VYPR

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-15 · CAPEC-43 · CAPEC-6 · CAPEC-88

CVEs mapped to this weakness (2,292)

page 11 of 115
  • CVE-2026-7154CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument tty_server can lead to os command injection. The attack…

  • CVE-2026-7153CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sys_info results in os command…

  • CVE-2026-7152CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument telnet_enabled leads to os command injection. It is possible…

  • CVE-2026-7140CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument HTTP leads to os command injection. The attack may be performed from…

  • CVE-2026-7139CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setWiFiAclRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument mode causes os command injection. The attack is possible to be carried…

  • CVE-2026-7138CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setNtpCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument tz results in os command injection. The attack can be executed…

  • CVE-2026-7137CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument sambaEnabled leads to os command injection. Remote…

  • CVE-2026-7136CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument wanIdx can lead to os command injection. The attack…

  • CVE-2026-7125CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge leads to os command injection. The attack may be…

  • CVE-2026-7124CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument addrPrefixLen can lead to os command…

  • CVE-2026-7123CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument setIptvCfg results in os command injection. The attack can be initiated…

  • CVE-2026-7122CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the attack…

  • CVE-2026-7121CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.02

    A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument wizard causes os command injection. It is possible to initiate the attack…

  • CVE-2026-7037CriApr 26, 2026
    risk 0.64cvss 9.8epss 0.02

    A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru results in os command injection. The attack can…

  • CVE-2026-41247CriApr 23, 2026
    risk 0.64cvss 9.8epss 0.02

    elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image…

  • CVE-2026-31181CriApr 23, 2026
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi.

  • CVE-2026-31178CriApr 23, 2026
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi.

  • CVE-2026-31177CriApr 23, 2026
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi.

  • CVE-2026-40933CriApr 21, 2026
    risk 0.64cvss 9.9epss 0.02

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command…

  • CVE-2026-6349CriApr 16, 2026
    risk 0.64cvss 9.8epss 0.02

    The  iSherlock developed by HGiga  has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.