VYPR

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-15 · CAPEC-43 · CAPEC-6 · CAPEC-88

CVEs mapped to this weakness (2,292)

page 14 of 115
  • CVE-2026-30303 · Critical · Mar 27, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze…

  • CVE-2026-4622 · Critical · Mar 27, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to execute arbitrary OS commands via network.

  • CVE-2026-4620 · Critical · Mar 27, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to execute arbitrary OS commands via network.

  • CVE-2026-27650 · Critical · Mar 27, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is exploited, an arbitrary OS command may be executed on the products.

  • CVE-2026-26213 · Critical · Mar 26, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.06

    thingino-firmware versions up to the firmware-2026-03-16 release contain an unauthenticated OS command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through…

  • CVE-2026-26832 · Critical · Mar 25, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed…

  • CVE-2026-26830 · Critical · Mar 25, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are…

  • CVE-2026-4585 · Critical · Mar 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    A vulnerability has been found in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/ImportSystemConfiguration.jsp of the component Configuration Handler. The manipulation of the argument File…

  • CVE-2026-32191 · Critical · Mar 19, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.

  • CVE-2026-4170 · Critical · Mar 16, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A weakness has been identified in Topsec TopACM 3.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/management/nmc_sync.php of the component HTTP Request Handler. Executing a manipulation of the argument template_path can lead to os…

  • CVE-2026-27849 · Critical · Feb 25, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

  • CVE-2026-27848 · Critical · Feb 25, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as the root user. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

  • CVE-2026-27476 · Critical · Feb 19, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary…

  • CVE-2026-2686 · Critical · Feb 19, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A security vulnerability has been detected in SECCN Dingcheng G10 3.1.0.181203. This impacts the function qq of the file /cgi-bin/session_login.cgi. The manipulation of the argument User leads to os command injection. The attack is possible to be carried out remotely. The…

  • CVE-2020-37027 · Critical · Jan 30, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Sickbeard alpha contains a remote command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands through the extra scripts configuration. Attackers can set malicious commands in the extra scripts field and trigger processing to execute remote…

  • CVE-2020-37012 · Critical · Jan 29, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the…

  • CVE-2020-37002 · Critical · Jan 29, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Ajenti 2.1.36 contains a post-authenticated remote command execution vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a…

  • CVE-2026-0759 · Critical · Jan 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Katana Network Development Starter Kit executeCommand Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Katana Network Development Starter Kit. Authentication is not required…

  • CVE-2026-0756 · Critical · Jan 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    github-kanban-mcp-server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of github-kanban-mcp-server. Authentication is not required to exploit this vulnerability. …

  • CVE-2026-0755 · Critical · Jan 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of gemini-mcp-tool. Authentication is not required to exploit this vulnerability. The specific flaw…