CWE-77: Command Injection
3,748 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-77 (page 29 of 75)
- CVE-2022-40752 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-16
IBM InfoSphere DataStage 11.7 is vulnerable to a command injection vulnerability due to improper neutralization of special elements. IBM X-Force ID: 236687.
- CVE-2022-40765 | MEDIUM | CVSS 6.8 | EG 9.0 | ⚠ KEV | 2022-11-22
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker with internal network access to conduct a command-injection attack, due to insufficient restriction of…
- CVE-2022-40770 | HIGH | CVSS 7.2 | EG 7.2 | 2022-11-23
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.
- CVE-2022-40785 | HIGH | CVSS 8.8 | EG 8.8 | 2022-09-26
Unsanitized input when setting a locale file leads to shell injection in mIPC camera firmware 5.3.1.2003161406. This allows an attacker to gain remote code execution on cameras running the firmware when a victim logs into a specially craft…
- CVE-2022-40881 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-17
SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php.
- CVE-2022-41518 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-10-06
TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the UploadFirmwareFile function at /cgi-bin/cstecgi.cgi.
- CVE-2022-41617 | HIGH | CVSS 7.2 | EG 7.2 | 2022-10-19
In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, When the Advanced WAF / ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iC…
- CVE-2022-41800 | HIGH | CVSS 8.7 | EG 9.0 | 2022-12-07
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can …
- CVE-2022-41870 | HIGH | CVSS 7.2 | EG 9.8 | 2022-09-30
AP Manager in Innovaphone before 13r2 Service Release 17 allows command injection via a modified service ID during app upload.
- CVE-2022-41955 | HIGH | CVSS 8.8 | EG 8.8 | 2023-01-14
Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A remote code execution v…
- CVE-2022-42156 | HIGH | CVSS 8.8 | EG 8.8 | 2022-10-13
D-Link COVR 1200,1203 v1.08 was discovered to contain a command injection vulnerability via the tomography_ping_number parameter at function SetNetworkTomographySettings.
- CVE-2022-42160 | HIGH | CVSS 8.8 | EG 8.8 | 2022-10-13
D-Link COVR 1200,1202,1203 v1.08 was discovered to contain a command injection vulnerability via the system_time_timezone parameter at function SetNTPServerSettings.
- CVE-2022-42161 | HIGH | CVSS 8.8 | EG 8.8 | 2022-10-13
D-Link COVR 1200,1202,1203 v1.08 was discovered to contain a command injection vulnerability via the /SetTriggerWPS/PIN parameter at function SetTriggerWPS.
- CVE-2022-42187 | MEDIUM | CVSS 6.1 | EG 6.1 | 2022-11-17
Hustoj 22.09.22 has an XSS vulnerability in /admin/problem_judge.php.
- CVE-2022-42221 | HIGH | CVSS 8.8 | EG 8.8 | 2022-10-17
Netgear R6220 v1.1.0.114_1.0.1 suffers from Incorrect Access Control, resulting in a command injection vulnerability.
- CVE-2022-42897 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-10-13
Array Networks AG/vxAG with ArrayOS AG before 9.4.0.469 allows unauthenticated command injection that leads to privilege escalation and control of the system. NOTE: ArrayOS AG 10.x is unaffected.
- CVE-2022-42904 | HIGH | CVSS 7.2 | EG 7.2 | 2022-11-18
Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.
- CVE-2022-42906 | HIGH | CVSS 7.8 | EG 7.8 | 2022-10-13
powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerl…
- CVE-2022-42999 | HIGH | CVSS 7.5 | EG 7.5 | 2022-10-26
D-Link DIR-816 A2 1.10 B05 was discovered to contain multiple command injection vulnerabilities via the admuser and admpass parameters at /goform/setSysAdm.
- CVE-2022-43109 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-03
D-Link DIR-823G v1.0.2 was found to contain a command injection vulnerability in the function SetNetworkTomographySettings. This vulnerability allows attackers to execute arbitrary commands via a crafted packet.
- CVE-2022-43184 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-10-19
D-Link DIR878 1.30B08 Hotfix_04 was discovered to contain a command injection vulnerability via the component /bin/proc.cgi.
- CVE-2022-43367 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-10-27
IP-COM EW9 V15.11.0.14(9732) was discovered to contain a command injection vulnerability in the formSetDebugCfg function.
