CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
High likelihood
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
5,959 vulnerabilities with CWE-78
CVE-2026-22901
CRITICAL
QuNetSwitch < 2.0.5.0906 - Authenticated OS Command Injection
CVSS 9.8
CVE-2026-22897
CRITICAL
QuNetSwitch < 2.0.4.0415 - OS Command Injection
CVSS 9.8
CVE-2026-32950
HIGH
SQLBot: RCE via SQL Injection in Excel Upload Endpoint
CVE-2026-4465
MEDIUM
D-Link DIR-513 formSysCmd os command injection
CVSS 6.3
CVE-2026-32034
HIGH
OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP
CVSS 8.1
CVE-2026-32010
MEDIUM
OpenClaw < 2026.2.22 - Allowlist Bypass via sort --compress-program Parameter
CVSS 6.3
CVE-2026-32003
MEDIUM
OpenClaw < 2026.2.22 - Remote Code Execution via SHELLOPTS/PS4 Environment Injection in system.run
CVSS 6.6
CVE-2026-32191
CRITICAL
Microsoft Bing Images Remote Code Execution Vulnerability
CVSS 9.8
CVE-2026-32238
CRITICAL
OpenEMR has Remote Code Execution in backup functionality
CVSS 9.1
CVE-2026-32000
HIGH
OpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution
CVSS 7.1
CVE-2026-31999
MEDIUM
OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback
CVSS 6.3
CVE-2026-31996
MEDIUM
OpenClaw < 2026.2.19 - safeBins stdin-only bypass via sort output and recursive grep flags
CVSS 4.4
CVE-2026-31995
MEDIUM
OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension
CVSS 5.3
CVE-2026-31994
HIGH
OpenClaw < 2026.2.19 - Local Command Injection via Unsafe cmd Argument Handling in Windows Scheduled Task Script Generation
CVSS 7.1
CVE-2026-29607
MEDIUM
OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence
CVSS 6.8
CVE-2026-28460
HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run
CVSS 7.1
CVE-2026-27566
HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run
CVSS 7.1
CVE-2026-22176
MEDIUM
OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation
CVSS 6.1
CVE-2026-30703
CRITICAL
WiFi Extender WDR201A HW V2.1 FW LFMZX28040922V1.02 - Command Injection
CVSS 9.8
CVE-2026-32608
HIGH
Glances <4.5.2 Action Templates - Command Injection
CVSS 7.0
CVE-2026-22179
HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run
CVSS 7.2
CVE-2026-22169
MEDIUM
OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins
CVSS 6.7
CVE-2026-28673
HIGH
xiaoheiFS Vulnerable to RCE via Unrestricted Plugin Installation (Manifest Manipulation)
CVSS 7.2
CVE-2026-27811
HIGH
Roxy-WI <8.2.6.3 Config Compare - Authenticated Command Injection
CVSS 8.8
CVE-2026-32298
CRITICAL
Angeet ES3 KVM OS command injection
CVSS 9.1
Details
Vulnerabilities: 5,959
Exploit Likelihood: High