CWE-78: OS Command Injection
5,525 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-78 (page 23 of 111)
- CVE-2019-8313 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-13
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to exe…
- CVE-2019-8314 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-13
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to exe…
- CVE-2019-8315 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-13
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to exe…
- CVE-2019-8316 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-13
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to exe…
- CVE-2019-8317 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-13
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to exe…
- CVE-2019-8318 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-13
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to exe…
- CVE-2019-8319 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-13
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to exe…
- CVE-2019-8427 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-02-18
daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.
- CVE-2019-8513 | HIGH | CVSS 7.8 | EG 7.8 | 2019-12-18
This issue was addressed with improved checks. This issue is fixed in macOS Mojave 10.14.4. A local user may be able to execute arbitrary shell commands.
- CVE-2019-9117 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-03-07
An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability…
- CVE-2019-9118 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-03-07
An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability…
- CVE-2019-9119 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-03-07
An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability…
- CVE-2019-9120 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-03-07
An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability…
- CVE-2019-9121 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-03-07
An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability…
- CVE-2019-9156 | HIGH | CVSS 8.0 | EG 8.0 | 2019-06-05
Gemalto DS3 Authentication Server 2.6.1-SP01 allows OS Command Injection.
- CVE-2019-9161 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-04-18
WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header…
- CVE-2019-9193 | HIGH | CVSS 7.2 | EG 9.0 | 2019-04-01
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality i…
- CVE-2019-9194 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-02-26
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.
- CVE-2019-9197 | HIGH | CVSS 8.8 | EG 8.8 | 2019-12-31
The com.unity3d.kharma protocol handler in Unity Editor 2018.3 allows remote attackers to execute arbitrary code.
- CVE-2019-9467 | MEDIUM | CVSS 6.7 | EG 6.7 | 2019-11-13
In the Bootloader, there is a possible kernel command injection due to missing command sanitization. This could lead to a local elevation of privilege with System execution privileges needed. User interaction is not needed for exploitation…
- CVE-2019-9653 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-05-31
NUUO Network Video Recorder Firmware 1.7.x through 3.3.x allows unauthenticated attackers to execute arbitrary commands via shell metacharacters to handle_load_config.php.
- CVE-2019-9785 | HIGH | CVSS 7.8 | EG 7.8 | 2019-03-14
gitnote 3.1.0 allows remote attackers to execute arbitrary code via a crafted Markdown file, as demonstrated by a javascript:window.parent.top.require('child_process').execFile substring in the onerror attribute of an IMG element.
- CVE-2019-9804 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-04-26
In Firefox Developer Tools it is possible that pasting the result of the 'Copy as cURL' command into a command shell on macOS will cause the execution of unintended additional bash script commands if the URL was maliciously crafted. This i…
- CVE-2019-9859 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-10
Vesta Control Panel (VestaCP) 0.9.7 through 0.9.8-23 is vulnerable to an authenticated command execution that can result in remote root access on the server. The platform works with PHP as the frontend language and uses shell scripts to ex…
- CVE-2020-0646 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2020-01-14
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka '.NET Framework Remote Code Execution Injection Vulnerability'.
- CVE-2020-10173 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-05
Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Multiple Authenticated Command Injection vulnerabilities via the ping and traceroute diagnostic pages, as demonstrated by shell metacharacters in the pingIpAddress parameter…
- CVE-2020-10176 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-05-07
ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow Eval Injection of commands.
- CVE-2020-10208 | CRITICAL | CVSS 9.9 | EG 9.9 | 2020-12-30
Command Injection in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows authenticated remote attackers to execute arbitrary commands with root user privile…
- CVE-2020-10209 | HIGH | CVSS 8.1 | EG 8.1 | 2020-12-30
Command Injection in the CPE WAN Management Protocol (CWMP) registration in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows man-in-the-middle attackers to execute arbitrar…
- CVE-2020-10213 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-07
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the wps_sta_enrollee_pin parameter in a set_sta_enrollee_pin.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also…
- CVE-2020-10215 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-07
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the dns_query_name parameter in a dns_query.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected.
- CVE-2020-10216 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-07
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the date parameter in a system_time.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected.
- CVE-2020-10221 | HIGH | CVSS 8.8 | EG 9.0 | ⚠ KEV | 2020-03-08
lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter.
- CVE-2020-10235 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-09
An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExi…
- CVE-2020-10250 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-09
BWA DiREX-Pro 1.2181 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the PKG parameter to uninstall.php3.
- CVE-2020-10390 | HIGH | CVSS 7.2 | EG 7.2 | 2020-03-12
OS Command Injection in export.php (vulnerable function called from include/functions-article.php) in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by saving the code to be executed as the wkhtmlt…
- CVE-2020-10511 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-04-15
HGiga C&Cmail CCMAILQ before olln-base-6.0-418.i386.rpm and CCMAILN before olln-base-5.0-418.i386.rpm contains insecure configurations. Attackers can exploit these flaws to access unauthorized functionality via a crafted URL.
- CVE-2020-10583 | HIGH | CVSS 8.8 | EG 8.8 | 2021-03-25
The /admin/admapi.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote authenticated attackers to execute arbitrary OS commands on the server as the user running the application.
- CVE-2020-10603 | HIGH | CVSS 8.8 | EG 8.8 | 2020-04-09
WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize user input and may allow an attacker to inject system commands remotely.
- CVE-2020-10674 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-18
PerlSpeak through 2.01 allows attackers to execute arbitrary OS commands, as demonstrated by use of system and 2-argument open.
- CVE-2020-10789 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-25
openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell metacharacters that are mishandled on an su command line in app/Lib/SudoMessageInterface.php.
- CVE-2020-10795 | HIGH | CVSS 7.2 | EG 7.2 | 2020-05-07
Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to authenticated remote code execution via the backup functionality of the web frontend. This can be combined with CVE-2020-10794 for remote root access.
- CVE-2020-10808 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-22
Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .…
- CVE-2020-10818 | HIGH | CVSS 7.2 | EG 7.2 | 2020-03-22
Artica Proxy 4.26 allows remote command execution for an authenticated user via shell metacharacters in the "Modify the hostname" field.
- CVE-2020-10826 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-26
/cgi-bin/activate.cgi on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve command injection via a remote HTTP request in DEBUG mode.
- CVE-2020-10879 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-23
rConfig before 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped.
- CVE-2020-10882 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-25
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific f…
- CVE-2020-10886 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-25
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists…
- CVE-2020-10987 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2020-07-13
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
- CVE-2020-11016 | CRITICAL | CVSS 9.1 | EG 9.1 | 2020-04-30
IntelMQ Manager from version 1.1.0 and before version 2.1.1 has a vulnerability where the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with a…