- CVE-2022-43536 | HIGH | CVSS 7.2 | EG 8.8 | 2023-01-05
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as …
- CVE-2022-43537 | HIGH | CVSS 7.2 | EG 7.2 | 2023-01-05
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as …
- CVE-2022-43538 | HIGH | CVSS 7.2 | EG 7.2 | 2023-01-05
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as …
- CVE-2022-43550 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-02-09
A command injection vulnerability exists in Jitsi before commit 8aa7be58522f4264078d54752aae5483bfd854b2 when launching browsers on Windows which could allow an attacker to insert an arbitrary URL which opens up the opportunity to remote e…
- CVE-2022-43623 | MEDIUM | CVSS 6.8 | EG 6.8 | 2023-03-29
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechan…
- CVE-2022-4364 | HIGH | CVSS 7.3 | EG 9.8 | 2022-12-08
A vulnerability has been found in Teledyne FLIR AX8 up to 1.46.16. Affected by this issue is some unknown functionality of the file palette.php of the component Web Service Handler. The manipulation of the argument palette leads to command…
- CVE-2022-43781 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-17
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerab…
- CVE-2022-44249 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-23
TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the UploadFirmwareFile function.
- CVE-2022-44250 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-23
TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the hostName parameter in the setOpModeCfg function.
- CVE-2022-44251 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-23
TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the ussd parameter in the setUssd function.
- CVE-2022-44252 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-23
TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the setUploadSetting function.
- CVE-2022-44621 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-30
The Diagnosis Controller lacks parameter validation, so a user may be subjected to command injection via an HTTP request.
- CVE-2022-44832 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-14
D-Link DIR-3040 device with firmware 120B03 was discovered to contain a command injection vulnerability via the SetTriggerLEDBlink function.
- CVE-2022-44844 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-25
TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the pass parameter in the setting/setOpenVpnCfg function.
- CVE-2022-44928 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-02
D-Link DVG-G5402SP GE_1.03 was discovered to contain a command injection vulnerability via the Maintenance function.
- CVE-2022-44930 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-02
D-Link DHP-W310AV 3.10EU was discovered to contain a command injection vulnerability via the System Checks function.
- CVE-2022-45005 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-13
IP-COM EW9 V15.11.0.14(9732) was discovered to contain a command injection vulnerability in the cmd_get_ping_output function.
- CVE-2022-45025 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-07
Markdown Preview Enhanced v0.6.5 and v0.19.6 for VSCode and Atom was discovered to contain a command injection vulnerability via the PDF file import function.
- CVE-2022-45043 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-12
Tenda AX12 V22.03.01.16_cn is vulnerable to command injection via goform/fast_setting_internet_set.
- CVE-2022-45063 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-10
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default confi…
- CVE-2022-45094 | HIGH | CVSS 8.4 | EG 8.8 | 2023-01-10
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 1). An authenticated remote attacker with access to the Web Based Management (443/tcp) of the affected product, could potentially inject commands into the dhc…
- CVE-2022-45095 | MEDIUM | CVSS 6.7 | EG 6.7 | 2023-02-01
Dell PowerScale OneFS, 8.2.x-9.4.x, contain a command injection vulnerability. An authenticated user having access to a local shell and having the privilege to gather logs from the cluster could potentially exploit this vulnerability, leading …
- CVE-2022-45104 | HIGH | CVSS 8.8 | EG 8.8 | 2023-02-11
Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 9.2.3.x contain a command execution vulnerability. A low privileged remote attacker could potentially exploit this vulnerability, leading to execute a…
- CVE-2022-45462 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-23
Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher.
- CVE-2022-45497 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-08
Tenda W6-S v1.0.0.4(510) was discovered to contain a command injection vulnerability in the tpi_get_ping_output function at /goform/exeCommand.
- CVE-2022-45506 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-08
Tenda W30E v1.0.1.25(633) was discovered to contain a command injection vulnerability via the fileNameMit parameter at /goform/delFileName.
- CVE-2022-45600 | HIGH | CVSS 8.8 | EG 8.8 | 2023-02-22
Aztech WMB250AC Mesh Routers Firmware Version 016 2020 devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges b…
- CVE-2022-45699 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-02-10
Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.