CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,967 vulnerabilities with CWE-78
CVE-2025-66398 CRITICAL
Signal K Server < 2.19.0 - Unauthenticated Remote Code Execution via Backup Validation Endpoint
CVSS 9.6
CVE-2025-68700 HIGH
RAGFlow <0.23.0 - Command Injection
CVSS 8.8
CVE-2025-15389 HIGH
QNO Technology VPN Firewall - Authenticated OS Command Injection
CVSS 8.8
CVE-2025-15388 HIGH
QNO Technology VPN Firewall - Authenticated OS Command Injection
CVSS 8.8
CVE-2025-15254 MEDIUM
Tenda W6-S 1.0.0.4(510) - OS Command Injection via TendaAte Function
CVSS 6.3
CVE-2025-66203 CRITICAL
StreamVault < 251126 - Authenticated Remote Code Execution via yt-dlp Argument Injection
CVSS 9.9
CVE-2025-68922 HIGH
OpenOps < 0.6.11 - Remote Code Execution via Terraform Block
CVSS 7.4
CVE-2025-43876 HIGH
Under certain circumstances - Privilege Escalation
CVE-2025-43875 HIGH
Under certain circumstances - Privilege Escalation
CVE-2025-66213 HIGH
Coolify <4.0.0-beta.451 - Command Injection
CVSS 8.8
CVE-2025-66212 HIGH
Coolify <4.0.0-beta.451 - Command Injection
CVSS 8.8
CVE-2025-66211 HIGH
Coolify <4.0.0-beta.451 - Command Injection
CVSS 8.8
CVE-2025-66210 HIGH
Coolify <4.0.0-beta.451 - Command Injection
CVSS 8.8
CVE-2025-66209 CRITICAL
Coolify <4.0.0-beta.451 - Command Injection
CVSS 9.9
CVE-2025-14500 CRITICAL
IceWarp 14.2.0.5 - Unauthenticated Remote Code Execution via X-File-Operation Header
CVSS 9.8
CVE-2025-13700 HIGH
DreamFactory - Authenticated Remote Code Execution via saveZipFile Method
CVSS 7.2
CVE-2025-11774 HIGH
Mitsubishi Electric GENESIS64 <10.97.2 CFR3 - Command Injection
CVSS 8.2
CVE-2025-14737 HIGH
TP-Link TL-WA850RE Firmware < 160527 - Authenticated OS Command Injection
CVSS 8.0
CVE-2025-65008 CRITICAL
WODESYS WD-R608U WDR28081123OV1.01 - OS Command Injection via adm.cgi langGet Parameter
CVE-2025-68459 HIGH
Ruijie Networks AP180 Series < AP_RGOS 11.9(4)B1P8 - Authenticated OS Command Injection
CVSS 7.2
CVE-2025-68109 CRITICAL
ChurchCRM < 6.5.3 - Remote Code Execution via Database Restore File Upload
CVSS 9.1
CVE-2025-67172 HIGH
RiteCMS v3.1.0 - Authenticated Remote Code Execution via parse_special_tags()
CVSS 7.2
CVE-2025-67164 CRITICAL
Pagekit 1.0.18 - Authenticated Arbitrary File Upload and Remote Code Execution via /storage/poc.php
CVSS 9.9
CVE-2025-43873 HIGH
Firmware <version> - Privilege Escalation
CVE-2025-68154 HIGH
systeminformation < 5.27.14 - OS Command Injection via fsSize() Drive Parameter
CVSS 8.1