Skip to main content

Product Directory Enterprise Compliance Pulse AI Analyst Compare Docs

Login Start Free

Loading...

Cloud security intelligence for modern infrastructure.

Stay informed

📬 Product updates & blog posts🛡️ CVE & vendor advisory alerts

Frequency:

Sent from noreply@echelongraph.io · Unsubscribe anytime

Product

Overview
Enterprise
Agents
AI Analyst
Pricing
Compare
vs. Competitors

Resources

CVE Pulse
Compliance Directory
Newsletter
Documentation
Readiness Calculator
Blog

Security Tools

Surface Scanner
AI Security Index
AI Threat Map
Shadow AI Radar
Shadow Engine Map

Company

Design Partners
Changelog
Contact

Legal

Privacy
Terms
Security
DPA

© 2026 EchelonGraph, Inc. All rights reserved.

SOC 2 Type IIISO 27001GDPRHIPAA Ready

Home›CVE Pulse›CWE-78

CWE-78— OS Command Injection

5,541 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →

CVEs classified under CWE-78page 46 of 111

CVE-2022-22986HIGHCVSS 8.8EG 8.8
2022-03-31
Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file.
CVE-2022-22991HIGHCVSS 7.8EG 7.8
2022-01-13
A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity us…
CVE-2022-22997MEDIUMCVSS 6.8EG 9.8
2022-07-12
Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices.
CVE-2022-23100CRITICALCVSS 9.8EG 9.8
2022-07-27
OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment).
CVE-2022-2314CRITICALCVSS 9.8EG 9.8
2022-08-15
The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site.
CVE-2022-23389CRITICALCVSS 9.8EG 9.8
2022-02-14
PublicCMS v4.0 was discovered to contain a remote code execution (RCE) vulnerability via the cmdarray parameter.
CVE-2022-23611HIGHCVSS 8.1EG 8.1
2022-02-04
iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility. In affected versions iTunesRPC-Remastered did not properly sanitize image file paths leading to OS level command injection. This issue has been patched in commi…
CVE-2022-23661CRITICALCVSS 9.1EG 9.1
2022-05-16
A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Man…
CVE-2022-23662CRITICALCVSS 9.1EG 9.1
2022-05-16
A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Man…
CVE-2022-23663CRITICALCVSS 9.1EG 9.1
2022-05-16
A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Man…
CVE-2022-23664CRITICALCVSS 9.1EG 9.1
2022-05-16
A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Man…
CVE-2022-23665CRITICALCVSS 9.1EG 9.1
2022-05-16
A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Man…
CVE-2022-23666CRITICALCVSS 9.1EG 9.1
2022-05-16
A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Man…
CVE-2022-23667HIGHCVSS 7.2EG 7.2
2022-05-16
A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Man…
CVE-2022-23672HIGHCVSS 7.2EG 7.2
2022-05-17
A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Man…
CVE-2022-23673HIGHCVSS 7.2EG 7.2
2022-05-17
A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Man…
CVE-2022-23681HIGHCVSS 7.8EG 7.8
2022-09-06
Multiple vulnerabilities exist in the AOS-CX command line interface that could lead to authenticated command injection. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system l…
CVE-2022-23682HIGHCVSS 7.8EG 7.8
2022-09-06
Multiple vulnerabilities exist in the AOS-CX command line interface that could lead to authenticated command injection. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system l…
CVE-2022-23683HIGHCVSS 7.2EG 7.2
2022-09-06
Authenticated command injection vulnerabilities exist in the AOS-CX Network Analytics Engine via NAE scripts. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the …
CVE-2022-23900CRITICALCVSS 9.8EG 9.8
2022-04-07
A command injection vulnerability in the API of the Wavlink WL-WN531P3 router, version M31G3.V5030.201204, allows an attacker to achieve unauthorized remote code execution via a malicious POST request through /cgi-bin/adm.cgi.
CVE-2022-23935HIGHCVSS 7.8EG 9.8
2022-01-25
lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.
CVE-2022-24065HIGHCVSS 8.1EG 8.1
2022-06-08
The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that…
CVE-2022-24193CRITICALCVSS 9.8EG 9.8
2022-03-10
CasaOS before v0.2.7 was discovered to contain a command injection vulnerability.
CVE-2022-24237HIGHCVSS 8.8EG 8.8
2022-03-21
The snaptPowered2 component of Snapt Aria v12.8 was discovered to contain a command injection vulnerability. This vulnerability allows authenticated attackers to execute arbitrary commands.
