CWE-78
High likelihood
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
5,964 vulnerabilities with CWE-78
CVE-2026-25157
HIGH
OpenClaw < 2026.1.29 - OS Command Injection via Project Root Path in sshNodeCommand
CVSS 7.7
CVE-2026-25143
HIGH
melange 0.10.0-0.40.2 - OS Command Injection via Patch Pipeline Input Embedding
CVSS 7.8
CVE-2026-24844
HIGH
melange 0.3.0-0.40.3 - OS Command Injection via Unsanitized Pipeline Substitution
CVSS 7.9
CVE-2026-21893
HIGH
NPM N8n < 1.120.3 - OS Command Injection
CVSS 7.2
CVE-2026-25053
CRITICAL
n8n < 1.123.10 and 2.0.0-2.5.0 - Authenticated OS Command Injection and Arbitrary File Read via Git Node
CVSS 9.9
CVE-2026-24887
HIGH
Claude Code < 2.0.72 - Command Injection via Find Command Bypass
CVSS 8.8
CVE-2026-22550
HIGH
WRC-X1500GS-B/WRC-X1500GSA-B - Command Injection
CVSS 8.8
CVE-2026-0383
HIGH
Brocade Fabric OS < 9.2.1c2 - Authenticated Information Disclosure via Insecure File Storage
CVSS 7.8
CVE-2026-24763
HIGH
OpenClaw < 2026.1.29 - Authenticated OS Command Injection via PATH Environment Variable
CVSS 8.8
CVE-2026-23515
CRITICAL
Signal K Server <1.5.0 - Command Injection
CVSS 9.9
CVE-2026-22229
HIGH
TP-Link Archer BE230 v1.2 < 1.2.4 - Authenticated OS Command Injection via VPN Client Configuration Import
CVSS 7.2
CVE-2026-22227
HIGH
TP-Link Archer BE230 < 1.2.4 - Authenticated OS Command Injection via Configuration Backup Restoration
CVSS 7.2
CVE-2026-22226
HIGH
TP-Link Archer BE230 < 1.2.4 - Authenticated OS Command Injection in VPN Server Configuration
CVSS 7.2
CVE-2026-22225
HIGH
TP-Link Archer BE230 v1.2 < 1.2.4 and AXE75 v1.0 < 1.5.3 - Authenticated OS Command Injection in VPN Connection Service
CVSS 7.2
CVE-2026-22224
HIGH
TP-Link Archer BE230 v1.2 < 1.2.4 - Authenticated OS Command Injection via Cloud Communication Interface
CVSS 7.2
CVE-2026-22223
HIGH
TP-Link Archer BE230 v1.2 < 1.2.4 - Authenticated OS Command Injection
CVSS 8.0
CVE-2026-22222
HIGH
TP-Link Archer BE230 < 1.2.4 - Authenticated OS Command Injection
CVSS 8.0
CVE-2026-22221
HIGH
TP-Link Archer BE230 v1.2 < 1.2.4 - Authenticated OS Command Injection in VPN Modules
CVSS 8.0
CVE-2026-0631
HIGH
TP-Link Archer BE230 v1.2 < 1.2.4 - Authenticated OS Command Injection in VPN Modules
CVSS 8.0
CVE-2026-0630
HIGH
TP-Link Archer BE230 v1.2 < 1.2.4 and AXE75 v1.0 < 1.5.3 - Authenticated OS Command Injection
CVSS 8.0
CVE-2026-24788
HIGH
RaspAP raspap-webgui < 3.3.6 - Authenticated OS Command Injection
CVSS 8.8
CVE-2026-25130
CRITICAL
CAI Framework <= 0.5.10 - Remote Code Execution via Argument Injection in find_file Tool
CVSS 9.6
CVE-2026-1723
CRITICAL
TOTOLINK X6000R < 9.4.0cu.1498_B20250826 - Code Injection
CVE-2026-0709
HIGH
Hikvision Wireless AP - Command Injection
CVSS 7.2
CVE-2026-22277
HIGH
Dell UnityVSA <5.4 - Code Injection
CVSS 7.8