CWE-78

Exploit likelihood: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,964 vulnerabilities with CWE-78
CVE-2026-30861 CRITICAL
WeKnora 0.2.5-0.2.9 - Unauthenticated Remote Code Execution via MCP stdio Configuration Validation Bypass
CVSS 9.9
CVE-2026-25070 CRITICAL
XikeStor SKS8310-8X <1.04.B07 - Command Injection
CVSS 9.8
CVE-2026-29783 HIGH
GitHub Copilot CLI <=0.0.422 - Code Injection
CVSS 7.8
CVE-2026-29058 CRITICAL
AVideo < 7.0 - Unauthenticated OS Command Injection via base64Url GET Parameter
CVSS 9.8
CVE-2026-28507 HIGH
Idno <1.6.4 - Remote Code Execution
CVSS 7.2
CVE-2026-28470 CRITICAL
OpenClaw <2026.2.2 - Command Injection
CVSS 9.8
CVE-2026-28463 HIGH
OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Exec-Approval Allowlist
CVSS 8.4
CVE-2026-28391 CRITICAL
OpenClaw <2026.2.2 - Command Injection
CVSS 9.8
CVE-2026-28287 HIGH
FreePBX 16.0.17.2-16.0.19 & 17.0.2.4-17.0.4 - Command Injection
CVSS 8.8
CVE-2026-28209 HIGH
FreePBX 16.0.17.2-16.0.19 & 17.0.2.4-17.0.4 - Command Injection
CVSS 7.2
CVE-2026-20008 MEDIUM
Cisco ASA 9.12.1-9.16.4.85 & FTD 6.4.0-7.0.9 Authenticated OS Command Injection via Lua CLI
CVSS 6.0
CVE-2026-26478 CRITICAL
Mobvoi Tichome Mini - Command Injection
CVSS 9.8
CVE-2026-27441 CRITICAL
SEPPmail Secure Email Gateway <15.0.1 - Command Injection
CVSS 9.8
CVE-2026-28774 HIGH
IDC SFX Series SuperFlex 101 - Command Injection
CVSS 8.8
CVE-2026-28773 HIGH
IDC SFX Series 101 - Command Injection
CVSS 8.8
CVE-2026-26279 CRITICAL
froxlor < 2.3.4 - Authenticated Remote Code Execution via Email Validation Bypass
CVSS 9.1
CVE-2026-3485 CRITICAL
D-Link DIR-868L 110b03 - Command Injection
CVSS 9.8
CVE-2026-0654 HIGH
TP-Link Deco BE25 v1.0-1.1.1 - Command Injection
CVSS 8.0
CVE-2026-24101 CRITICAL
Tenda AC15V1.0 V15.03.05.18 - Command Injection
CVSS 9.8
CVE-2026-28517 CRITICAL
openDCIM < 23.04 - OS Command Injection via fac_Config.dot Parameter
CVSS 9.8
CVE-2026-28417 MEDIUM
Vim < 9.2.0073 - OS Command Injection via netrw Plugin SCP URL Handler
CVSS 4.4
CVE-2026-28409 CRITICAL
WeGIA < 3.6.5 - Authenticated Remote Code Execution via Database Restore Filename
CVSS 10.0
CVE-2026-21654 CRITICAL
Johnson Controls Frick Controls Quantum HD <=10.22 - Command Injection
CVSS 9.8
CVE-2026-0980 HIGH
rubyipmi < 0.13.0 - Authenticated Remote Code Execution via BMC Username Injection
CVSS 8.3
CVE-2026-3301 CRITICAL
Totolink N300RH 6.1c.1353_B20190305 - Command Injection
CVSS 9.8