CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,958 vulnerabilities with CWE-78
CVE-2026-33412 (MEDIUM, CVSS 5.6): Vim affected by Command injection via newline in glob()
CVE-2026-32948 (HIGH, CVSS 7.8): sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows
CVE-2026-23920 (HIGH): Zabbix 7.x Script Validation - Authenticated Command Injection
CVE-2026-33310 (HIGH, CVSS 8.8): Intake <2.0.9 Parameter Defaults - Command Injection
CVE-2026-33475 (CRITICAL, CVSS 9.1): Langflow GitHub Actions Shell Injection
CVE-2026-4627 (HIGH, CVSS 7.2): D-Link DIR-825/DIR-825R NTP Service libdeuteron_modules.so handler_update_system_time os command injection
CVE-2026-33046 (HIGH, CVSS 8.8): Indico < 3.3.12 - Remote Code Execution via LaTeX Sanitizer Bypass
CVE-2026-4611 (HIGH, CVSS 7.2): TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826 - Command Injection
CVE-2026-23882 (HIGH, CVSS 7.2): Blinko: Admin RCE - MCP Server Command Injection
CVE-2026-33648 (HIGH, CVSS 8.8): WWBN AVideo <=26.0 - Command Injection
CVE-2026-4591 (MEDIUM, CVSS 4.7): kalcaddle kodbox fileThumb Endpoint app.php checkBin os command injection
CVE-2026-33482 (HIGH, CVSS 8.1): AVideo <=26.0 sanitizeFFmpegCommand - OS Command Injection
CVE-2026-33478 (CRITICAL, CVSS 10.0): AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
CVE-2026-4585 (CRITICAL, CVSS 9.8): Tiandy Easy7 Integrated Management Platform Configuration ImportSystemConfiguration.jsp os command injection
CVE-2026-32968 (CRITICAL, CVSS 9.8): mbCONNECT24 < 2.19.3 - Unauthenticated RCE in com_mb24sysapi
CVE-2026-4558 (HIGH, CVSS 8.8): Linksys MR9600 SmartConnect.lua smartConnectConfigure os command injection
CVE-2026-4554 (MEDIUM, CVSS 6.3): Tenda F453 WriteFacMac FormWriteFacMac privilege escalation
CVE-2026-33319 (MEDIUM, CVSS 5.9): AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
CVE-2026-32056 (HIGH, CVSS 7.5): OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run
CVE-2026-33154 (HIGH, CVSS 7.5): dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver
CVE-2026-4499 (HIGH, CVSS 7.3): D-Link DIR-820LW SSDP ssdpcgi_main os command injection
CVE-2026-4497 (HIGH, CVSS 7.3): Totolink WA300 cstecgi.cgi recvUpgradeNewFw os command injection
CVE-2026-4496 (MEDIUM, CVSS 5.3): sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection
CVE-2026-22902 (MEDIUM, CVSS 6.7): QuNetSwitch < 2.0.5.0906 - Local Admin OS Command Injection
CVE-2026-22901 (CRITICAL, CVSS 9.8): QuNetSwitch < 2.0.5.0906 - Authenticated OS Command Injection