CWE-78

Exploit likelihood: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,964 vulnerabilities with CWE-78
CVE-2026-2175 HIGH
D-Link DIR-823X 250416 - OS Command Injection via upnp_enable Parameter
CVSS 7.2
CVE-2026-2167 MEDIUM
Totolink WA300 5.2cu.7112_B20190227 - OS Command Injection via Ipaddr Parameter in setAPNetwork Function
CVSS 6.3
CVE-2026-2157 HIGH
D-Link DIR-823X 250416 - OS Command Injection via set_static_route_table Interface Parameter
CVSS 7.2
CVE-2026-2155 HIGH
D-Link DIR-823X 250416 - OS Command Injection via DMZ Configuration Handler
CVSS 7.2
CVE-2026-2152 HIGH
D-Link DIR-615 4.10 - OS Command Injection via adv_routing.php dest_ip/submask/gw Parameters
CVSS 7.2
CVE-2026-2151 HIGH
D-Link DIR-615 4.10 - OS Command Injection via DMZ Host Feature dmz_ipaddr Argument
CVSS 7.2
CVE-2026-2143 HIGH
D-Link DIR-823X 250416 - OS Command Injection via DDNS Service
CVSS 7.2
CVE-2026-2142 HIGH
D-Link DIR-823X 250416 - OS Command Injection via set_qos Function
CVSS 7.2
CVE-2026-2131 MEDIUM
XixianLiang HarmonyOS-mcp-server <0.1.0 - Command Injection
CVSS 6.3
CVE-2026-2129 HIGH
D-Link DIR-823X 250416 - OS Command Injection via ac_ipaddr/ac_ipstatus/ap_randtime Parameters
CVSS 7.2
CVE-2026-2120 HIGH
D-Link DIR-823X 250416 - OS Command Injection via Configuration Parameter Handler
CVSS 7.2
CVE-2026-25857 HIGH
Tenda G300-F <16.01.14.2 - Command Injection
CVSS 8.8
CVE-2026-2084 HIGH
D-Link DIR-823X - Command Injection
CVSS 7.2
CVE-2026-2082 MEDIUM
D-Link DIR-823X - Command Injection
CVSS 4.7
CVE-2026-2081 MEDIUM
D-Link DIR-823X - Command Injection
CVSS 4.7
CVE-2026-25763 CRITICAL
OpenProject < 16.6.7 - Authenticated Arbitrary File Write and Remote Code Execution via Git Log Rev Parameter
CVSS 9.9
CVE-2026-1731 CRITICAL KEV
BeyondTrust Privileged Remote Access < 25.1 and Remote Support < 25.3.2 - Unauthenticated Remote Code Execution
CVSS 9.8
CVE-2026-25593 HIGH
OpenClaw < 2026.1.20 - Unauthenticated OS Command Injection via Gateway WebSocket API
CVSS 8.4
CVE-2026-25643 CRITICAL
Frigate < 0.16.4 - Remote Command Execution via go2rtc exec Directive
CVSS 9.1
CVE-2026-2063 MEDIUM
D-Link DIR-823X 250416 - Command Injection
CVSS 4.7
CVE-2026-2061 MEDIUM
D-Link DIR-823X - Command Injection
CVSS 4.7
CVE-2026-25723 MEDIUM
Claude Code < 2.0.55 - Authenticated Arbitrary File Write via Piped Sed Command Bypass
CVSS 6.5
CVE-2026-25722 CRITICAL
Claude Code < 2.0.57 - Unauthenticated Path Traversal and Arbitrary File Write via Directory Change Command
CVSS 9.1
CVE-2026-25546 HIGH
godot-mcp < 0.1.1 - Remote Code Execution via Project Path Shell Metacharacter Injection
CVSS 7.8
CVE-2026-25512 HIGH
Group-Office < 6.8.150 - Authenticated Remote Code Execution via tmp_file Parameter
CVSS 8.8