CWE-78: OS Command Injection
5,541 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-78 (page 47 of 111)
- CVE-2022-25076 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-24
TOTOLink A800R V4.1.2cu.5137_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
- CVE-2022-25077 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-24
TOTOLink A3100R V4.1.2cu.5050_B20200504 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
- CVE-2022-25078 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-24
TOTOLink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
- CVE-2022-25079 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-24
TOTOLink A810R V4.1.2cu.5182_B20201026 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
- CVE-2022-25080 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-24
TOTOLink A830R V5.9c.4729_B20191112 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
- CVE-2022-25081 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-24
TOTOLink T10 V5.9c.5061_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
- CVE-2022-25082 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-24
TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING pa…
- CVE-2022-25083 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-24
TOTOLink A860R V4.1.2cu.5182_B20201027 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
- CVE-2022-25084 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-24
TOTOLink T6 V5.9c.4085_B20190428 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
- CVE-2022-25168 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-04
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, whi…
- CVE-2022-25171 | HIGH | CVSS 7.4 | EG 7.4 | 2022-12-20
The package p4 before 0.0.7 is vulnerable to Command Injection via the run() function due to improper input sanitization.
- CVE-2022-25173 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-15
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to in…
- CVE-2022-25174 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-15
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands o…
- CVE-2022-25175 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-15
Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses the same checkout directories for distinct SCMs for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the cont…
- CVE-2022-25263 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-25
JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.
- CVE-2022-25328 | MEDIUM | CVSS 5.0 | EG 5.0 | 2022-02-25
The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially esc…
- CVE-2022-25350 | HIGH | CVSS 7.4 | EG 7.8 | 2023-01-26
All versions of the package puppet-facter are vulnerable to Command Injection via the getFact function due to improper input sanitization.
- CVE-2022-25438 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a remote command execution (RCE) vulnerability via the SetIPTVCfg function.
- CVE-2022-25441 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a remote command execution (RCE) vulnerability via the vlanid parameter in the SetIPTVCfg function.
- CVE-2022-2550 | HIGH | CVSS 8.8 | EG 8.8 | 2022-07-27
OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5.
- CVE-2022-25597 | HIGH | CVSS 8.8 | EG 8.8 | 2022-04-07
ASUS RT-AC86U’s LPD service has insufficient filtering for special characters in the user request, which allows an unauthenticated LAN attacker to perform a command injection attack, execute arbitrary commands and disrupt or terminate serv…
- CVE-2022-25621 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-11
UNIVERGE WA 1020 Ver8.2.11 and prior, UNIVERGE WA 1510 Ver8.2.11 and prior, UNIVERGE WA 1511 Ver8.2.11 and prior, UNIVERGE WA 1512 Ver8.2.11 and prior, UNIVERGE WA 2020 Ver8.2.11 and prior, UNIVERGE WA 2021 Ver8.2.11 and prior, UNIVERGE W…
- CVE-2022-25853 | HIGH | CVSS 7.4 | EG 7.8 | 2023-02-06
All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization.
- CVE-2022-25855 | HIGH | CVSS 7.4 | EG 7.8 | 2023-02-06
All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.
- CVE-2022-25860 | HIGH | CVSS 8.1 | EG 8.1 | 2023-01-26
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix…
- CVE-2022-25890 | HIGH | CVSS 7.4 | EG 9.8 | 2023-01-09
All versions of the package wifey are vulnerable to Command Injection via the connect() function due to improper input sanitization.
- CVE-2022-25906 | HIGH | CVSS 7.4 | EG 7.8 | 2023-02-01
All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function.
- CVE-2022-25908 | HIGH | CVSS 7.4 | EG 9.8 | 2023-01-26
All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.
- CVE-2022-25912 | HIGH | CVSS 8.1 | EG 8.1 | 2022-12-06
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-240…
- CVE-2022-25916 | HIGH | CVSS 7.4 | EG 7.4 | 2023-02-01
Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' function.
- CVE-2022-25923 | HIGH | CVSS 7.4 | EG 7.4 | 2023-01-06
Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization.
- CVE-2022-25926 | HIGH | CVSS 7.4 | EG 7.4 | 2023-01-04
Versions of the package window-control before 1.4.5 are vulnerable to Command Injection via the sendKeys function, due to improper input sanitization.
- CVE-2022-25962 | HIGH | CVSS 7.4 | EG 9.8 | 2023-01-26
All versions of the package vagrant.js are vulnerable to Command Injection via the boxAdd function due to improper input sanitization.
- CVE-2022-26007 | HIGH | CVSS 7.2 | EG 7.2 | 2022-05-12
An OS command injection vulnerability exists in the console factory functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to command execution. An attacker can send a sequence of requests to trig…
- CVE-2022-26042 | HIGH | CVSS 8.8 | EG 8.8 | 2022-05-12
An OS command injection vulnerability exists in the daretools binary functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of reque…
- CVE-2022-26075 | HIGH | CVSS 8.8 | EG 8.8 | 2022-05-12
An OS command injection vulnerability exists in the console infactory_wlan functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a seque…
- CVE-2022-26085 | HIGH | CVSS 8.8 | EG 8.8 | 2022-05-12
An OS command injection vulnerability exists in the httpd wlscan_ASP functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP …
- CVE-2022-26147 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-21
The Quectel RG502Q-EA modem before 2022-02-23 allows OS Command Injection.
- CVE-2022-26206 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26207 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26208 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26209 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26210 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26211 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26212 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26213 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-15
Totolink X5000R_Firmware v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function setNtpCfg, via the tz parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted r…
- CVE-2022-26214 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26258 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2022-03-28
D-Link DIR-820L 1.05B03 was discovered to contain a remote command execution (RCE) vulnerability via HTTP POST to get set ccp.
- CVE-2022-26265 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-18
Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter.
- CVE-2022-26289 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-24
Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/exeCommand.