CWE-77

Exploit likelihood: High

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

3,567 vulnerabilities with CWE-77
CVE-2025-45489 CRITICAL
Linksys E5600 v1.1.0.26 - OS Command Injection via DynDNS Hostname Parameter
CVSS 9.8
CVE-2025-45488 CRITICAL
Linksys E5600 v1.1.0.26 - OS Command Injection via DynDNS mailex Parameter
CVSS 9.8
CVE-2025-45487 CRITICAL
Linksys E5600 v1.1.0.26 - OS Command Injection via runtime.InternetConnection
CVSS 9.8
CVE-2025-4357 MEDIUM
Tenda RX3 16.03.13.11_multi - OS Command Injection via /goform/telnet
CVSS 4.7
CVE-2025-4350 HIGH
D-Link DIR-600L < 2.07b01 - OS Command Injection via Wake-on-LAN Host Parameter
CVSS 8.8
CVE-2025-4349 HIGH
D-Link DIR-600L < 2.07b01 - Remote Command Injection via formSysCmd host Argument
CVSS 8.8
CVE-2025-4341 MEDIUM
D-Link DIR-880L < 104WWb01 - OS Command Injection via Request Header Handler
CVSS 6.3
CVE-2025-4340 MEDIUM
D-Link DIR-890L and DIR-806A1 < 1.08b03 - OS Command Injection via /htdocs/soap.cgi
CVSS 6.3
CVE-2025-43844 CRITICAL
Retrieval-based-Voice-Conversion-WebUI < 2.2.231006 - OS Command Injection via click_train Function
CVSS 9.8
CVE-2025-43843 CRITICAL
retrieval-based-voice-conversion-webui < 2.2.231006 - OS Command Injection via extract_f0_feature Function
CVSS 9.8
CVE-2025-43842 CRITICAL
retrieval-based-voice-conversion-webui < 2.2.231006 - OS Command Injection via preprocess_dataset Function
CVSS 9.8
CVE-2025-45042 CRITICAL
Tenda AC9 v15.03.05.14 - OS Command Injection via Telnet Function
CVSS 9.8
CVE-2025-25504 MEDIUM
Gefen WebFWC v1.85h v1.86v v1.70 - Unauthenticated Remote Code Execution via TCP Port 4444
CVSS 6.5
CVE-2025-45800 CRITICAL
TOTOLINK A950RG V4.1.2cu.5204_B20210112 - OS Command Injection via setDeviceName deviceMac Parameter
CVSS 9.8
CVE-2025-44877 CRITICAL
Tenda AC9 V15.03.06.42_multi - OS Command Injection via formSetSambaConf usbname Parameter
CVSS 9.8
CVE-2025-44872 CRITICAL
Tenda AC9 V15.03.06.42_multi - OS Command Injection via formsetUsbUnload deviceName Parameter
CVSS 9.8
CVE-2025-44868 CRITICAL
Wavlink WL-WN530H4 20220801 - OS Command Injection via pingIp Parameter
CVSS 9.8
CVE-2025-46625 HIGH
Tenda RX2 Pro 16.03.30.14 - Command Injection
CVSS 8.8
CVE-2025-44867 MEDIUM
Tenda W20E V15.11.0.6 - OS Command Injection via formSetNetCheckTools hostName Parameter
CVSS 6.3
CVE-2025-44866 MEDIUM
Tenda W20E V15.11.0.6 - OS Command Injection via formSetDebugCfg level Parameter
CVSS 6.3
CVE-2025-44865 MEDIUM
Tenda W20E V15.11.0.6 - OS Command Injection via formSetDebugCfg enable Parameter
CVSS 6.3
CVE-2025-44864 MEDIUM
Tenda W20E V15.11.0.6 - OS Command Injection via formSetDebugCfg Module Parameter
CVSS 6.3
CVE-2025-44863 MEDIUM
TOTOLINK CA300-POE V6.2c.884_B20180522 - OS Command Injection via msg_process Url Parameter
CVSS 6.5
CVE-2025-44862 MEDIUM
TOTOLINK CA300-POE V6.2c.884_B20180522 - OS Command Injection via recvUpgradeNewFw fwUrl Parameter
CVSS 6.3
CVE-2025-44861 MEDIUM
TOTOLINK CA300-POE V6.2c.884_B20180522 - OS Command Injection via CloudSrvUserdataVersionCheck URL Parameter
CVSS 6.3