CVE-2022-24288HIGHCVSS 8.8EG 9.0
2022-02-25
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
CVE-2022-24377HIGHCVSS 7.4EG 7.4
2022-12-14
The package cycle-import-check before 1.3.2 are vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.
CVE-2022-24388HIGHCVSS 8.8EG 8.8
2022-05-17
Vulnerability in rconfig “date” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fideli…
CVE-2022-24389HIGHCVSS 8.8EG 8.8
2022-05-17
Vulnerability in rconfig “cert_utils” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring …
CVE-2022-24390HIGHCVSS 8.8EG 8.8
2022-05-17
Vulnerability in rconfig “remote_text_file” enables an attacker with user level access to the CLI to inject user level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighb…
CVE-2022-24392HIGHCVSS 8.8EG 8.8
2022-05-17
Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “feed_comm_test” value for the “feed” parameter. The vulnerability could allow a specially craft…
CVE-2022-24393HIGHCVSS 8.8EG 8.8
2022-05-17
Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “check_vertica_upgrade” value for the “cpIp” parameter. The vulnerability could allow a speciall…
CVE-2022-24394HIGHCVSS 8.8EG 8.8
2022-05-17
Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “update_checkfile” value for the “filename” parameter. The vulnerability could allow a specially…
CVE-2022-24405CRITICALCVSS 9.8EG 9.8
2022-07-27
OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API.
CVE-2022-24431HIGHCVSS 7.4EG 7.4
2022-12-21
All versions of package abacus-ext-cmdline are vulnerable to Command Injection via the execute function due to improper user-input sanitization.
CVE-2022-24441MEDIUMCVSS 5.8EG 5.8
2022-11-30
The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, wh…
CVE-2022-24552CRITICALCVSS 9.8EG 9.8
2022-02-06
A flaw was found in the REST API in StarWind Stack. REST command, which manipulates a virtual disk, doesn’t check input parameters. Some of them go directly to bash as part of a script. An attacker with non-root user access can inject ar…
CVE-2022-24697CRITICALCVSS 9.8EG 9.8
2022-10-13
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- …
CVE-2022-24725MEDIUMCVSS 6.2EG 6.2
2022-03-03
Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `i…
CVE-2022-24753HIGHCVSS 7.7EG 7.7
2022-03-09
Stripe CLI is a command-line tool for the Stripe eCommerce platform. A vulnerability in Stripe CLI exists on Windows when certain commands are run in a directory where an attacker has planted files. The commands are `stripe login`, `stripe…
CVE-2022-24796CRITICALCVSS 10.0EG 10.0
2022-03-31
RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the We…
CVE-2022-24803CRITICALCVSS 10.0EG 10.0
2022-04-01
Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemented as an extension. Versions prior to 0.4.0, when used to render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system com…
CVE-2022-2486HIGHCVSS 8.0EG 9.8
2022-07-20
A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The e…
CVE-2022-2487HIGHCVSS 8.0EG 9.8
2022-07-20
A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/nightled.cgi. The manipulation of the argument start_hour leads to os command injection.…
CVE-2022-2488HIGHCVSS 8.0EG 9.8
2022-07-20
A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP leads to os command injection. The…
CVE-2022-25017CRITICALCVSS 9.1EG 8.8
2022-04-01
Hitron CHITA 7.2.2.0.3b6-CD devices contain a command injection vulnerability via the Device/DDNS ddnsUsername field.
CVE-2022-25048HIGHCVSS 8.8EG 8.8
2022-07-07
Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user.
CVE-2022-25060CRITICALCVSS 9.8EG 9.8
2022-02-25
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_startPing.
CVE-2022-25061CRITICALCVSS 9.8EG 9.8
2022-02-25
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.
CVE-2022-25064CRITICALCVSS 9.8EG 9.8
2022-02-25
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.
CVE-2022-25075CRITICALCVSS 9.8EG 9.8
2022-02-24
TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

← PreviousPage 46 of 111Next →

Map vulnerabilities like CWE-78 to your infrastructure

EchelonGraph correlates every CVE — across CWE-78 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.

Start Free Scan →