CWE-78
High likelihood
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
5,967 vulnerabilities with CWE-78
CVE-2025-53679
HIGH
Fortinet FortiSandbox <5.0.2 - Command Injection
CVSS 7.2
CVE-2025-14204
MEDIUM
TykoDev cherry-studio-TykoFork 0.1 - Code Injection
CVSS 6.3
CVE-2025-66644
HIGH
KEV
Array Networks ArrayOS AG <9.4.5.9 - Command Injection
CVSS 7.2
CVE-2025-14094
MEDIUM
Edimax BR-6478AC V3 1.0.15 - OS Command Injection via sysCmd Argument
CVSS 4.7
CVE-2025-14093
MEDIUM
Edimax BR-6478AC V3 1.0.15 - OS Command Injection via Traceroute Host Parameter
CVSS 4.7
CVE-2025-14092
MEDIUM
Edimax BR-6478AC V3 1.0.15 - OS Command Injection via host Argument in formDebugDiagnosticRun
CVSS 4.7
CVE-2025-66576
CRITICAL
Remote Keyboard Desktop 1.0.1 - Code Injection
CVSS 9.8
CVE-2025-66572
MEDIUM
Loaded Commerce 6.6 - Unauthenticated Remote Code Execution via Search Parameter
CVE-2025-29269
CRITICAL
ALLNET ALL-RUT22GW v3.3.8 - OS Command Injection via popen.cgi Command Parameter
CVSS 9.8
CVE-2025-66208
CRITICAL
Collabora Online <25.04.702 - OS Command Injection
CVSS 9.8
CVE-2025-34319
CRITICAL
TOTOLINK N300RT <V3.4.0-B20250430 - Command Injection
CVE-2025-12744
HIGH
Red Hat ABRT - Command Injection via Mount Information
CVSS 8.8
CVE-2025-11787
HIGH
Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 - OS Command Injection via GetDNS(), CheckPing(), and TraceRoute() Functions
CVSS 8.8
CVE-2025-66401
CRITICAL
MCP Watch <0.1.2 - Command Injection
CVSS 9.8
CVE-2025-35028
CRITICAL
HexStrike AI MCP - Command Injection
CVSS 9.1
CVE-2025-8890
CRITICAL
SDMC NE6037 <7.1.12.2.44 - Command Injection
CVE-2025-65202
HIGH
TRENDnet TEW-657BRM 1.00.1 - Authenticated OS Command Injection via setup.cgi Parameters
CVSS 8.0
CVE-2025-64128
CRITICAL
Zenitel TCIV-3+ < 9.3.3.0 - Unauthenticated OS Command Injection
CVSS 10.0
CVE-2025-64127
CRITICAL
Zenitel TCIV-3+ < 9.3.3.0 - Unauthenticated OS Command Injection
CVSS 10.0
CVE-2025-64126
CRITICAL
Zenitel TCIV-3+ < 9.3.3.0 - Unauthenticated OS Command Injection via IP Address Parameter
CVSS 10.0
CVE-2025-62354
CRITICAL
Cursor 1.3.4-2.0 - OS Command Injection
CVSS 9.8
CVE-2025-66261
CRITICAL
DB Electronica Mozart FM Transmitter < 1.0 - Unauthenticated Remote Code Execution
CVSS 9.8
CVE-2025-66253
CRITICAL
DB Electronica Telecomunicazioni Mozart FM Transmitter - Unauthenticated OS Command Injection via start_upgrade.php
CVSS 9.8
CVE-2025-59370
HIGH
ASUS Router 3.0.0.4_386 3.0.0.4_388 3.0.0.6_102 - Authenticated OS Command Injection in bwdpi
CVE-2025-59366
CRITICAL
ASUS Router - Authentication Bypass via Samba Functionality
Details
Vulnerabilities: 5,967
Exploit Likelihood: High