CWE-77

High likelihood

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

3,559 vulnerabilities with CWE-77
CVE-2026-1324 HIGH
Sangfor O&M Security Management System <= 3.0.12 - OS Command Injection
CVSS 8.8
CVE-2026-23947 CRITICAL
Orval < 7.19.0 and 8.0.0-rc.0-8.0.2 - Remote Code Execution via x-enumDescriptions Field
CVSS 9.8
CVE-2026-1192 HIGH
Tosei Online Store Management System 1.01 - Command Injection
CVSS 7.3
CVE-2026-1150 MEDIUM
Totolink LR350 9.3.5u.6369_B20220309 - Command Injection via setTracerouteCfg POST Parameter
CVSS 6.3
CVE-2026-1149 MEDIUM
Totolink LR350 9.3.5u.6369_B20220309 - OS Command Injection via setDiagnosisCfg ip Parameter
CVSS 6.3
CVE-2026-1125 HIGH
D-Link DIR-823X 250416 - OS Command Injection via wd_enable Parameter
CVSS 7.3
CVE-2026-1066 MEDIUM
kalcaddle kodbox <1.61.10 - Command Injection
CVSS 6.3
CVE-2026-1064 MEDIUM
Bastillion <4.0.1 - Command Injection
CVSS 4.7
CVE-2026-1063 MEDIUM
Bastillion <4.0.1 - Command Injection
CVSS 4.7
CVE-2026-0975 HIGH
DIAView < 4.4.0 - Remote Code Execution
CVSS 7.8
CVE-2026-22864 HIGH
Deno < 2.5.6 - Command Injection via Case-Insensitive Extension Bypass
CVSS 8.1
CVE-2026-22708 CRITICAL
Cursor < 2.3 - Environment Variable Manipulation via Shell Built-in Execution
CVSS 9.8
CVE-2026-22755 CRITICAL
Vivotek - Command Injection
CVE-2026-22785 CRITICAL
orval < 7.18.0 - Remote Code Execution via OpenAPI Summary Field Injection
CVSS 9.8
CVE-2026-22688 CRITICAL
WeKnora < 0.2.5 - Authenticated Command Injection via stdio_config.command/args
CVSS 9.9
CVE-2026-22601 HIGH
OpenProject < 16.6.2 - Authenticated Command Injection via Sendmail Binary Path Configuration
CVSS 7.2
CVE-2026-0732 MEDIUM
D-Link DI-8200G 17.12.20A1 - OS Command Injection via /upgrade_filter.asp path Parameter
CVSS 6.3
CVE-2026-21639 MEDIUM
UI airMAX AC <8.7.21, airMAX M <6.3.24, airFiber AF60-XG <1.2.3, AF60 <2.6.8 - RCE via airMAX Protocol
CVSS 5.4
CVE-2026-21638 HIGH
UI Ubb-xg Firmware < 1.2.3 - Command Injection
CVSS 8.8
CVE-2026-0641 MEDIUM
TOTOLINK WA300 5.2cu.7112_B20190227 - OS Command Injection via UPLOAD_FILENAME Argument
CVSS 6.3
CVE-2026-0581 MEDIUM
Tenda AC1206 Firmware 15.03.06.23 - OS Command Injection via BehaviorManager modulename Parameter
CVSS 6.3
CVE-2025-56814 HIGH
OpenCPN 5.12.0 - Remote Code Execution via wxExecute() Shell Metacharacter Injection
CVSS 7.8
CVE-2025-69600 HIGH
Raynet rvia 12.6.4392.49 - Command Injection via Find Command Argument Injection
CVSS 7.8
CVE-2025-57282 HIGH
ngrok 4.3.3/5.0.0-beta.2 - Command Injection
CVSS 8.8
CVE-2025-31951 HIGH
HCL BigFix RunBookAI is affected by an Unvalidated Command Input / Potential Command Smuggling vulnerability
CVSS 8.8