VYPR

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
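A worked example of the pattern the description names, added here as an illustration and not taken from the CWE entry or from any product listed below: a ping helper that builds its command by string concatenation (the vulnerable form), beside a hardened version that validates the host against an allow-list and hands it to the process as a separate argv element so no shell ever parses it. The function names, the regex, and the sample attacker input are assumptions made for this example.

```python
import ipaddress
import re
import shlex
import subprocess
from typing import List

# All helper names below are hypothetical, chosen for this example only.

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"                        # total length bound
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"         # first label: no leading/trailing '-'
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"   # further dot-separated labels
)


def build_ping_vulnerable(host: str) -> str:
    """CWE-78 pattern: the externally influenced value is spliced into a
    command string that would then be handed to a shell (system(), popen(),
    subprocess with shell=True). Nothing neutralizes ';', '|', '$(...)', etc."""
    return f"ping -c 1 {host}"


def is_safe_host(host: str) -> bool:
    """Allow-list check: an IP literal or an RFC 1123 hostname, nothing else.
    Shell metacharacters (; | & $ ` ( ) < > quotes, whitespace) and a leading
    '-' (option injection into ping itself) all fail this check."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(host) is not None


def build_ping_argv(host: str) -> List[str]:
    """Hardened form: validate first, then pass the value as one argv element.
    With shell=False the kernel receives the argv as-is, so metacharacters in
    the value are just bytes of an argument, never command syntax."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def build_ping_quoted(host: str) -> str:
    """If a shell string is unavoidable (e.g. a command line sent over ssh),
    quote every value with shlex.quote. Quoting is a fallback on top of
    validation and argv passing, not a substitute for them."""
    return "ping -c 1 " + shlex.quote(host)


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form. Raises ValueError before anything runs if
    the host fails the allow-list."""
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    payload = "8.8.8.8; id"                # constructed attacker-controlled input
    print(build_ping_vulnerable(payload))  # shell would run ping, then 'id'
    print(build_ping_quoted(payload))      # the whole value becomes one word
    for h in ["8.8.8.8", "example.com", "2001:db8::1", payload, "$(id)", "-f"]:
        print(f"{h!r:20} safe={is_safe_host(h)}")
```

The allow-list is deliberately narrower than "strip the characters I know about": rejecting a leading '-' also closes option injection (for example a host of `-f` turning into a ping flag), which escaping shell metacharacters alone would not catch.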

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-15 · CAPEC-43 · CAPEC-6 · CAPEC-88

CVEs mapped to this weakness (2,292)

page 17 of 115
  • CVE-2025-0680 · Critical · Jan 30, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbitrary devices connected to the cloud.

  • CVE-2025-20061 · Critical · Jan 29, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system.

  • CVE-2025-20014 · Critical · Jan 29, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    mySCADA myPRO does not properly neutralize POST requests sent to a specific port with version information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system.

  • CVE-2024-57595 · Critical · Jan 27, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    DLINK DIR-825 REVB 2.03 devices have an OS command injection vulnerability in the CGI interface apc_client_pin.cgi, which allows remote attackers to execute arbitrary commands via the parameter "wps_pin" passed to the apc_client_pin.cgi binary through a POST request.

  • CVE-2025-20055 · Critical · Jan 14, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    OS command injection vulnerability exists in network storage servers STEALTHONE D220/D340 provided by Y'S corporation. An attacker who can access the affected product may execute an arbitrary OS command.

  • CVE-2024-9140 · Critical · Jan 3, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Moxa’s cellular routers, secure routers, and network security appliances are affected by a critical vulnerability, CVE-2024-9140. This vulnerability allows OS command injection due to improperly restricted commands, potentially enabling attackers to execute arbitrary code.…

  • CVE-2024-47919 · Critical · Dec 30, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Tiki Wiki CMS – CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CVE-2024-52320 · Critical · Dec 6, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.

  • CVE-2020-8007 · Critical · Nov 8, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The pwrstudio web application of EV Charger (in the server in Circontrol Raption through 5.6.2) is vulnerable to OS command injection via three fields of the configuration menu for ntpserver0, ntpserver1, and pingip.

  • CVE-2024-10035 · Critical · Nov 4, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security…

  • CVE-2024-10118 · Critical · Oct 18, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SECOM WRTR-304GN-304TW-UPSC does not properly filter user input in the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.

  • CVE-2024-45252 · Critical · Oct 6, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Elsight – CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CVE-2024-45251 · Critical · Oct 6, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Elsight – CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CVE-2024-45798 · Critical · Sep 17, 2024
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow…

  • CVE-2024-42757 · Critical · Aug 15, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Command injection vulnerability in Asus RT-N15U 3.0.0.4.376_3754 allows a remote attacker to execute arbitrary code via the netstat function page.

  • CVE-2024-6917 · Critical · Aug 12, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Veribilim Software Veribase Order Management allows OS Command Injection. This issue affects Veribase Order Management: before v4.010.2.

  • CVE-2024-6048 · Critical · Jun 17, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Openfind's MailGates and MailAudit fail to properly filter user input when analyzing email attachments. An unauthenticated remote attacker can exploit this vulnerability to inject system commands and execute them on the remote server.

  • CVE-2024-36360 · Critical · Jun 11, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    OS command injection vulnerability exists in awkblog v0.0.1 (commit hash:7b761b192d0e0dc3eef0f30630e00ece01c8d552) and earlier. If a remote unauthenticated attacker sends a specially crafted HTTP request, an arbitrary OS command may be executed with the privileges of the…

  • CVE-2024-32850 · Critical · May 31, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper neutralization of special elements used in a command ('Command Injection') exists in SkyBridge MB-A100/MB-A110 firmware Ver. 4.2.2 and earlier and SkyBridge BASIC MB-A130 firmware Ver. 1.5.5 and earlier. If the remote monitoring and control function is enabled on the…

  • CVE-2024-31705 · Critical · Apr 29, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input.