CWE-77: Command Injection (Improper Neutralization of Special Elements used in a Command)
CWE-77 covers any case where externally supplied input is used to build a command, whether a shell command line or the argument list of a spawned program, without neutralizing the characters that change the command's meaning; CWE-78 (OS command injection) is its most common specialization, and most of the entries below would also fit there.
3,752 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-77 (page 44 of 76)
- CVE-2024-28729 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-12
An issue in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to execute arbitrary code via a crafted request.
- CVE-2024-28739 | HIGH | CVSS 7.2 | EG 9.6 | 2024-08-06
An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter.
- CVE-2024-29269 | HIGH | CVSS 8.8 | EG 9.0 | 2024-04-10
An issue discovered in Telesquare TLR-2005Ksh 1.0.0 and 1.1.4 allows attackers to run arbitrary system commands via the Cmd parameter.
- CVE-2024-29292 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-11-20
Multiple OS Command Injection vulnerabilities affecting Kasda LinkSmart Router KW6512 <= v1.3 enable an authenticated remote attacker to execute arbitrary OS commands via various cgi parameters.
- CVE-2024-29366 | HIGH | CVSS 8.8 | EG 8.8 | 2024-03-22
A command injection vulnerability exists in the cgibin binary in DIR-845L router firmware <= v1.01KRb03.
- CVE-2024-29385 | CRITICAL | CVSS 9.0 | EG 9.0 | 2024-03-22
DIR-845L router <= v1.01KRb03 has an unauthenticated remote code execution vulnerability in the cgibin binary via the soapcgi_main function.
- CVE-2024-29404 | HIGH | CVSS 7.8 | EG 7.8 | 2024-12-03
An issue in Razer Synapse 3 v.3.9.131.20813 and Synapse 3 App v.20240213 allows a local attacker to execute arbitrary code via the export parameter of the Chroma Effects function in the Profiles component.
- CVE-2024-29435 | MEDIUM | CVSS 4.1 | EG 4.1 | 2024-04-01
An issue discovered in Alldata v0.4.6 allows an attacker to run arbitrary commands via the processId parameter.
- CVE-2024-2947 | HIGH | CVSS 7.3 | EG 7.3 | 2024-03-28
A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.
- CVE-2024-29737 | MEDIUM | CVSS 4.7 | EG 4.7 | 2024-07-17
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is th…
- CVE-2024-2982 | MEDIUM | CVSS 5.5 | EG 5.5 | 2024-03-27
A vulnerability has been found in Tenda FH1202 1.2.0.14(408) and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command …
- CVE-2024-29864 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-03-21
Distrobox before 1.7.0.1 allows attackers to execute arbitrary code via command injection into exported executables.
- CVE-2024-29895 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-05-14
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option …
- CVE-2024-2991 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-03-27
A vulnerability has been found in Tenda FH1203 2.0.1.6 and classified as critical. This vulnerability affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. Th…
- CVE-2024-29946 | HIGH | CVSS 8.1 | EG 8.1 | 2024-03-27
In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the Dashboard Examples Hub lacks protections for risky SPL commands. This could let attackers bypass SPL safeguards for risky commands in the Hub. The vulnerability would require…
- CVE-2024-29949 | HIGH | CVSS 7.2 | EG 7.2 | 2024-04-02
There is a command injection vulnerability in some Hikvision NVRs. This could allow an authenticated user with administrative rights to execute arbitrary commands.
- CVE-2024-3009 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-03-28
A vulnerability has been found in Tenda FH1205 2.0.0.7(775) and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command i…
- CVE-2024-30167 | MEDIUM | CVSS 6.3 | EG 6.3 | 2026-05-08
/cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allows remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter.
- CVE-2024-30213 | HIGH | CVSS 8.8 | EG 8.8 | 2024-07-12
StoneFly Storage Concentrator (SC and SCVM) before 8.0.4.26 allows remote authenticated users to achieve Command Injection via a Ping URL, leading to remote code execution.
- CVE-2024-30220 | HIGH | CVSS 8.8 | EG 8.8 | 2024-04-15
Command injection vulnerability in PLANEX COMMUNICATIONS wireless LAN routers allows a network-adjacent unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port. Note that MZK-MF300N…
- CVE-2024-30368 | HIGH | CVSS 8.8 | EG 7.2 | 2024-06-06
A10 Thunder ADC CsrRequestView Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of A10 Thunder ADC. Authentication is required to exploit …
- CVE-2024-30572 | HIGH | CVSS 8.0 | EG 8.0 | 2024-04-03
Netgear R6850 1.1.0.88 was discovered to contain a command injection vulnerability via the ntp_server parameter.
- CVE-2024-30637 | HIGH | CVSS 8.8 | EG 8.8 | 2024-03-29
Tenda F1202 v1.2.0.20(408) has a command injection vulnerability in the formWriteFacMac function via the mac parameter.
- CVE-2024-30891 | HIGH | CVSS 8.8 | EG 8.8 | 2024-04-05
A command injection vulnerability exists in /goform/exeCommand in Tenda AC18 v15.03.05.05, which allows attackers to construct cmdinput parameters for arbitrary command execution.
- CVE-2024-3116 | HIGH | CVSS 7.4 | EG 9.0 | 2024-04-04
pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting pgAdmin, posing a severe risk to the datab…
- CVE-2024-31485 | HIGH | CVSS 7.2 | EG 7.2 | 2024-05-14
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.30), SICORE Base system (All versions < V1.3.0). The web interface of affected devices is vulnerable to command injection due to missing serv…
- CVE-2024-3154 | HIGH | CVSS 7.2 | EG 7.2 | 2024-04-26
A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.
- CVE-2024-31811 | HIGH | CVSS 8.0 | EG 8.0 | 2024-04-08
TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the langType parameter in the setLanguageCfg function.
- CVE-2024-32022 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-04-16
Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is vulnerable to command injection in basic_caption_gui.py. This vulnerability is fixed in 23.1.5.
- CVE-2024-32025 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-04-16
Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is vulnerable to a command injection in `group_images_gui.py`. This vulnerability is fixed in 23.1.5.
- CVE-2024-32026 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-04-16
Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss is vulnerable to a command injection in `git_caption_gui.py`. This vulnerability is fixed in 23.1.5.
- CVE-2024-32027 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-04-16
Kohya_ss is a GUI for Kohya's Stable Diffusion trainers. Kohya_ss v22.6.1 is vulnerable to command injection in `finetune_gui.py`. This vulnerability is fixed in 23.1.5.
- CVE-2024-32281 | HIGH | CVSS 8.8 | EG 8.8 | 2024-04-17
Tenda AC7V1.0 v15.03.06.44 firmware contains a command injection vulnerability in the formexeCommand function via the cmdinput parameter.
- CVE-2024-32282 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-04-17
Tenda FH1202 v1.2.0.14(408) firmware contains a command injection vulnerability in the formexeCommand function via the cmdinput parameter.
- CVE-2024-32283 | HIGH | CVSS 7.3 | EG 7.3 | 2024-04-17
Tenda FH1203 V2.0.1.6 firmware has a command injection vulnerability in the formexeCommand function via the cmdinput parameter.
- CVE-2024-32292 | HIGH | CVSS 8.8 | EG 8.8 | 2024-04-17
Tenda W30E v1.0 V1.0.1.25(633) firmware contains a command injection vulnerability in the formexeCommand function via the cmdinput parameter.
- CVE-2024-32314 | LOW | CVSS 3.8 | EG 3.8 | 2024-04-17
Tenda AC500 V2.0.1.9(1307) firmware contains a command injection vulnerability in the formexeCommand function via the cmdinput parameter.
- CVE-2024-32349 | MEDIUM | CVSS 6.0 | EG 6.0 | 2024-05-14
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "mtu" parameter in the "cstecgi.cgi" binary.
- CVE-2024-32353 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-05-14
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'port' parameter in the setSSServer function at /cgi-bin/cstecgi.cgi.
- CVE-2024-32354 | MEDIUM | CVSS 6.0 | EG 6.0 | 2024-05-14
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'timeout' parameter in the setSSServer function at /cgi-bin/cstecgi.cgi.
- CVE-2024-32355 | HIGH | CVSS 8.0 | EG 8.0 | 2024-05-14
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'password' parameter in the setSSServer function.
- CVE-2024-3271 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-04-16
A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code genera…
- CVE-2024-3273 | HIGH | CVSS 7.3 | EG 9.0 | ⚠ KEV | 2024-04-04
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the com…
- CVE-2024-32766 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-04-26
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the …
- CVE-2024-32884 | MEDIUM | CVSS 6.4 | EG 6.4 | 2024-04-26
gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The p…
- CVE-2024-33112 | HIGH | CVSS 7.5 | EG 9.8 | 2024-05-06
D-Link DIR-845L router v1.01KRb03 and before is vulnerable to command injection via the hnap_main() function.
- CVE-2024-33113 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-05-06
D-Link DIR-845L <= v1.01KRb03 is vulnerable to information disclosure via bsc_sms_inbox.php.
- CVE-2024-33342 | HIGH | CVSS 7.5 | EG 7.5 | 2024-04-26
D-Link DIR-822+ V1.0.5 was found to contain a command injection in the SetPlcNetworkpwd function of prog.cgi, which allows remote attackers to execute arbitrary commands via shell.
- CVE-2024-33344 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-04-26
D-Link DIR-822+ V1.0.5 was found to contain a command injection in the ftext function of upload_firmware.cgi, which allows remote attackers to execute arbitrary commands via shell.
- CVE-2024-33439 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-11-20
An issue in Kasda LinkSmart Router KW5515 v1.7 and before allows an authenticated remote attacker to execute arbitrary OS commands via cgi parameters.
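Most entries on this page share one shape: a request parameter (a ping target, an NTP server, a MAC address, a `cmdinput` string) is spliced into a command string that a CGI handler hands to a shell, so `;`, `&&` or `|` in the value ends the intended command and starts the attacker's. A second shape, the gitoxide entry above, needs no shell at all: a URL component that begins with `-` is handed to `ssh`, which reads it as an option. The Python below is an added example written for this page, not code from any listed product or advisory; the `shell_view` helper, the hostname grammar, the `ssh://` parser and the sample payloads are constructed for illustration and nothing in it executes a command. It shows what a shell makes of an injected parameter, and the positive-validation, no-shell form that closes both holes.

```python
"""CWE-77 in the two shapes that recur on this page (added example).

1. Shell injection: a parameter is dropped into a command string that is
   handed to a shell, so ';', '&&', '|' end the intended command.
2. Argument injection: no shell, but a value beginning with '-' reaches a
   program that parses options (the ssh case), smuggling e.g. -oProxyCommand.

Nothing here executes a command; the sample hosts and payloads are
constructed input, not taken from any advisory.
"""
import ipaddress
import re
import shlex
from typing import Callable

# Shell control operators that terminate a simple command.
_CONTROL_OPERATORS = {";", "&&", "||", "|", "&"}

# DNS hostname: labels of [A-Za-z0-9-] with no leading/trailing '-', so a
# value such as '-oProxyCommand=...' or '1; id' can never match.
_HOST_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def shell_view(command_line: str) -> list[list[str]]:
    """Tokenize like a POSIX shell and split on control operators, returning
    the simple commands the shell would run. Shows what an injected
    parameter turns into without executing anything."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok in _CONTROL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def vulnerable_ping_command(host: str) -> str:
    """The pattern behind the ping/NTP/MAC entries above: the parameter is
    formatted into a string meant for system()/popen(). Deliberately unsafe."""
    return f"ping -c 1 {host}"


def validate_host(value: str) -> str:
    """Positive validation: accept an IP address or a DNS hostname and reject
    everything else (metacharacters, whitespace, a leading '-')."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if len(value) > 253 or not _HOST_RE.fullmatch(value):
        raise ValueError(f"refusing unsafe host value: {value!r}")
    return value


def hardened_ping_argv(host: str) -> list[str]:
    """No shell: the validated value is its own argv element for
    subprocess.run (no shell=True), after '--' so it cannot be an option."""
    return ["ping", "-c", "1", "--", validate_host(host)]


def ssh_argv_from_url(url: str) -> list[str]:
    """Build the argv a git-style transport would give ssh for an ssh:// URL.
    A user or host beginning with '-' would be read by ssh as an option, so
    such components are refused and '--' separates options from the
    destination. The remote path is quoted because the *remote* shell parses
    it. Bracketed IPv6 hosts are out of scope for this illustration."""
    m = re.fullmatch(r"ssh://(?:([^@/]+)@)?([^/:@]+)(?::(\d+))?/(.*)", url)
    if not m:
        raise ValueError(f"not an ssh:// URL: {url!r}")
    user, host, port, path = m.groups()
    for part in (user, host, path):
        if part and part.startswith("-"):
            raise ValueError(f"refusing option-like URL component: {part!r}")
    host = validate_host(host)
    destination = f"{user}@{host}" if user else host
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    return argv + ["--", destination, "git-upload-pack", shlex.quote("/" + path)]


def rejected(fn: Callable[[str], object], value: str) -> bool:
    """True if fn refuses value with ValueError (checks the guards above)."""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for payload in ("8.8.8.8", "8.8.8.8; id", "8.8.8.8 && cat /etc/passwd"):
        print(repr(payload), "->", shell_view(vulnerable_ping_command(payload)))
    print(hardened_ping_argv("example.com"))
    print(rejected(hardened_ping_argv, "8.8.8.8; id"))
    print(ssh_argv_from_url("ssh://git@example.com:2222/repo.git"))
    print(rejected(ssh_argv_from_url, "ssh://-oProxyCommand=id@example.com/repo.git"))
```

The two guards are deliberately redundant: `validate_host` rejects a leading `-` on its own, and `--` is kept anyway so that a future loosening of the grammar does not silently reopen the argument-injection path. Escaping the value for the shell (the usual first fix in firmware patches) is not shown because it is the weaker option; once the command is an argv list there is nothing for a shell to reinterpret.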
Map vulnerabilities like CWE-77 to your infrastructure
EchelonGraph correlates every CVE — across CWE-77 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.