CWE-77 — Command Injection
3,740 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-77 (page 10 of 75)
- CVE-2020-28436 | HIGH | CVSS 7.3 | EG 9.8 | 2022-07-25
This affects all versions of package google-cloudstorage-commands.
- CVE-2020-28437 | CRITICAL | CVSS 9.4 | EG 9.8 | 2022-08-02
This affects all versions of package heroku-env. The injection point is located in lib/get.js which is required by index.js.
- CVE-2020-28438 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-25
This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js.
- CVE-2020-28443 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-25
This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js.
- CVE-2020-28445 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-25
This affects all versions of package npm-help. The injection point is located in line 13 in index.js file in export.latestVersion() function.
- CVE-2020-28446 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-25
The package ntesseract before 0.2.9 is vulnerable to Command Injection via lib/tesseract.js.
- CVE-2020-28447 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-25
This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath).
- CVE-2020-28451 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-02
This affects the package image-tiler before 2.0.2.
- CVE-2020-28453 | CRITICAL | CVSS 9.4 | EG 9.8 | 2022-08-02
This affects all versions of package npos-tesseract. The injection point is located in line 55 in lib/ocr.js.
- CVE-2020-28901 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-24
Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation or Code Execution as root via vectors related to corrupt component installation in cmd_subsys.php.
- CVE-2020-28902 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-24
Command Injection in Nagios Fusion 4.1.8 and earlier allows Privilege Escalation from apache to root in cmd_subsys.php.
- CVE-2020-28908 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-24
Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to nagios.
- CVE-2020-29056 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-11-24
An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD…
- CVE-2020-29299 | HIGH | CVSS 7.2 | EG 7.2 | 2020-12-27
Certain Zyxel products allow command injection by an admin via an input string to chg_exp_pwd during a password-change action. This affects VPN On-premise before ZLD V4.39 week38, VPN Orchestrator before SD-OS V10.03 week32, USG before ZLD…
- CVE-2020-29311 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-12-10
Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software.
- CVE-2020-29381 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configu…
- CVE-2020-29547 | MEDIUM | CVSS 5.9 | EG 5.9 | 2023-05-29
An issue was discovered in Citadel through webcit-926. Meddler-in-the-middle attackers can pipeline commands after POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS commands, injecting cleartext commands into an encrypted user session. This can l…
- CVE-2020-29548 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-17
An issue was discovered in SmarterTools SmarterMail through 100.0.7537. Meddler-in-the-middle attackers can pipeline commands after a POP3 STLS command, injecting plaintext commands into an encrypted user session.
- CVE-2020-29664 | HIGH | CVSS 7.8 | EG 7.8 | 2021-02-18
A command injection issue in dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet.
- CVE-2020-3176 | MEDIUM | CVSS 6.7 | EG 6.7 | 2020-03-04
A vulnerability in Cisco Remote PHY Device Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability exists because the affected so…
- CVE-2020-3207 | MEDIUM | CVSS 6.7 | EG 6.7 | 2020-06-03
A vulnerability in the processing of boot options of specific Cisco IOS XE Software switches could allow an authenticated, local attacker with root shell access to the underlying operating system (OS) to conduct a command injection attack …
- CVE-2020-3210 | MEDIUM | CVSS 6.7 | EG 6.7 | 2020-06-03
A vulnerability in the CLI parsers of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an authenticated, local attacker to …
- CVE-2020-3211 | HIGH | CVSS 7.2 | EG 7.2 | 2020-06-03
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected device. The vulnerability is due to i…
- CVE-2020-3212 | HIGH | CVSS 7.2 | EG 7.2 | 2020-06-03
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected device. The vulnerability is due to i…
- CVE-2020-3219 | HIGH | CVSS 8.8 | EG 8.8 | 2020-06-03
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. The vuln…
- CVE-2020-3224 | HIGH | CVSS 8.8 | EG 8.8 | 2020-06-03
A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to inject IOS commands to an affected device. The injected commands should require a …
- CVE-2020-3266 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-19
A vulnerability in the CLI of Cisco SD-WAN Solution software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An at…
- CVE-2020-3274 | HIGH | CVSS 7.2 | EG 7.2 | 2020-06-18
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers could allow an authenticated, remote attacker with administrativ…
- CVE-2020-3275 | HIGH | CVSS 7.2 | EG 7.2 | 2020-06-18
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers could allow an authenticated, remote attacker with administrativ…
- CVE-2020-3276 | HIGH | CVSS 7.2 | EG 7.2 | 2020-06-18
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers could allow an authenticated, remote attacker with administrativ…
- CVE-2020-3277 | HIGH | CVSS 7.2 | EG 7.2 | 2020-06-18
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers could allow an authenticated, remote attacker with administrativ…
- CVE-2020-3278 | HIGH | CVSS 7.2 | EG 7.2 | 2020-06-18
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers could allow an authenticated, remote attacker with administrativ…
- CVE-2020-3279 | HIGH | CVSS 7.2 | EG 7.2 | 2020-06-18
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers could allow an authenticated, remote attacker with administrativ…
- CVE-2020-35308 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-03-31
CONQUEST DICOM SERVER before 1.5.0 has a code execution vulnerability which can be exploited by attackers to execute malicious code.
