CWE-78: OS Command Injection
5,586 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-78 (page 64 of 112)
- CVE-2023-36670 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-07-18
  A remotely exploitable command injection vulnerability was found in the Kratos NGC-IDU 9.1.0.4. An attacker can execute arbitrary Linux commands as root by sending crafted TCP requests to the device.
- CVE-2023-36922 | CRITICAL | CVSS 9.1 | EG 9.1 | 2023-07-11
  Due to a programming error in a function module and report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extens…
- CVE-2023-37032 | HIGH | CVSS 7.5 | EG 7.5 | 2025-01-21
  A stack-based buffer overflow in the Mobile Management Entity (MME) of Magma versions <= 1.8.0 (fixed in v1.9, commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows remote attackers to crash the MME with an unauthenticated cellphone by se…
- CVE-2023-37170 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-07-07
  TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the lang parameter in the setLanguageCfg function.
- CVE-2023-37171 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-07-07
  TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the admuser parameter in the setPasswordCfg function.
- CVE-2023-37172 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-07-07
  TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the ip parameter in the setDiagnosisCfg function.
- CVE-2023-37173 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-07-07
  TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the command parameter in the setTracerouteCfg function.
- CVE-2023-37213 | HIGH | CVSS 8.8 | EG 8.8 | 2023-07-30
  Synel SYnergy Fingerprint Terminals - CWE-78: 'OS Command Injection'
- CVE-2023-37249 | HIGH | CVSS 8.8 | EG 8.8 | 2023-08-25
  Infoblox NIOS through 8.5.1 has a faulty component that accepts malicious input without sanitization, resulting in shell access.
- CVE-2023-37292 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-07-21
  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in HGiga iSherlock 4.5 (iSherlock-user modules) and HGiga iSherlock 5.5 (iSherlock-user modules) allows OS Command Injection. This issue a…
- CVE-2023-37407 | HIGH | CVSS 8.8 | EG 8.8 | 2024-05-03
  IBM Aspera Orchestrator 4.0.1 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 260116.
- CVE-2023-3741 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-11-30
  An OS command injection vulnerability in NEC Platforms DT900 and DT900S Series, all versions, allows an attacker to execute any command on the device.
- CVE-2023-37477 | HIGH | CVSS 7.2 | EG 7.2 | 2023-07-18
  1Panel is an open source Linux server operation and maintenance management panel. An OS command injection vulnerability exists in the 1Panel firewall functionality. A specially crafted HTTP request can lead to arbitrary command execution. An a…
- CVE-2023-37564 | HIGH | CVSS 8.0 | EG 8.0 | 2023-07-13
  An OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary OS command with root privilege by sending a specially crafted request. Affected products and versi…
- CVE-2023-37569 | HIGH | CVSS 8.8 | EG 8.8 | 2023-08-08
  This vulnerability exists in the ESDS Emagic Data Center Management Suite due to a lack of input sanitization in its Ping component. A remote authenticated attacker could exploit this by injecting OS commands on the targeted system. Successful e…
- CVE-2023-3767 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-09-27
  An OS command injection vulnerability has been found in EasyPHP Webserver affecting version 14.1. This vulnerability could allow an attacker to get full access to the system by sending a specially crafted exploit to the /index.php?zone=se…
- CVE-2023-37861 | HIGH | CVSS 8.8 | EG 8.8 | 2023-08-09
  In PHOENIX CONTACT's WP 6xxx series web panels in versions prior to 4.0.10, an authenticated remote attacker can execute code with root permissions via a specially crafted HTTP POST when uploading a certificate to the device.
- CVE-2023-37863 | HIGH | CVSS 7.2 | EG 7.2 | 2023-08-09
  In PHOENIX CONTACT's WP 6xxx series web panels in versions prior to 4.0.10, a remote attacker with SNMPv2 write privileges may use a special SNMP request to gain full access to the device.
