CWE-77

Exploit likelihood: High

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

3,567 vulnerabilities with CWE-77
CVE-2025-7192 MEDIUM
D-Link DIR-645 Firmware < 1.05b01 - Remote Command Injection via ssdpcgi_main
CVSS 6.3
CVE-2025-53355 HIGH
MCP Server Kubernetes <2.5.0 - Command Injection
CVSS 7.5
CVE-2025-37102 HIGH
HPE Networking Instant On Access Points - Command Injection
CVSS 7.2
CVE-2025-53372 HIGH
node-code-sandbox-mcp <1.3.0 - Command Injection
CVSS 7.5
CVE-2025-7154 MEDIUM
TOTOLINK N200RE 9.3.5u.6095_B20200916/9.3.5u.6139_B20201216 - OS Command Injection via Hostname Parameter
CVSS 6.3
CVE-2025-7097 HIGH
Comodo Internet Security Premium 12.3.4.8162 - OS Command Injection via cis_update_x64.xml Manifest File Handler
CVSS 8.1
CVE-2025-7083 MEDIUM
Belkin F9K1122 1.00.33 - OS Command Injection via mp Function
CVSS 6.3
CVE-2025-7082 MEDIUM
Belkin F9K1122 1.00.33 - OS Command Injection via wan_ipaddr/wan_netmask/wan_gateway/wl_ssid Parameters
CVSS 6.3
CVE-2025-7081 MEDIUM
Belkin F9K1122 1.00.33 - OS Command Injection via formSetWanStatic Parameters
CVSS 6.3
CVE-2025-24333 MEDIUM
Nokia Single RAN <24R1-SR 1.0 MP - Command Injection
CVSS 6.4
CVE-2025-53104 CRITICAL
gluestack-ui <e6b4271 - Command Injection
CVSS 9.1
CVE-2025-53107 HIGH
git-mcp-server < 2.1.5 - Remote Code Execution via Shell Metacharacter Injection
CVSS 7.5
CVE-2025-52995 HIGH
filebrowser < 2.33.10 - Command Injection via Allowlist Bypass
CVSS 8.0
CVE-2025-45931 CRITICAL
D-Link DIR-816 A2 Firmware 1.10CNB05_R1B011D88210 - Remote Code Execution via system() Function in bin/goahead
CVSS 9.8
CVE-2025-6899 MEDIUM
D-Link DI-7300G+ and DI-8200G 17.12.20A1/19.12.25A1 - OS Command Injection via msp_info.htm flag/cmd/iface Parameter
CVSS 6.3
CVE-2025-6898 MEDIUM
D-Link DI-7300G+ 19.12.25A1 - OS Command Injection via proxy_client.asp
CVSS 6.3
CVE-2025-6897 MEDIUM
D-Link DI-7300G+ 19.12.25A1 - OS Command Injection via Time Parameter in httpd_debug.asp
CVSS 5.5
CVE-2025-6896 MEDIUM
D-Link DI-7300G+ 19.12.25A1 - OS Command Injection via wget_test.asp URL Parameter
CVSS 6.3
CVE-2025-53098 HIGH
roo_code < 3.20.3 - Authenticated Remote Code Execution via MCP Configuration File Injection
CVSS 8.1
CVE-2025-6775 MEDIUM
xiaoyunjie openvpn-cms-flask < 1.2.8 - OS Command Injection via User Creation Endpoint Username Parameter
CVSS 6.3
CVE-2025-6522 MEDIUM
Sight Bulb Pro Firmware ZJ_CG32-2201 <8.57.83 - Unauthenticated OS Command Injection via TCP Port 16668
CVSS 5.4
CVE-2025-5306 CRITICAL
Pandora FMS 774-778 - OS Command Injection via Netflow Directory Field
CVSS 9.8
CVE-2025-52904 HIGH
filebrowser 2.32.0 - Command Execution Scope Bypass via Execute Commands Feature
CVSS 8.0
CVE-2025-52903 HIGH
Filebrowser < 2.33.10 - Command Injection
CVSS 8.0
CVE-2025-6621 MEDIUM
TOTOLINK CA300-PoE 6.2c.884 - OS Command Injection via QuickSetting hour/minute Parameter
CVSS 6.3