- CVE-2020-35606 | HIGH | CVSS 8.8 | EG 8.8 | 2020-12-21
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an …
- CVE-2020-35714 | HIGH | CVSS 8.8 | EG 8.8 | 2020-12-26
Belkin LINKSYS RE6500 devices before 1.0.11.001 allow remote authenticated users to execute arbitrary commands via goform/systemCommand?command= in conjunction with the goform/pingstart program.
- CVE-2020-35755 | HIGH | CVSS 7.5 | EG 7.5 | 2021-05-03
An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. There is a luci_service Read_ NVRAM Direct Access Information Leak. The luci_service daemon running on port 7777 provides a sub-category of commands for which Read_ is prep…
- CVE-2020-35777 | HIGH | CVSS 8.4 | EG 8.4 | 2020-12-30
NETGEAR DGN2200v1 devices before v1.0.0.58 are affected by command injection.
- CVE-2020-35789 | HIGH | CVSS 8.8 | EG 8.8 | 2020-12-30
NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an authenticated user.
- CVE-2020-35790 | MEDIUM | CVSS 6.4 | EG 6.4 | 2020-12-30
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.56, R7800 before 1.0.2.68, R8900 before 1.0.4.26, and R9000 before 1.0.4.26.
- CVE-2020-35791 | MEDIUM | CVSS 6.4 | EG 6.4 | 2020-12-30
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7800 before 1.0.2.68, R8900 before 1.0.5.2, and R9000 before 1.0.5.2.
- CVE-2020-35792 | HIGH | CVSS 8.3 | EG 8.3 | 2020-12-30
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7500v2 before 1.0.3.48, R8900 before 1.0.5.2, R9000 before 1.0.5.2, and R7800 before 1.0.2.68.
- CVE-2020-35793 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-12-30
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.58, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.5.2, and R9000 before 1.0.5.2.
- CVE-2020-35794 | HIGH | CVSS 8.4 | EG 8.4 | 2020-12-30
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects RBS40V before 2.6.1.4, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBR850 before 3.2.1…
- CVE-2020-35797 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-12-30
NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an unauthenticated attacker.
- CVE-2020-35798 | CRITICAL | CVSS 9.3 | EG 9.3 | 2020-12-30
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects R6400v2 before 1.0.4.84, R6700v3 before 1.0.4.84, R6900P before 1.3.2.124, R7000 before 1.0.11.100, R7000P before 1.3.2.124, R7800 befor…
- CVE-2020-36198 | MEDIUM | CVSS 6.7 | EG 6.7 | 2021-05-13
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remove…
- CVE-2020-36376 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-10-31
An issue was discovered in the list function in shenzhim aaptjs 1.3.1 that allows attackers to execute arbitrary code via the filePath parameters.
- CVE-2020-36377 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-10-31
An issue was discovered in the dump function in shenzhim aaptjs 1.3.1 that allows attackers to execute arbitrary code via the filePath parameters.
- CVE-2020-36378 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-10-31
An issue was discovered in the packageCmd function in shenzhim aaptjs 1.3.1 that allows attackers to execute arbitrary code via the filePath parameters.