CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-15 · CAPEC-43 · CAPEC-6 · CAPEC-88
CVEs mapped to this weakness (2,292)
page 4 of 115| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-8389 | Cri | 0.68 | 9.8 | 0.50 | Dec 28, 2017 | cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware… | ||
| CVE-2017-16934 | Cri | 0.68 | 9.8 | 0.13 | Nov 24, 2017 | The web server on DBL DBLTek devices allows remote attackers to execute arbitrary OS commands by obtaining the admin password via a frame.html?content=/dev/mtdblock/5 request, and then using this password for the HTTP Basic Authentication needed for a change_password.csp… | ||
| CVE-2015-2279 | Cri | 0.68 | 9.8 | 0.18 | Jul 25, 2017 | cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with firmware 1.43, and MD-3025 with firmware 1.81 allows remote attackers to execute arbitrary OS commands via shell metacharacters after an "&" (ampersand) in the write_mac write_pid, write_msn, write_tan, or… | ||
| CVE-2017-7175 | Cri | 0.68 | 9.9 | 0.07 | Jul 10, 2017 | NfSen before 1.3.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the customfmt parameter (aka the "Custom output format" field). | ||
| CVE-2017-3506 | Hig | 0.68 | 7.4 | 0.96 | KEV | Apr 24, 2017 | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with… | |
| CVE-2017-8051 | Cri | 0.68 | 9.8 | 0.16 | Apr 21, 2017 | Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands. | ||
| CVE-2017-6182 | Cri | 0.68 | 9.8 | 0.17 | Mar 30, 2017 | In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304. | ||
| CVE-2026-42271 | Hig | 0.67 | 8.8 | 0.75 | KEV | May 8, 2026 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a… | |
| CVE-2026-28517 | Cri | 0.67 | 9.8 | 0.06 | Feb 27, 2026 | openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an… | ||
| CVE-2010-20059 | Cri | 0.67 | — | 0.01 | Aug 20, 2025 | FreeNAS 0.7.2 prior to revision 5543 includes an unauthenticated command‐execution backdoor in its web interface. The exec_raw.php script exposes a cmd parameter that is passed directly to the underlying shell without sanitation. | ||
| CVE-2013-10050 | Hig | 0.67 | 8.8 | 0.10 | Aug 1, 2025 | An OS command injection vulnerability exists in multiple D-Link routers (confirmed on DIR-300 rev A v1.05 and DIR-615 rev D v4.13) via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing… | ||
| CVE-2022-4978 | Cri | 0.67 | — | 0.02 | Jul 23, 2025 | Remote Control Server, maintained by Steppschuh, 3.1.1.12 allows unauthenticated remote code execution when authentication is disabled, which is the default configuration. The server exposes a custom UDP-based control protocol that accepts remote keyboard input events without… | ||
| CVE-2025-34099 | Cri | 0.67 | — | 0.01 | Jul 10, 2025 | An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic… | ||
| CVE-2018-11143 | Cri | 0.67 | 9.8 | 0.38 | Jun 2, 2018 | Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 1 of 46). | ||
| CVE-2018-1000006 | — | Hig | 0.67 | 8.8 | 0.85 | Jan 24, 2018 | GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution… | |
| CVE-2017-16666 | Hig | 0.67 | 8.8 | 0.80 | Jan 5, 2018 | Xplico before 1.2.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the name of an uploaded PCAP file. NOTE: this issue can be exploited without authentication by leveraging the user registration feature. | ||
| CVE-2017-8220 | Cri | 0.67 | 9.9 | 0.36 | Apr 25, 2017 | TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n allow remote code execution with a single HTTP request by placing shell commands in a "host=" line within HTTP POST data. | ||
| CVE-1999-0043 | Cri | 0.67 | 9.8 | 0.45 | Dec 4, 1996 | Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others. | ||
| CVE-2024-51092 | Cri | 0.66 | 9.1 | 0.07 | May 8, 2026 | LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory(). | ||
| CVE-2026-39808 | Cri | 0.66 | 9.8 | 0.49 | Apr 14, 2026 | A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via |
- risk 0.68cvss 9.8epss 0.50
cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware…
- risk 0.68cvss 9.8epss 0.13
The web server on DBL DBLTek devices allows remote attackers to execute arbitrary OS commands by obtaining the admin password via a frame.html?content=/dev/mtdblock/5 request, and then using this password for the HTTP Basic Authentication needed for a change_password.csp…
- risk 0.68cvss 9.8epss 0.18
cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with firmware 1.43, and MD-3025 with firmware 1.81 allows remote attackers to execute arbitrary OS commands via shell metacharacters after an "&" (ampersand) in the write_mac write_pid, write_msn, write_tan, or…
- risk 0.68cvss 9.9epss 0.07
NfSen before 1.3.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the customfmt parameter (aka the "Custom output format" field).
- risk 0.68cvss 7.4epss 0.96
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with…
- risk 0.68cvss 9.8epss 0.16
Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.
- risk 0.68cvss 9.8epss 0.17
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304.
- risk 0.67cvss 8.8epss 0.75
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a…
- risk 0.67cvss 9.8epss 0.06
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an…
- risk 0.67cvss —epss 0.01
FreeNAS 0.7.2 prior to revision 5543 includes an unauthenticated command‐execution backdoor in its web interface. The exec_raw.php script exposes a cmd parameter that is passed directly to the underlying shell without sanitation.
- risk 0.67cvss 8.8epss 0.10
An OS command injection vulnerability exists in multiple D-Link routers (confirmed on DIR-300 rev A v1.05 and DIR-615 rev D v4.13) via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing…
- risk 0.67cvss —epss 0.02
Remote Control Server, maintained by Steppschuh, 3.1.1.12 allows unauthenticated remote code execution when authentication is disabled, which is the default configuration. The server exposes a custom UDP-based control protocol that accepts remote keyboard input events without…
- risk 0.67cvss —epss 0.01
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic…
- risk 0.67cvss 9.8epss 0.38
Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 1 of 46).
- risk 0.67cvss 8.8epss 0.85
GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution…
- risk 0.67cvss 8.8epss 0.80
Xplico before 1.2.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the name of an uploaded PCAP file. NOTE: this issue can be exploited without authentication by leveraging the user registration feature.
- risk 0.67cvss 9.9epss 0.36
TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n allow remote code execution with a single HTTP request by placing shell commands in a "host=" line within HTTP POST data.
- risk 0.67cvss 9.8epss 0.45
Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.
- risk 0.66cvss 9.1epss 0.07
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().
- risk 0.66cvss 9.8epss 0.49
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via