CWE-78
High likelihood
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
5,958 vulnerabilities with CWE-78
CVE-2026-30815
HIGH
OS Command Injection Vulnerability in OpenVPN Module in TP-Link AX53
CVSS 8.0
CVE-2026-27806
HIGH
Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
CVSS 7.8
CVE-2026-5208
HIGH
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coolercontrold
CVSS 8.2
CVE-2026-5741
HIGH
suvarchal docker-mcp-server HTTP index.ts pull_image os command injection
CVSS 7.3
CVE-2026-39382
CRITICAL
dbt Reusable Workflow comment-body - Command Injection
CVE-2026-4631
CRITICAL
Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection
CVSS 9.8
CVE-2026-35585
HIGH
File Browser 2.0.0-2.63.1 Hook Runner - Command Injection
CVSS 7.2
CVE-2026-35581
HIGH
Emissary <8.39.0 Executrix PLACE_NAME - Command Injection
CVSS 7.2
CVE-2026-35521
HIGH
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
CVSS 8.8
CVE-2026-35520
HIGH
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection
CVSS 8.8
CVE-2026-35519
HIGH
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection
CVSS 8.8
CVE-2026-35518
HIGH
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection
CVSS 8.8
CVE-2026-35517
HIGH
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection
CVSS 8.8
CVE-2026-35463
HIGH
pyLoad has Improper Neutralization of Special Elements used in an OS Command
CVSS 8.8
CVE-2026-5692
HIGH
Totolink A7100RU cstecgi.cgi setGameSpeedCfg os command injection
CVSS 7.3
CVE-2026-5691
HIGH
Totolink A7100RU cstecgi.cgi setFirewallType os command injection
CVSS 7.3
CVE-2026-5690
HIGH
Totolink A7100RU cstecgi.cgi setRemoteCfg os command injection
CVSS 7.3
CVE-2026-5689
HIGH
Totolink A7100RU cstecgi.cgi setNtpCfg os command injection
CVSS 7.3
CVE-2026-5688
HIGH
Totolink A7100RU cstecgi.cgi setDdnsCfg os command injection
CVSS 7.3
CVE-2026-5709
HIGH
AWS Research and Engineering Studio (RES) FileBrowser Command Injection
CVSS 8.8
CVE-2026-5707
HIGH
Command Injection via Virtual Desktop Session Name in AWS Research and Engineering Studio (RES)
CVSS 8.8
CVE-2026-5679
MEDIUM
Totolink A3300R cstecgi.cgi vsetTr069Cfg os command injection
CVSS 5.5
CVE-2026-5678
HIGH
Totolink A7100RU cstecgi.cgi setScheduleCfg os command injection
CVSS 7.3
CVE-2026-5677
HIGH
Totolink A7100RU cstecgi.cgi CsteSystem os command injection
CVSS 7.3
CVE-2026-35043
HIGH
BentoML: command injection in cloud deployment setup script (deployment.py)
CVSS 7.8