CWE-77

Exploit likelihood: High

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

3,559 vulnerabilities with CWE-77
CVE-2025-69542 CRITICAL
D-Link DIR-895LA1 v102b07 - OS Command Injection via DHCP Hostname Parameter
CVSS 9.8
CVE-2025-64093 CRITICAL
Zenitel ICX500 and ICX510 Firmware < 1.4.3.3 - Unauthenticated Remote Code Execution via Hostname Injection
CVSS 10.0
CVE-2025-64090 CRITICAL
TCIS-3 Firmware < 9.2.3.3 - Authenticated Command Injection via Device Hostname
CVSS 10.0
CVE-2025-59470 CRITICAL
Veeam Backup & Replication 13.0.0.4967-13.0.1.1071 - Authenticated Remote Code Execution via Interval or Order Parameter
CVSS 9.0
CVE-2025-59468 CRITICAL
Veeam Backup & Replication 13.0.0.4967-13.0.1.1071 - Authenticated RCE via Password Parameter
CVSS 9.0
CVE-2025-56425 CRITICAL
enaio 10.10.0.0-10.10.0.183, 11.0.0-11.0.0.183, 11.10.0-11.10.0.183 - SMTP Command Injection via AppConnector Sendmail
CVSS 9.1
CVE-2025-55125 HIGH
Veeam Backup and Replication - Backup Operator Root Code Execution
CVSS 7.8
CVE-2025-67089 HIGH
GL-iNet GL-AXT1800 Firmware 4.6.8 - Authenticated Command Injection via plugins.install_package RPC Method
CVSS 8.1
CVE-2025-61492 CRITICAL
Terminal-Controller-MCP 0.1.7 - Command Injection
CVSS 10.0
CVE-2025-61489 MEDIUM
sonirico mcp-shell <0.3.1 - Command Injection
CVSS 6.5
CVE-2025-15472 HIGH
TRENDnet TEW-811DRU 1.0.2.0 - OS Command Injection via DeviceURL Parameter
CVSS 7.2
CVE-2025-15471 CRITICAL
TRENDnet TEW-713RE 1.02 - Command Injection
CVSS 9.8
CVE-2025-64424 HIGH
Coolify <= 4.0.0-beta.434 - Authenticated Command Injection via Git Source Input Fields
CVSS 8.8
CVE-2025-64419 CRITICAL
Coolify < 4.0.0-beta.445 - Remote Code Execution via Docker Compose Parameters
CVSS 9.6
CVE-2025-67397 CRITICAL
passy 1.6.3 - Authenticated Remote Code Execution via HTTP Request Payload Injection
CVSS 9.1
CVE-2025-15391 MEDIUM
D-Link DIR-806A 100CNb11 - OS Command Injection in SSDP Request Handler
CVSS 6.3
CVE-2025-15357 MEDIUM
D-Link DI-7400G+ 19.12.25A1 - OS Command Injection via cmd Parameter
CVSS 6.3
CVE-2025-69256 HIGH
Serverless Framework 4.29.0-4.29.3 - Remote Code Execution via MCP Server Input Injection
CVSS 7.5
CVE-2025-15257 HIGH
Edimax BR-6208AC 1.02/1.03 - Command Injection via Web Configuration Interface
CVSS 7.3
CVE-2025-15256 HIGH
Edimax BR-6208AC 1.02-1.03 - OS Command Injection via formStaDrvSetup rootAPmac Parameter
CVSS 7.3
CVE-2025-15254 MEDIUM
Tenda W6-S 1.0.0.4(510) - OS Command Injection via TendaAte Function
CVSS 6.3
CVE-2025-69201 CRITICAL
Tugtainer <1.15.1 - Command Injection
CVSS 9.8
CVE-2025-15192 MEDIUM
D-Link DWR-M920 < 1.1.50 - Remote Command Injection via formLtefotaUpgradeQuectel fota_url Parameter
CVSS 6.3
CVE-2025-15191 MEDIUM
D-Link DWR-M920 < 1.1.50 - OS Command Injection via formLtefotaUpgradeFibocom fota_url Parameter
CVSS 6.3
CVE-2025-15139 MEDIUM
TRENDnet TEW-822DRE 1.00B21/1.01B06 - Remote Command Injection via peerPin Argument
CVSS 6.3