CWE-78
High likelihood
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
5,666 vulnerabilities with CWE-78
CVE-2026-41247
CRITICAL
elFinder: Command injection in resize background color parameter when using ImageMagick CLI
CVSS 9.8
CVE-2026-31181
CRITICAL
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
CVSS 9.8
CVE-2026-31178
CRITICAL
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
CVSS 9.8
CVE-2026-31177
CRITICAL
ToToLink A3300R v17.0.0cu.557_B20221024 - Command Injection
CVSS 9.8
CVE-2026-41208
HIGH
Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution
CVSS 8.8
CVE-2026-5935
HIGH
TSSC/IMC is vulnerable to OS Command Injection
CVSS 7.3
CVE-2026-41179
CRITICAL
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
CVSS 9.8
CVE-2026-40517
HIGH
radare2 < 6.1.4 Command Injection via PDB Parser Symbol Names
CVSS 7.8
CVE-2026-41064
CRITICAL
AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)
CVSS 9.3
CVE-2026-4821
HIGH
Proxy configuration command injection vulnerability found in GitHub Enterprise Server Management Console configuration API
CVSS 7.2
CVE-2026-40933
CRITICAL
Flowise: Authenticated RCE Via MCP Adapters
CVSS 9.9
CVE-2026-21571
CRITICAL
Atlassian Bamboo Data Center < 12.1.0 to 12.1.3 - Remote Code Execution
CVE-2026-31019
HIGH
Dolibarr ERP & CRM <=22.0.4 - Authenticated RCE
CVSS 8.8
CVE-2026-40520
HIGH
FreePBX api module Command Injection via GraphQL
CVSS 7.2
CVE-2026-41036
HIGH
Command Injection Vulnerability in Quantum Networks Router QN-I-470
CVE-2026-5965
CRITICAL
NewSoft|NewSoftOA - OS Command Injection
CVSS 9.8
CVE-2026-32311
CRITICAL
Command Injection and Docker container escape allows root on host machine
CVSS 9.8
CVE-2026-26943
HIGH
Dell PowerProtect Data Domain - Command Injection
CVSS 7.2
CVE-2026-26942
MEDIUM
Dell PowerProtect Data Domain - Command Injection
CVSS 6.7
CVE-2026-24506
HIGH
Dell PowerProtect Data Domain - Command Injection
CVSS 7.2
CVE-2026-22761
MEDIUM
Dell PowerProtect Data Domain - Command Injection
CVSS 6.7
CVE-2026-23774
HIGH
Dell PowerProtect Data Domain < 8.6.0.0 or later - Command Injection
CVSS 7.2
CVE-2026-5967
HIGH
TeamT5|ThreatSonar Anti-Ransomware - Privilege Escalation
CVSS 8.8
CVE-2026-6644
CRITICAL
A command injection vulnerability was found in the PPTP VPN Clients on the ADM
CVSS 9.1
CVE-2026-35582
HIGH
Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix
CVSS 8.8
Details
Vulnerabilities: 5,666
Exploit Likelihood: High