CWE-78 — OS Command Injection
5,541 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-78 (page 44 of 111)
- CVE-2021-45987 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-04
Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetNetCheckTools. This vulnerability allows attackers to execute arbitrary commands via the hostName parameter.
- CVE-2021-46007 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-30
totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks.
- CVE-2021-46314 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-17
A Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetNetworkTomographySettings.php of D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin because backticks can be used for command injection w…
- CVE-2021-46315 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-17
Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetWizardConfig.php in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin. Malicious users can use this vulnerability to use "\ " or backticks…
- CVE-2021-46319 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-17
Remote Code Execution (RCE) vulnerability exists in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin. Malicious users can use this vulnerability to use "\ " or backticks to bypass the shell metacharacters in t…
- CVE-2021-46422 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-04-27
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
- CVE-2021-46441 | HIGH | CVSS 8.8 | EG 8.8 | 2022-04-27
In the "webupg" binary of D-Link DIR-825 G1, because of the lack of parameter verification, attackers can use "cmd" parameters to execute arbitrary system commands after obtaining authorization.
- CVE-2021-46686 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-02-18
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in acmailer CGI ver.4.0.3 and earlier and acmailer DB ver.1.1.5 and earlier. If this vulnerability is exploited, an arbitrary OS comman…
- CVE-2021-46704 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-06
In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined wit…
- CVE-2021-47667 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-04-05
An OS command injection vulnerability in lib/NSSDropoff.php in ZendTo 5.24-3 through 6.x before 6.10-7 allows unauthenticated remote attackers to execute arbitrary commands via shell metacharacters in the tmp_name parameter when dropping o…
- CVE-2021-47728 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-12-09
Selea Targa IP OCR-ANPR Camera contains an unauthenticated command injection vulnerability in utils.php that allows remote attackers to execute arbitrary shell commands. Attackers can exploit the 'addr' and 'port' parameters to inject comm…
- CVE-2021-47745 | HIGH | CVSS 8.8 | EG 8.8 | 2025-12-31
Cypress Solutions CTM-200 2.7.1 contains an authenticated command injection vulnerability in the firmware upgrade script that allows remote attackers to execute shell commands. Attackers can exploit the 'fw_url' parameter in the ctm-config…
- CVE-2021-47747 | HIGH | CVSS 8.8 | EG 8.8 | 2025-12-31
meterN 1.2.3 contains an authenticated remote code execution vulnerability in admin_meter2.php and admin_indicator2.php scripts. Attackers can exploit the 'COMMANDx' and 'LIVECOMMANDx' POST parameters to execute arbitrary system commands w…
- CVE-2021-47748 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-01-21
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious Gra…
- CVE-2021-47794 | HIGH | CVSS 8.8 | EG 8.8 | 2026-01-16
ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a revers…
- CVE-2021-47816 | HIGH | CVSS 8.8 | EG 8.8 | 2026-01-16
Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system commands through user management endpoints. Attackers can inject commands via username and …
- CVE-2021-47851 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-01-21
Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads …
- CVE-2021-47903 | HIGH | CVSS 8.8 | EG 8.8 | 2026-01-23
LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the ser…
- CVE-2022-0365 | CRITICAL | CVSS 9.1 | EG 9.1 | 2022-02-04
The affected product is vulnerable to an authenticated OS command injection, which may allow an attacker to inject and execute arbitrary shell commands as the Admin (root) user.
- CVE-2022-0557 | HIGH | CVSS 7.2 | EG 7.2 | 2022-02-11
OS Command Injection in Packagist microweber/microweber prior to 1.2.11.
- CVE-2022-0764 | MEDIUM | CVSS 6.7 | EG 6.7 | 2022-02-26
Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0.
- CVE-2022-0841 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-03
OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4.
- CVE-2022-0848 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-04
OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11.
- CVE-2022-0999 | HIGH | CVSS 8.8 | EG 8.8 | 2022-04-11
An authenticated user may be able to misuse parameters to inject arbitrary operating system commands into mySCADA myPRO versions 8.25.0 and prior.
- CVE-2022-1030 | HIGH | CVSS 8.8 | EG 8.8 | 2022-03-23
Okta Advanced Server Access Client for Linux and macOS prior to version 1.58.0 was found to be vulnerable to command injection via a specially crafted URL. An attacker, who has knowledge of a valid team name for the victim and also knows a…
- CVE-2022-1262 | HIGH | CVSS 7.8 | EG 7.8 | 2022-04-11
A command injection vulnerability in the protest binary allows an attacker with access to the remote command line interface to execute arbitrary commands as root.
- CVE-2022-1292 | HIGH | CVSS 7.3 | EG 9.8 | 2022-05-03
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker c…
- CVE-2022-1356 | HIGH | CVSS 7.1 | EG 7.8 | 2022-05-17
cnMaestro is vulnerable to a local privilege escalation. By default, a user does not have root privileges. However, a user can run scripts as sudo, which could allow an attacker to gain root privileges when running user scripts outside all…
- CVE-2022-1357 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-05-17
The affected On-Premise cnMaestro allows an unauthenticated attacker to access the cnMaestro server and execute arbitrary code in the privileges of the web server. This lack of validation could allow an attacker to append arbitrary data to…
- CVE-2022-1359 | MEDIUM | CVSS 5.7 | EG 7.5 | 2022-05-17
The affected On-Premise cnMaestro is vulnerable to an arbitrary file-write through improper limitation of a pathname to a restricted directory inside a specific route. If an attacker supplied path traversal characters (../) as part of a file…
- CVE-2022-1360 | HIGH | CVSS 8.2 | EG 9.8 | 2022-05-17
The affected On-Premise cnMaestro is vulnerable to execution of code on the cnMaestro hosting server. This could allow a remote attacker to change server configuration settings.
- CVE-2022-1362 | MEDIUM | CVSS 5.0 | EG 7.3 | 2022-05-17
The affected On-Premise cnMaestro is vulnerable inside a specific route where a user can upload a crafted package to the system. An attacker could abuse this user-controlled data to execute arbitrary commands on the server.
- CVE-2022-1410 | HIGH | CVSS 8.0 | EG 8.8 | 2022-08-17
OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior vers…
- CVE-2022-1440 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-04-22
Command Injection vulnerability in git-interface@2.1.1 in GitHub repository yarkeev/git-interface prior to 2.1.2. If both are provided by user input, then the use of a `--upload-pack` command-line argument feature of git is also supported …
- CVE-2022-1513 | HIGH | CVSS 7.3 | EG 8.8 | 2022-08-23
A potential vulnerability was reported in Lenovo PCManager prior to version 5.0.10.4191 that may allow code execution when visiting a specially crafted website.
- CVE-2022-1703 | HIGH | CVSS 8.8 | EG 8.8 | 2022-06-08
Improper neutralization of special elements in the SonicWall SSL-VPN SMA100 series management interface allows a remote authenticated attacker to inject OS Commands which potentially leads to remote command execution vulnerability or denia…
- CVE-2022-1813 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-05-22
OS Command Injection in GitHub repository yogeshojha/rengine prior to 1.2.0.
- CVE-2022-1884 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-15
A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tr…
- CVE-2022-1986 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-09
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9.
- CVE-2022-2024 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-02-25
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
- CVE-2022-20617 | HIGH | CVSS 8.8 | EG 8.8 | 2022-01-12
Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a…
- CVE-2022-20650 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-23
A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to insufficient input validation of user supplied data…
- CVE-2022-20652 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-11-15
A vulnerability in the web-based management interface and in the API subsystem of Cisco Tetration could allow an authenticated, remote attacker to inject arbitrary commands to be executed with root-level privileges on the underlying o…
- CVE-2022-20655 | HIGH | CVSS 8.8 | EG 8.8 | 2024-11-15
A vulnerability in the implementation of the CLI on a device that is running ConfD could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient validation of a process argum…
- CVE-2022-2068 | HIGH | CVSS 7.3 | EG 9.8 | 2022-06-21
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When t…
- CVE-2022-20693 | MEDIUM | CVSS 4.7 | EG 7.2 | 2022-04-15
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker…
- CVE-2022-20708 | CRITICAL | CVSS 10.0 | EG 10.0 | ⚠ KEV | 2022-02-10
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication a…
- CVE-2022-20718 | MEDIUM | CVSS 5.5 | EG 7.2 | 2022-04-15
Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying …
- CVE-2022-20797 | MEDIUM | CVSS 5.5 | EG 9.1 | 2022-05-27
A vulnerability in the web-based management interface of Cisco Secure Network Analytics, formerly Cisco Stealthwatch Enterprise, could allow an authenticated, remote attacker to execute arbitrary commands as an administrator on the underly…
- CVE-2022-20799 | MEDIUM | CVSS 4.7 | EG 7.2 | 2022-05-04
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an …
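Most entries on this page share one root cause: a web handler (a "ping this host" or "network check" page, an image name, a firmware URL) pastes a request parameter into a string that a shell then parses. The TOTOLINK, Tenda, GenieACS and D-Link entries above describe exactly that, and the DIR-846 entries note that the vendor's metacharacter filter could be bypassed with backticks. The example below is added here by the editor; it is not code from any product listed on this page. It shows the vulnerable construction, a typical ad-hoc blocklist and the inputs that walk past it, and the fix that actually closes CWE-78: validate against an allowlist and execute with an argv list so no shell ever sees the value. All hostnames in it are constructed test inputs, and `shell_demo` substitutes `echo` for `ping` so the demonstration runs harmlessly.

```python
"""
Added example (editor's code, not from any product on this page): the CWE-78
pattern behind a "ping this host" handler, a blocklist that fails, and the
allowlist + argv fix. Hostnames are constructed test inputs.
"""
import ipaddress
import re
import subprocess


def build_ping_command_vulnerable(host: str) -> str:
    # VULNERABLE: the untrusted value lands inside a string that `sh -c` will
    # parse, so ; | & $( ) ` and newlines become separators or substitutions.
    return f"ping -c 1 {host}"


# A typical after-the-fact "filter": block the characters someone remembered.
BLOCKLISTED = set(";|&><\n")


def blocklist_filter(host: str) -> bool:
    """Return True when the input passes the blocklist (i.e. reaches the shell)."""
    return not any(ch in BLOCKLISTED for ch in host)


# Allowlist: an IP literal or an RFC 1123 hostname (alphanumeric labels,
# internal hyphens, dot-separated). Anything else, including a leading '-'
# that would be read as a ping option, is rejected outright.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"\A{_LABEL}(?:\.{_LABEL})*\Z")


def is_safe_target(host: str) -> bool:
    if len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.match(host) is not None


def ping_argv(host: str) -> list[str]:
    """HARDENED: validate against the allowlist, then build an argv list.
    Passing a list to subprocess.run (shell=False) means no shell parses the
    value, so metacharacters cannot change the command structure."""
    if not is_safe_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


def audit(hosts: list[str]) -> dict[str, dict[str, bool]]:
    """For each candidate input, record whether the blocklist lets it through
    and whether the allowlist accepts it. Inputs that pass the first column but
    fail the second are the blocklist's bypass surface."""
    return {
        h: {"blocklist_passes": blocklist_filter(h),
            "allowlist_accepts": is_safe_target(h)}
        for h in hosts
    }


def shell_demo(host: str) -> str:
    """Run the vulnerable construction through a real /bin/sh, with `echo`
    standing in for ping so nothing is actually sent. The output is the argv
    the shell built, with any substitution already expanded."""
    cmd = "echo " + build_ping_command_vulnerable(host)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


# Constructed inputs: one benign target (TEST-NET-1) and four injection attempts.
SAMPLE_INPUTS = [
    "192.0.2.10",                  # benign
    "192.0.2.10; id",              # caught by the blocklist
    "192.0.2.10`echo INJECTED`",   # backticks: not in the blocklist, still executes
    "192.0.2.10$(echo INJECTED)",  # $( ) likewise
    "-f",                          # option injection: no metacharacters at all
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INPUTS).items():
        print(f"{host!r:32} blocklist_passes={verdict['blocklist_passes']!s:5} "
              f"allowlist_accepts={verdict['allowlist_accepts']}")
    print("shell sees:", shell_demo("192.0.2.10`echo INJECTED`").strip())
    print("hardened argv:", ping_argv("192.0.2.10"))
```

When auditing a handler against this list, the question to ask is not "which characters are filtered" but "does the value ever reach a shell": if `system()`, `popen()`, `exec()` with a single string, or `subprocess` with `shell=True` appears in the path, the blocklist is the bug's surface, not its fix. The allowlist here also rejects a leading `-`, which closes the separate argument-injection case that the git-interface entry (`--upload-pack`) illustrates.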
EchelonGraph correlates every CVE, across CWE-78 and 150+ other weakness categories, against the assets you actually run, showing blast radius, fix versions, and remediation steps in one graph.