CWE-78

Exploit likelihood: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,958 vulnerabilities with CWE-78
CVE-2026-34977 CRITICAL
Aperi'Solve Affected by Unauthenticated RCE via JPSeek Analyzer Command
CVSS 9.8
CVE-2026-34982 HIGH
Vim modeline bypass via various options affects Vim < 9.2.0276
CVSS 8.2
CVE-2026-34940 HIGH
KubeAI <0.23.2 Ollama Model URL - OS Command Injection
CVSS 8.7
CVE-2026-5663 HIGH
OFFIS DCMTK storescp storescp.cc executeOnEndOfStudy os command injection
CVSS 7.3
CVE-2026-31067 MEDIUM
UTT Aggressive 520W Firmware - formReleaseConnect OS Command Injection
CVSS 6.8
CVE-2026-5621 MEDIUM
ChrisChinchilla Vale-MCP HTTP index.ts os command injection
CVSS 5.3
CVE-2026-5619 MEDIUM
Braffolk mcp-summarization-functions summarize_command mcp-server.ts os command injection
CVSS 5.3
CVE-2026-5603 MEDIUM
elgentos magento2-dev-mcp index.ts executeMagerun2Command os command injection
CVSS 5.3
CVE-2026-5602 MEDIUM
Nor2-io heim-mcp new_heim_application tools.ts registerTools os command injection
CVSS 5.3
CVE-2026-5547 MEDIUM
Tenda AC10 httpd formAddMacfilterRule os command injection
CVSS 6.3
CVE-2026-5532 MEDIUM
ScrapeGraphAI scrapegraph-ai GenerateCodeNode generate_code_node.py create_sandbox_and_execute os command injection
CVSS 6.3
CVE-2026-5528 MEDIUM
MoussaabBadla code-screenshot-mcp HTTP os command injection
CVSS 6.3
CVE-2026-34955 HIGH
PraisonAI: Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
CVSS 8.8
CVE-2026-34779 MEDIUM
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
CVSS 6.5
CVE-2026-34937 HIGH
PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution
CVSS 7.8
CVE-2026-34935 CRITICAL
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
CVSS 9.8
CVE-2026-28797 HIGH
RAGFlow: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Agent "Text Processing" Component
CVSS 8.8
CVE-2026-5485 HIGH
OS command injection in Amazon Athena ODBC driver on Linux
CVSS 7.8
CVE-2026-35216 CRITICAL
Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
CVSS 9.0
CVE-2026-25044 HIGH
Budibase: Command Injection in Bash Automation Step
CVSS 8.8
CVE-2026-5355 MEDIUM
Trendnet TEW-657BRM setup.cgi vpn_drop os command injection
CVSS 6.3
CVE-2026-5354 MEDIUM
Trendnet TEW-657BRM setup.cgi vpn_connect os command injection
CVSS 6.3
CVE-2026-5353 MEDIUM
Trendnet TEW-657BRM setup.cgi ping_test os command injection
CVSS 6.3
CVE-2026-5352 MEDIUM
Trendnet TEW-657BRM setup.cgi edit os command injection
CVSS 6.3
CVE-2026-5351 MEDIUM
Trendnet TEW-657BRM setup.cgi add_wps_client os command injection
CVSS 6.3