CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,666 vulnerabilities with CWE-78
CVE-2026-40527 HIGH
radare2 Command Injection via DWARF Parameter Names
CVSS 7.8
CVE-2026-33145 MEDIUM
xrdp: Authenticated RCE via unsanitized AlternateShell execution in xrdp-sesman
CVSS 6.3
CVE-2026-23500 CRITICAL
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
CVE-2026-6483 HIGH
Wavlink WL-WN530H4 internet.cgi snprintf OS command injection
CVSS 7.2
CVE-2026-35074 MEDIUM
Dell PowerProtect Data Domain - Command Injection
CVSS 6.7
CVE-2026-35073 MEDIUM
Dell PowerProtect Data Domain < 8.7.0.1 or later - Command Injection
CVSS 6.7
CVE-2026-35072 MEDIUM
Dell PowerProtect Data Domain - Command Injection
CVSS 6.7
CVE-2026-21719 HIGH
CubeCart < 6.6.0 - Command Injection
CVSS 7.2
CVE-2026-41113 HIGH
Sagredo Qmail < 2026.04.07 - Remote Code Execution
CVSS 8.1
CVE-2026-6349 CRITICAL
HGiga|iSherlock - OS Command Injection
CVSS 9.8
CVE-2026-41015 HIGH
radare2 - Command Injection
CVSS 7.4
CVE-2026-40261 HIGH
Composer has Command Injection via Malicious Perforce Reference
CVSS 8.8
CVE-2026-40176 HIGH
Composer is vulnerable to Command Injection via Malicious Perforce Repository
CVSS 7.8
CVE-2026-40499 HIGH
radare2 < 6.1.4 Command Injection via PDB Parser print_gvars()
CVE-2026-33414 HIGH
PowerShell Command Injection in Podman HyperV Machine
CVSS 7.8
CVE-2026-35196 HIGH
Chamilo LMS has OS Command Injection via export_all_certificates action
CVSS 8.8
CVE-2026-24893 HIGH
openITCOCKPIT has Authenticated Command Injection Leading to Remote Code Execution via Host Address Macro Expansion
CVSS 8.8
CVE-2026-39808 CRITICAL
Fortinet FortiSandbox < 4.4.8 - Command Injection
CVSS 9.8
CVE-2026-40288 CRITICAL
PraisonAI: Critical RCE via `type: job` workflow YAML
CVSS 9.8
CVE-2026-39420 MEDIUM
MaxKB: Sandbox escape via LD_PRELOAD bypass
CVSS 6.3
CVE-2026-39417 MEDIUM
MaxKB: RCE via MCP stdio command injection in workflow engine
CVSS 4.6
CVE-2026-6195 CRITICAL
Totolink A7100RU CGI cstecgi.cgi setPasswordCfg OS command injection
CVSS 9.8
CVE-2026-28291 HIGH
simple-git has Command Execution via Option-Parsing Bypass
CVSS 8.1
CVE-2026-34188 HIGH
OS Command Injection in Event Response Execution
CVSS 7.2
CVE-2026-30809 HIGH
OS Command Injection in WebServerModuleDebug via Blacklist Bypass leads to Remote Code Execution
CVSS 8.8