CWE-78
High likelihood
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
5,945 vulnerabilities with CWE-78
CVE-2026-10219
HIGH
nextlevelbuilder GoClaw write_file Tool fsbridge.go FsBridge.WriteFile os command injection
CVSS 7.3
CVE-2026-10214
HIGH
zhayujie chatgpt-on-wechat Bash Tool bash.py _get_safety_warning os command injection
CVSS 7.3
CVE-2026-49366
HIGH
Jetbrains IntelliJ Idea < 2026.1.1 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 7.8
CVE-2026-45633
CRITICAL
Dokploy: Command Injection in /docker-container-logs Endpoint
CVSS 9.9
CVE-2026-45632
CRITICAL
Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution
CVSS 9.9
CVE-2026-45630
CRITICAL
Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement
CVSS 9.0
CVE-2026-45629
CRITICAL
Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint
CVSS 9.9
CVE-2026-45626
MEDIUM
Arcane: OS Command Injection in Volume Browser ListDirectory via path query parameter
CVSS 6.3
CVE-2026-45662
HIGH
Dokploy: Command Injection via incomplete shell escaping in docker logout (registry deletion)
CVSS 8.8
CVE-2026-45578
HIGH
WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
CVSS 8.8
CVE-2026-9645
CRITICAL
ScadaBR Authenticated Remote Code Execution
CVSS 9.9
CVE-2026-44466
HIGH
Zed: Allowlist Bypass via Bash Arithmetic Expansion in Terminal Tool Permissions
CVSS 8.6
CVE-2026-44465
HIGH
Zed: Zed IDE Arbitrary Code Execution via untrusted repository with poisoned .git/config
CVSS 8.6
CVE-2026-44463
HIGH
Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions
CVSS 8.6
CVE-2026-44461
HIGH
Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)
CVSS 8.6
CVE-2026-4408
CRITICAL
Samba: remote code execution in samr
CVSS 9.0
CVE-2026-44604
HIGH
Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command
CVSS 7.0
CVE-2026-45322
HIGH
OS Command Injection in Microsoft UFO Shell Action Replay via Stored Session JSON
CVSS 7.8
CVE-2026-9208
HIGH
Tanium addressed an unauthorized code execution vulnerability in Connect.
CVSS 8.8
CVE-2026-45152
HIGH
uniget: Command Injection in tool.Check Leading to Arbitrary Code Execution
CVSS 7.8
CVE-2026-45136
HIGH
claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh
CVSS 7.8
CVE-2026-44713
HIGH
pam_usb: Command injection via $TMUX environment variable leads to RCE as root
CVSS 8.8
CVE-2026-44712
HIGH
pam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent
CVSS 8.2
CVE-2026-44709
HIGH
pam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution
CVSS 7.8
CVE-2026-44724
HIGH
systeminformation: Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
CVSS 7.8
Details
Vulnerabilities: 5,945
Exploit Likelihood: High