CWE-78 — OS Command Injection
5,541 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-78 (page 53 of 111)
- CVE-2022-37083 | HIGH | CVSS 7.8 | EG 7.8 | 2022-08-25
TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the ip parameter at the function setDiagnosisCfg.
- CVE-2022-37123 | HIGH | CVSS 8.8 | EG 8.8 | 2022-08-31
D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to command injection via /goform/form2userconfig.cgi.
- CVE-2022-37129 | HIGH | CVSS 8.8 | EG 8.8 | 2022-08-31
D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to Command Injection via /goform/SystemCommand. After the user passes in the command parameter, it will be spliced into byte_4836B0 by snprintf, and finally doSystem(&byte_4836B0); will be exe…
- CVE-2022-37130 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-31
In D-Link DIR-816 A2_v1.10CNB04, DIR-878 DIR_878_FW1.30B08.img a command injection vulnerability occurs in /goform/Diagnosis, after the condition is met, setnum will be spliced into v10 by snprintf, and the system will be executed, resulti…
- CVE-2022-37149 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-30
WAVLINK WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability when operating the file adm.cgi. This vulnerability allows attackers to execute arbitrary commands via the username parameter.
- CVE-2022-37337 | CRITICAL | CVSS 9.1 | EG 8.8 | 2023-03-21
A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP reques…
- CVE-2022-37718 | HIGH | CVSS 8.8 | EG 8.8 | 2023-01-23
The management portal component of JetNexus/EdgeNexus ADC 4.2.8 was discovered to contain a command injection vulnerability. This vulnerability allows authenticated attackers to execute arbitrary commands through a specially crafted payloa…
- CVE-2022-37810 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-25
Tenda AC1206 V15.03.06.23 was discovered to contain a command injection vulnerability via the mac parameter in the function formWriteFacMac.
- CVE-2022-37860 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-09-12
The web configuration interface of the TP-Link M7350 V3 with firmware version 190531 is affected by a pre-authentication command injection vulnerability.
- CVE-2022-37878 | HIGH | CVSS 7.2 | EG 7.2 | 2022-09-20
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as…
- CVE-2022-37880 | HIGH | CVSS 7.2 | EG 7.2 | 2022-09-20
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as…
- CVE-2022-37882 | HIGH | CVSS 7.2 | EG 7.2 | 2022-09-20
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as…
- CVE-2022-37893 | HIGH | CVSS 7.8 | EG 7.8 | 2022-10-07
An authenticated command injection vulnerability exists in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user o…
- CVE-2022-37897 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-12
There is a command injection vulnerability that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation …
- CVE-2022-37898 | HIGH | CVSS 7.2 | EG 8.8 | 2022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37899 | HIGH | CVSS 7.2 | EG 7.2 | 2022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37900 | HIGH | CVSS 7.2 | EG 7.2 | 2022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37901 | HIGH | CVSS 7.2 | EG 7.2 | 2022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37902 | HIGH | CVSS 7.2 | EG 7.2 | 2022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37912 | HIGH | CVSS 7.2 | EG 8.8 | 2022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37915 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-10-28
A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of this vulnerabili…
- CVE-2022-37924 | HIGH | CVSS 7.2 | EG 7.2 | 2022-12-12
Vulnerabilities in the Aruba EdgeConnect Enterprise command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as roo…
- CVE-2022-38066 | HIGH | CVSS 8.8 | EG 8.8 | 2023-01-26
An OS command injection vulnerability exists in the httpd SNMP functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP response can lead to arbitrary command execution. An attacker can send a network request t…
- CVE-2022-38078 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-24
Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS com…
- CVE-2022-38094 | HIGH | CVSS 8.8 | EG 8.8 | 2022-09-08
OS command injection vulnerability in the telnet function of CentreCOM AR260S V2 firmware versions prior to Ver.3.3.7 allows a remote authenticated attacker to execute an arbitrary OS command.
