CWE-78

Exploit likelihood: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,944 vulnerabilities with CWE-78
CVE-2026-45558 CRITICAL
Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field config injection in section save
CVSS 9.9
CVE-2026-45556 CRITICAL
Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream RCE) via WAF rule save `config_file_name`
CVSS 9.9
CVE-2026-24719 HIGH
QNAP Systems - QTS, QuTS Hero
CVSS 7.2
CVE-2026-22893 HIGH
QNAP Systems - QTS, QuTS Hero
CVSS 7.2
CVE-2026-49959 HIGH
Hermes WebUI < 0.51.311 RCE via Git Configuration Injection
CVSS 8.8
CVE-2026-38615 CRITICAL
DedeCMS V5.7.118 - OS Command Injection in file_manage_control.php
CVSS 9.8
CVE-2026-25089 CRITICAL
Fortinet FortiSandbox - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 9.8
CVE-2026-10727 HIGH
Ivanti Endpoint Manager Mobile - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 7.2
CVE-2026-10520 CRITICAL KEV
Ivanti Sentry - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 10.0
CVE-2026-9279 HIGH
Shell command injection in Logseq
CVE-2026-46746 HIGH
Siemens Sinec Ins < V1.0 SP2 Update 6 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 8.8
CVE-2026-11572 HIGH
Degit - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 8.8
CVE-2026-40519 HIGH
Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()
CVSS 7.5
CVE-2026-10544 MEDIUM
Devolutions Server - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 6.5
CVE-2026-8913 HIGH
Command Injection in TP-Link's Archer MR600 WireGuard Client Configuration
CVE-2026-11556 HIGH
Tenda F451 Web Management WriteFacMac formWriteFacMac os command injection
CVSS 8.8
CVE-2026-25855 HIGH
OpenBullet2 0.3.2 Authenticated RCE via FileProxySource Script Upload
CVSS 8.8
CVE-2026-11408 MEDIUM
vertex-app vertex Log Viewer Endpoint LogMod.js os command injection
CVSS 6.3
CVE-2026-45777 CRITICAL
Open XDMoD Vulnerable to Unauthenticated Remote Code Execution (RCE) via OS Command Injection
CVSS 9.8
CVE-2026-25623 MEDIUM
Arista Edge Threat Management NGFW UI Arbitrary Command Execution
CVSS 6.0
CVE-2026-25622 MEDIUM
Arista Edge Threat Management NGFW Captive Portal Custom Handler Command Injection
CVSS 6.0
CVE-2026-25621 MEDIUM
Arista Edge Threat Management NGFW Reports Application Insecure Input Validation
CVSS 6.0
CVE-2026-25620 MEDIUM
Arista Edge Threat Management NGFW Captive Portal Encrypted Password Command Injection
CVSS 6.0
CVE-2026-46399 CRITICAL
haxtheweb haxcms-nodejs - Authenticated Remote Code Execution via File Overwrite
CVE-2026-46394 HIGH
Haxtheweb Haxcms-php < 26.0.0 - Remote Code Execution