- CVE-2023-37903 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-07-21
  vm2 is an open source vm/sandbox for Node.js. In vm2 versions up to and including 3.9.19, the Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming…
- CVE-2023-37927 | HIGH | CVSS 8.8 | EG 8.8 | 2023-11-30
  The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (O…
- CVE-2023-37928 | HIGH | CVSS 8.8 | EG 8.8 | 2023-11-30
  A post-authentication command injection vulnerability in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating sys…
- CVE-2023-37937 | HIGH | CVSS 7.8 | EG 7.8 | 2025-01-14
  An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 …
- CVE-2023-38025 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-08-28
  SpotCam Co., Ltd. SpotCam FHD 2's hidden Telnet function has an OS command injection vulnerability. A remote unauthenticated attacker can exploit this vulnerability to perform a command injection attack to run arbitrary system commands or …
- CVE-2023-38027 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-08-28
  SpotCam Co., Ltd. SpotCam Sense's hidden Telnet function has an OS command injection vulnerability. A remote unauthenticated attacker can exploit this vulnerability to perform a command injection attack to execute arbitrary system comma…
- CVE-2023-38031 | HIGH | CVSS 8.8 | EG 8.8 | 2023-09-07
  The ASUS RT-AC86U Adaptive QoS - Web History function has insufficient filtering of special characters. A remote attacker with regular user privileges can exploit this vulnerability to perform a command injection attack to execute arbitrary comma…
- CVE-2023-38032 | HIGH | CVSS 8.8 | EG 8.8 | 2023-09-07
  The ASUS RT-AC86U AiProtection security-related function has insufficient filtering of special characters. A remote attacker with regular user privileges can exploit this vulnerability to perform a command injection attack to execute arbitrary c…
- CVE-2023-38033 | HIGH | CVSS 8.8 | EG 8.8 | 2023-09-07
  The ASUS RT-AC86U unused Traffic Analyzer legacy Statistic function has insufficient filtering of special characters. A remote attacker with regular user privileges can exploit this vulnerability to perform a command injection attack to execute a…
- CVE-2023-38056 | HIGH | CVSS 7.2 | EG 7.2 | 2023-07-24
  Improper neutralization of commands allowed to be executed via OTRS System Configuration (e.g. SchedulerCronTaskModule using UnitTests modules) allows any authenticated attacker with admin privileges local execution of code. This issue affect…
- CVE-2023-38120 | HIGH | CVSS 8.8 | EG 8.8 | 2024-05-03
  Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adtran SR400ac routers. Although authentication is required to exp…
- CVE-2023-38208 | CRITICAL | CVSS 9.1 | EG 9.1 | 2023-08-09
  Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead t…
- CVE-2023-38317 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-01-26
  An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the network interface name entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.
- CVE-2023-38318 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-01-26
  An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the gateway FQDN entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.
- CVE-2023-38319 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-01-26
  An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the FAS key entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.
- CVE-2023-38323 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-01-26
  An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the status path script entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.
- CVE-2023-38378 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-07-16
  The web interface on the RIGOL MSO5000 digital oscilloscope with firmware 00.01.03.00.03 allows remote attackers to execute arbitrary code via shell metacharacters in pass1 to the webcontrol changepwd.cgi application.
- CVE-2023-38563 | HIGH | CVSS 8.8 | EG 8.8 | 2023-09-06
  Archer C1200 firmware versions prior to 'Archer C1200(JP)_V2_230508' and Archer C9 firmware versions prior to 'Archer C9(JP)_V3_230508' allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands.
- CVE-2023-38568 | HIGH | CVSS 8.8 | EG 8.8 | 2023-09-06
  Archer A10 firmware versions prior to 'Archer A10(JP)_V2_230504' allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands.
- CVE-2023-38588 | HIGH | CVSS 8.0 | EG 8.0 | 2023-09-06
  Archer C3150 firmware versions prior to 'Archer C3150(JP)_V2_230511' allow a network-adjacent authenticated attacker to execute arbitrary OS commands.
- CVE-2023-38673 | CRITICAL | CVSS 9.6 | EG 9.6 | 2023-07-26
  PaddlePaddle before 2.5.0 has a command injection vulnerability in fs.py. This resulted in the ability to execute arbitrary commands on the operating system.
- CVE-2023-38692 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-08-04
  CloudExplorer Lite is an open source, lightweight cloud management platform. Versions prior to 1.3.1 contain a command injection vulnerability in the installation function in module management. The vulnerability has been fixed in v1.3.1. T…
- CVE-2023-38886 | HIGH | CVSS 7.2 | EG 7.2 | 2023-09-20
  An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.
- CVE-2023-39222 | HIGH | CVSS 8.8 | EG 8.8 | 2023-10-03
  OS command injection vulnerability in FURUNO SYSTEMS wireless LAN access point devices allows an authenticated user to execute an arbitrary OS command that is not intended to be executed from the web interface by sending a specially crafte…
- CVE-2023-39224 | HIGH | CVSS 8.0 | EG 8.0 | 2023-09-06
  Archer C5 firmware (all versions) and Archer C7 firmware versions prior to 'Archer C7(JP)_V2_230602' allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Note that Archer C5 is no longer supported, therefore the …
- CVE-2023-39236 | HIGH | CVSS 8.8 | EG 8.8 | 2023-09-07
  The ASUS RT-AC86U Traffic Analyzer - Statistic function has insufficient filtering of special characters. A remote attacker with regular user privileges can exploit this vulnerability to perform a command injection attack to execute arbitrary com…
- CVE-2023-39237 | HIGH | CVSS 8.8 | EG 8.8 | 2023-09-07
  The ASUS RT-AC86U Traffic Analyzer - Apps analysis function has insufficient filtering of special characters. A remote attacker with regular user privileges can exploit this vulnerability to perform a command injection attack to execute arbitrary…
- CVE-2023-39294 | MEDIUM | CVSS 6.6 | EG 6.6 | 2024-01-05
  An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed th…
- CVE-2023-39295 | HIGH | CVSS 8.8 | EG 8.8 | 2023-11-10
  An OS command injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version…
- CVE-2023-39297 | HIGH | CVSS 8.8 | EG 8.8 | 2024-02-02
  An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnera…
- CVE-2023-39300 | HIGH | CVSS 7.2 | EG 7.2 | 2024-09-06
  An OS command injection vulnerability has been reported to affect legacy QTS. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the follo…
- CVE-2023-39302 | MEDIUM | CVSS 6.6 | EG 6.6 | 2024-02-02
  An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed th…