CWE-77

Exploit likelihood: High

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

3,553 vulnerabilities with CWE-77
CVE-2026-21257 HIGH
GitHub Copilot & VS - Command Injection
CVSS 8.0
CVE-2026-21256 HIGH
GitHub Copilot & VS - Command Injection
CVSS 8.8
CVE-2026-20841 HIGH
Windows Notepad App - Command Injection
CVSS 7.8
CVE-2026-2260 HIGH
D-Link DCS-931L < 1.13.00 - OS Command Injection via AdminID Parameter
CVSS 7.2
CVE-2026-25761 HIGH
super-linter 6.0.0-8.3.0 - Command Injection via Crafted Filename
CVSS 8.8
CVE-2026-2227 MEDIUM
D-Link DCS-931L < 1.13.00 - OS Command Injection via AdminID Parameter
CVSS 4.7
CVE-2026-2218 MEDIUM
D-Link DCS-933L < 1.14.11 - OS Command Injection via AdminID Parameter
CVSS 6.3
CVE-2026-2210 HIGH
D-Link DIR-823X 250416 - OS Command Injection via /goform/set_filtering
CVSS 7.2
CVE-2026-2194 MEDIUM
D-Link DI-7100G C1 24.04.18D1 - Remote Command Injection via start_proxy_client_email Function
CVSS 6.3
CVE-2026-2193 MEDIUM
D-Link DI-7100G C1 24.04.18D1 - OS Command Injection via usb_username Parameter
CVSS 6.3
CVE-2026-2188 HIGH
UTT 521G Firmware 3.1.1-190816 - OS Command Injection via policyNames Argument
CVSS 7.2
CVE-2026-2184 HIGH
Great Developers Certificate Generation System - OS Command Injection
CVSS 7.3
CVE-2026-2182 HIGH
UTT 521G 3.1.1-190816 - OS Command Injection via setSysAdm passwd1 Parameter
CVSS 7.2
CVE-2026-2178 MEDIUM
r-huijts xcode-mcp-server <f3419f00117aa9949e326f78cc940166c88f18cb...
CVSS 6.3
CVE-2026-2175 HIGH
D-Link DIR-823X 250416 - OS Command Injection via upnp_enable Parameter
CVSS 7.2
CVE-2026-2169 MEDIUM
D-Link DWR-M921 1.1.50 - Remote Command Injection via fota_url Parameter
CVSS 6.3
CVE-2026-2168 MEDIUM
D-Link DWR-M921 1.1.50 - Remote Command Injection via fota_url Parameter
CVSS 6.3
CVE-2026-2167 MEDIUM
Totolink WA300 5.2cu.7112_B20190227 - OS Command Injection via Ipaddr Parameter in setAPNetwork Function
CVSS 6.3
CVE-2026-2163 MEDIUM
D-Link DIR-600 Firmware < 2.15wwb02 - Remote Command Injection via ssdp.cgi HTTP_ST Parameter
CVSS 4.7
CVE-2026-2157 HIGH
D-Link DIR-823X 250416 - OS Command Injection via set_static_route_table Interface Parameter
CVSS 7.2
CVE-2026-2155 HIGH
D-Link DIR-823X 250416 - OS Command Injection via DMZ Configuration Handler
CVSS 7.2
CVE-2026-2152 HIGH
D-Link DIR-615 4.10 - OS Command Injection via adv_routing.php dest_ip/submask/gw Parameters
CVSS 7.2
CVE-2026-2151 HIGH
D-Link DIR-615 4.10 - OS Command Injection via DMZ Host Feature dmz_ipaddr Argument
CVSS 7.2
CVE-2026-2143 HIGH
D-Link DIR-823X 250416 - OS Command Injection via DDNS Service
CVSS 7.2
CVE-2026-2142 HIGH
D-Link DIR-823X 250416 - OS Command Injection via set_qos Function
CVSS 7.2