CWE-77

Exploit likelihood: High

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

3,565 vulnerabilities with CWE-77
CVE ID          Severity  CVSS  Title
CVE-2025-27212  CRITICAL  9.8   UniFi Access <2.14.21-1.10.32-1.7.28 - Command Injection
CVE-2025-27211  HIGH      7.5   EdgeMAX EdgeSwitch <1.10.4 - Command Injection
CVE-2025-54782  HIGH      8.8   nestjs/devtools-integration < 0.2.1 - Remote Code Execution via Unsafe JavaScript Sandbox
CVE-2025-54424  HIGH      8.1   1Panel < 2.0.6 - Remote Code Execution via Incomplete Certificate Verification
CVE-2025-54131  MEDIUM    6.4   Cursor < 1.3 - Command Injection via Backtick and Dollar Parenthesis Bypass
CVE-2025-54564  HIGH      7.8   ChargePoint Home Flex <5.5.4.13 - Command Injection
CVE-2025-26063  CRITICAL  9.8   Intelbras RX1500 and RX3000 Firmware - Unauthenticated Remote Code Execution via ESSID Name Injection
CVE-2025-45619  MEDIUM    6.5   Aver PTC310UV2 Firmware 0.1.0000.59 - Remote Code Execution via SendAction Function
CVE-2025-25692  MEDIUM    6.5   PrestaShop 8.2.0 - Remote Code Execution via PHAR Deserialization in _getHeaders
CVE-2025-25691  MEDIUM    6.5   PrestaShop 8.2.0 - Remote Code Execution via PHAR Deserialization in Theme Import
CVE-2025-52284  MEDIUM    6.5   Totolink X6000R V9.4.0cu.1360_B20241207 - Unauthenticated Command Injection via tz Parameter
CVE-2025-8259   HIGH      7.3   Vaelsys VaelsysV4 < 5.1.1/5.4.1 - OS Command Injection via xajaxargs Parameter
CVE-2025-8244   HIGH      8.8   TOTOLINK X15 1.0.0-B20230714.1105 - Buffer Overflow via formMapDelDevice macstr Parameter
CVE-2025-54416  CRITICAL  9.1   tj-actions/branch-names < 9.0.0 - Remote Code Execution via Crafted Branch or Tag Names
CVE-2025-29628  CRITICAL  9.4   Gardyn Home Kit Firmware < master.619 - Exposure of Sensitive Information via Insecure HTTP Connection
CVE-2025-54377  HIGH      7.8   roo_code < 3.23.19 - OS Command Injection via Line Break Bypass
CVE-2025-51472  MEDIUM    6.5   TransformerOptimus SuperAGI <0.0.14 - Code Injection
CVE-2025-51459  MEDIUM    6.5   DB-GPT 0.7.0 Plugin Upload - ZIP File Code Execution
CVE-2025-7952   MEDIUM    6.3   TOTOLINK T6 4.1.5cu.748 - Command Injection
CVE-2025-53832  HIGH      7.5   Lara Translate MCP Server <0.0.11 - Command Injection
CVE-2025-7932   MEDIUM    6.3   D-Link DIR-817L <1.04B01 - Command Injection
CVE-2025-46122  CRITICAL  9.1   Ruckus Unleashed < 200.15.6.212.14 and 200.17.7.0.139 - Authenticated Remote Code Execution via Diagnostics API
CVE-2025-7883   HIGH      7.8   Eluktronics Control Center 5.23.51.41 - Command Injection
CVE-2025-7836   MEDIUM    6.3   D-Link DIR-816L <2.06B01 - Command Injection
CVE-2025-54073  HIGH      7.5   mcp-package-docs < 0.1.28 - Remote Code Execution via Unsanitized Input in child_process.exec