CWE-77: Command Injection
3,750 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-77 (page 39 of 75)
- CVE-2023-45351 | HIGH | CVSS 8.8 | EG 8.8 | 2023-10-09
  Atos Unify OpenScape 4000 Assistant V10 R1 before V10 R1.42.1, 4000 Assistant V10 R0, 4000 Manager V10 R1 before V10 R1.42.1, and 4000 Manager V10 R0 allow Authenticated Command Injection via AShbr. This is also known as OSFOURK-24039.
- CVE-2023-45355 | HIGH | CVSS 8.8 | EG 8.8 | 2023-10-09
  Atos Unify OpenScape 4000 Platform V10 R1 before Hotfix V10 R1.42.2 and 4000 and Manager Platform V10 R1 before Hotfix V10 R1.42.2 allow command injection by an authenticated attacker into the platform operating system, leading to administ…
- CVE-2023-45356 | HIGH | CVSS 8.8 | EG 8.8 | 2023-10-09
  Atos Unify OpenScape 4000 Platform V10 R1 before Hotfix V10 R1.42.2 and 4000 and Manager Platform V10 R1 before Hotfix V10 R1.42.2 allow command injection by an authenticated attacker into the platform operating system, leading to administrati…
- CVE-2023-45465 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-13
  Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the ddnsDomainName parameter in the Dynamic DNS settings.
- CVE-2023-45466 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-13
  Netis N3Mv2-V1.0.1.865 was discovered to contain a command injection vulnerability via the pin_host parameter in the WPS Settings.
- CVE-2023-45498 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-27
  VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain a command injection vulnerability.
- CVE-2023-45625 | HIGH | CVSS 7.2 | EG 7.2 | 2023-11-14
  Multiple authenticated command injection vulnerabilities exist in the command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2023-45852 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-14
  In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.
- CVE-2023-46370 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  Tenda W18E V16.01.0.8(1576) has a command injection vulnerability via the hostName parameter in the formSetNetCheckTools function.
- CVE-2023-46408 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a command execution vulnerability via the sub_41DD80 function.
- CVE-2023-46409 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a command execution vulnerability via the sub_41CC04 function.
- CVE-2023-46410 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a command execution vulnerability via the sub_416F60 function.
- CVE-2023-46411 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a command execution vulnerability via the sub_415258 function.
- CVE-2023-46412 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a command execution vulnerability via the sub_41D998 function.
- CVE-2023-46413 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a command execution vulnerability via the sub_4155DC function.
- CVE-2023-46414 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_41D494 function.
- CVE-2023-46415 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_41E588 function.
- CVE-2023-46416 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_41A414 function.
- CVE-2023-46417 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_415498 function.
- CVE-2023-46418 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_412688 function.
- CVE-2023-46419 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_415730 function.
- CVE-2023-46420 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_41590C function.
- CVE-2023-46421 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_411D00 function.
- CVE-2023-46422 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_411994 function.
- CVE-2023-46423 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_417094 function.
- CVE-2023-46424 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  TOTOLINK X6000R v9.4.0cu.652_B20230116 was discovered to contain a remote command execution (RCE) vulnerability via the sub_422BD4 function.
- CVE-2023-46484 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-31
  An issue in TOTOLINK X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setLedCfg function.
- CVE-2023-46485 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-31
  An issue in TOTOLINK X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setTracerouteCfg function of the stecgi.cgi component.
- CVE-2023-46574 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-25
  An issue in TOTOLINK A3700R v.9.1.2u.6165_20211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function.
- CVE-2023-46687 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-02-09
  In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer.
- CVE-2023-46976 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-31
  TOTOLINK A3300R 17.0.0cu.557_B20221024 contains a command injection via the file_name parameter in the UploadFirmwareFile function.
- CVE-2023-46979 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-31
  TOTOLINK X6000R V9.4.0cu.852_B20230719 was discovered to contain a command injection vulnerability via the enable parameter in the setLedCfg function.
- CVE-2023-46993 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-31
  In TOTOLINK A3300R V17.0.0cu.557_B20221024, when handling a setLedCfg request, the enable parameter is not validated, which can lead to command injection.
- CVE-2023-47104 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-30
  tinyfiledialogs (aka tiny file dialogs) before 3.15.0 allows shell metacharacters (such as a backquote or a dollar sign) in titles, messages, and other input data. NOTE: this issue exists because of an incomplete fix for CVE-2020-36767, wh…
- CVE-2023-47218 | MEDIUM | CVSS 5.8 | EG 9.0 | 2024-02-13
  An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the …
- CVE-2023-47253 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-11-06
  Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter.
- CVE-2023-47268 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-05-08
  In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported.
- CVE-2023-47356 | HIGH | CVSS 8.8 | EG 8.8 | 2025-07-17
  Mingyu Security Gateway before v3.0-5.3p was discovered to contain a remote command execution (RCE) vulnerability via the log_type parameter at /log/fw_security.mds.
- CVE-2023-47560 | HIGH | CVSS 7.4 | EG 7.4 | 2024-01-05
  An OS command injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version…
- CVE-2023-47562 | HIGH | CVSS 7.4 | EG 7.4 | 2024-02-02
  An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following v…
- CVE-2023-47563 | HIGH | CVSS 7.4 | EG 7.4 | 2024-09-06
  An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following v…
- CVE-2023-47576 | HIGH | CVSS 8.8 | EG 8.8 | 2023-12-13
  An issue was discovered in Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices, allowing authenticated command injection through the web interface.
- CVE-2023-4797 | HIGH | CVSS 7.2 | EG 7.2 | 2024-01-16
  The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server.
- CVE-2023-48702 | HIGH | CVSS 7.2 | EG 7.2 | 2023-12-13
  Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can…
- CVE-2023-48791 | HIGH | CVSS 8.8 | EG 8.8 | 2023-12-13
  An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to e…
- CVE-2023-48801 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-12-01
  In TOTOLINK X6000R_Firmware V9.4.0cu.852_B20230719, the sub_415534 function in the shttpd binary obtains fields from the front end, concatenates them with the snprintf function, and passes the result to the CsteSystem function, resulting in a command exec…
- CVE-2023-48842 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-12-01
  D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi.
- CVE-2023-49040 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-11-27
  An issue in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the adslPwd parameter in the form_fast_setting_internet_set function.
- CVE-2023-49133 | HIGH | CVSS 8.1 | EG 8.1 | 2024-04-09
  A command execution vulnerability exists in the tddpd enable_test_mode functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926 and Tp-Link N300 Wireless Access Point (EAP115 V4) v5.0.4 Build …
- CVE-2023-49134 | HIGH | CVSS 8.1 | EG 8.1 | 2024-04-09
  A command execution vulnerability exists in the tddpd enable_test_mode functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926 and Tp-Link N300 Wireless Access Point (EAP115 V4) v5.0.4 Build …