- CVE-2022-38132 | HIGH | CVSS 8.2 | EG 8.8 | 2022-08-24
Command injection vulnerability in the Linksys MR8300 router during registration to the DDNS service. By specifying a username and password, an attacker connected to the router's web interface can execute arbitrary OS commands. The username and passw…
- CVE-2022-38308 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-09-14
TOTOLink A700RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the lang parameter in the function cstesystem. This vulnerability allows attackers to execute arbitrary commands via a crafted payload.
- CVE-2022-38387 | HIGH | CVSS 7.1 | EG 8.8 | 2022-11-11
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.2.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 233786.
- CVE-2022-38511 | HIGH | CVSS 7.8 | EG 7.8 | 2022-08-29
TOTOLINK A810R V5.9c.4050_B20190424 was discovered to contain a command injection vulnerability via the component downloadFile.cgi.
- CVE-2022-38531 | HIGH | CVSS 8.8 | EG 8.8 | 2022-09-08
FPT G-97RG6M R4.2.98.035 and G-97RG3 R4.2.43.078 are vulnerable to Remote Command Execution in the ping function.
- CVE-2022-38534 | HIGH | CVSS 7.2 | EG 7.2 | 2022-09-15
TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setdiagnosicfg function.
- CVE-2022-38535 | HIGH | CVSS 7.2 | EG 7.2 | 2022-09-15
TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg function.
- CVE-2022-38547 | HIGH | CVSS 7.2 | EG 7.2 | 2023-02-07
A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, VPN series firmware versions 4.30 through 5.32, USG FLEX series firmware versions 4.50 through 5.32, a…
- CVE-2022-38649 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-22
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, withou…
- CVE-2022-3874 | HIGH | CVSS 8.0 | EG 9.1 | 2023-09-22
A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in a…
- CVE-2022-38826 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-09-16
In TOTOLINK T6 V4.1.5cu.709_B20210518, there is an arbitrary command execution vulnerability in cstecgi.cgi.
- CVE-2022-38828 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-09-16
TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi.
- CVE-2022-38841 | HIGH | CVSS 8.8 | EG 8.8 | 2023-04-16
Linksys AX3200 1.1.00 is vulnerable to OS command injection by authenticated users via shell metacharacters to the diagnostics traceroute page.
- CVE-2022-39057 | HIGH | CVSS 7.2 | EG 7.2 | 2022-10-18
The RAVA certificate validation system has insufficient filtering of special parameters in a web page input field. A remote attacker with administrator privilege can exploit this vulnerability to execute arbitrary system commands and disrupt …
- CVE-2022-39224 | HIGH | CVSS 7.0 | EG 7.0 | 2022-09-21
Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `e…
- CVE-2022-39321 | HIGH | CVSS 8.8 | EG 8.8 | 2022-10-25
GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for ho…
- CVE-2022-39327 | HIGH | CVSS 8.1 | EG 8.1 | 2022-10-25
Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where pa…
- CVE-2022-39815 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-09-13
In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occur. These vulnerabilities allow unauthenticated users to execute commands on the operating system.
- CVE-2022-39818 | HIGH | CVSS 8.8 | EG 8.8 | 2023-12-25
In NOKIA NFM-T R19.9, an OS Command Injection vulnerability occurs in /cgi-bin/R19.9/log.pl of the VM Manager WebUI via the cmd HTTP GET parameter. This allows authenticated users to execute commands, with root privileges, on the operating…
- CVE-2022-39819 | HIGH | CVSS 8.8 | EG 8.8 | 2022-09-13
In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occur. These allow authenticated users to execute commands on the operating system.
- CVE-2022-39947 | HIGH | CVSS 8.8 | EG 8.8 | 2023-01-03
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiADC version 7.0.0 through 7.0.2, FortiADC version 6.2.0 through 6.2.3, FortiADC version 6.1.0 through 6.1.6, FortiADC ver…
- CVE-2022-39951 | HIGH | CVSS 7.2 | EG 8.8 | 2023-03-07
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, FortiWeb 6.4 all versions allows an attacker to execute unau…
- CVE-2022-40005 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-25
Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute.
- CVE-2022-40176 | HIGH | CVSS 8.0 | EG 8.0 | 2022-10-11
A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), …
- CVE-2022-40189 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-22
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without …