16, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.23

    Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the access point, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point.

  • CVE-2024-12442 · Critical · May 9, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    EnerSys AMPA versions 24.04 through 24.16, inclusive, are vulnerable to command injection leading to privileged remote shell access.

  • CVE-2024-11861 · Critical · May 9, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    EnerSys AMPA 22.09 and prior versions are vulnerable to command injection leading to privileged remote shell access.

  • CVE-2025-22630 · Critical · Feb 14, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Marketing Fire Widget Options widget-options allows OS Command Injection. This issue affects Widget Options: from n/a through <= 4.1.0.

  • CVE-2024-55414 · Critical · Jan 7, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A vulnerability exists in driver SmSerl64.sys in Motorola SM56 Modem WDM Driver v6.12.23.0, which allows low-privileged users to map physical memory via specially crafted IOCTL requests. This can be exploited for privilege escalation, code execution under high privileges,…