CWE-78

Exploit likelihood: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,958 vulnerabilities with CWE-78
CVE-2026-33030 HIGH
Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys
CVSS 8.8
CVE-2026-5101 MEDIUM
Totolink A3300R Parameter cstecgi.cgi setLanCfg command injection
CVSS 6.3
CVE-2026-4946 HIGH
NSA Ghidra Auto-Analysis Annotation Command Execution
CVSS 8.8
CVE-2026-34005 HIGH
Xiongmai DVR/NVR devices 4.03.R11 - Authenticated OS Command Injection via HostName Parameter
CVSS 8.8
CVE-2026-5023 MEDIUM
DeDeveloper23 codebase-mcp RepoMix codebase.ts saveCodebase os command injection
CVSS 5.3
CVE-2026-5012 HIGH
elecV2 elecV2P rpc pm2run os command injection
CVSS 7.3
CVE-2026-5007 MEDIUM
kazuph mcp-docs-rag add_git_repository/add_text_file index.ts cloneRepository os command injection
CVSS 5.3
CVE-2026-33874 HIGH
Authenticator vulnerable to Remote Code Execution
CVSS 7.8
CVE-2026-33765 CRITICAL
Pi-hole Web <6.0 savesettings.php - Command Injection
CVSS 9.8
CVE-2026-34387 CRITICAL
Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts
CVSS 9.8
CVE-2026-30302 CRITICAL
CodeRider-Kilo - Command Injection via Auto-Approval Module
CVSS 10.0
CVE-2026-30303 CRITICAL
Axon Code - Command Injection via Auto-Approval Module
CVSS 9.8
CVE-2026-4622 CRITICAL
Aterm Series - OS Command Injection via Network
CVSS 9.8
CVE-2026-4620 CRITICAL
NEC Aterm WX1500HP and WX3600HP - OS Command Injection
CVSS 9.8
CVE-2026-27650 CRITICAL
BUFFALO Wi-Fi router products - OS Command Injection
CVSS 9.8
CVE-2026-33718 HIGH
OpenHands is Vulnerable to Command Injection through its Git Diff Handler
CVSS 7.6
CVE-2026-33623 MEDIUM
PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution
CVSS 6.7
CVE-2026-26213 CRITICAL
thingino-firmware api.cgi Unauthenticated Command Injection in Captive Portal
CVSS 9.8
CVE-2026-33396 CRITICAL
OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe
CVSS 9.9
CVE-2026-1961 HIGH
Foreman: foreman: remote code execution via command injection in websocket proxy
CVSS 8.0
CVE-2026-4840 HIGH
Netcore Power 15AX Diagnostic Tool netis.cgi setTools os command injection
CVSS 8.8
CVE-2026-27602 HIGH
Modoboa <2.7.1 Domain Names - Authenticated OS Command Injection
CVSS 7.2
CVE-2026-26833 CRITICAL
thumbler <=1.1.2 - Command Injection
CVSS 9.8
CVE-2026-26832 CRITICAL
node-tesseract-ocr through 2.2.1 - Command Injection
CVSS 9.8
CVE-2026-26831 CRITICAL
textract through 2.5.0 - Command Injection
CVSS 9.8