CWE-78

Exploit likelihood: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,948 vulnerabilities with CWE-78
CVE-2026-33277 HIGH
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) LogonTracer prior to v2.0.0 - Command Injection
CVSS 8.8
CVE-2026-7064 HIGH
AgentDeskAI browser-tools-mcp browser-connector.ts os command injection
CVSS 7.3
CVE-2026-7062 HIGH
Intina47 context-sync Git Integration git-integration.ts os command injection
CVSS 7.3
CVE-2026-7061 HIGH
Toowiredd chatgpt-mcp-server MCP/HTTP docker.service.ts os command injection
CVSS 7.3
CVE-2026-7037 CRITICAL
Totolink A8000RU CGI cstecgi.cgi setVpnPassCfg os command injection
CVSS 9.8
CVE-2026-6992 HIGH
Linksys MR9600 JNAP Action run_central2.sh BTRequestGetSmartConnectStatus os command injection
CVSS 7.2
CVE-2026-41421 HIGH
SiYuan Desktop Notification XSS Leads to Electron RCE
CVSS 8.8
CVE-2026-41411 MEDIUM
Vim < 9.2.0357 - OS Command Injection via Tag File Processing
CVSS 6.6
CVE-2026-33208 HIGH
Roxy-WI Vulnerable to Authenticated Remote Code Execution via OS Command Injection in find-in-config Endpoint
CVSS 8.8
CVE-2026-6942 CRITICAL
radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass
CVSS 9.8
CVE-2026-41247 CRITICAL
elFinder: Command injection in resize background color parameter when using ImageMagick CLI
CVSS 9.8
CVE-2026-31181 CRITICAL
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
CVSS 9.8
CVE-2026-31178 CRITICAL
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
CVSS 9.8
CVE-2026-31177 CRITICAL
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
CVSS 9.8
CVE-2026-41208 HIGH
Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution
CVSS 8.8
CVE-2026-5935 HIGH
IBM TSSC/TS4500 IMC 9.2 to 9.6 - OS Command Injection
CVSS 7.3
CVE-2026-41179 CRITICAL
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
CVSS 9.8
CVE-2026-40517 HIGH
radare2 < 6.1.4 Command Injection via PDB Parser Symbol Names
CVSS 7.8
CVE-2026-41064 CRITICAL
AVideo <=29.0 test.php URL Handling - Command Injection
CVSS 9.3
CVE-2026-40933 CRITICAL
Flowise: Authenticated RCE Via MCP Adapters
CVSS 9.9
CVE-2026-21571 CRITICAL
Atlassian Bamboo Data Center < 12.1.0 to 12.1.3 - Remote Code Execution
CVE-2026-31019 HIGH
Dolibarr ERP & CRM <=22.0.4 - Authenticated RCE
CVSS 8.8
CVE-2026-40520 HIGH
FreePBX api module Command Injection via GraphQL
CVSS 7.2
CVE-2026-41036 HIGH
Command Injection Vulnerability in Quantum Networks Router QN-I-470
CVSS 8.8
CVE-2026-5965 CRITICAL
NewSoft|NewSoftOA - OS Command Injection
CVSS 9.8