CWE-78

Exploit likelihood: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,967 vulnerabilities with CWE-78
CVE-2025-54469 CRITICAL
NeuVector 5.3.0-5.3.4/5.4.0-5.4.6 OS Command Injection via CLUSTER_RPC_PORT/CLUSTER_LAN_PORT
CVSS 9.9
CVE-2025-11202 CRITICAL
win-cli-mcp-server - Command Injection
CVSS 9.8
CVE-2025-64140 HIGH
Jenkins Azure CLI Plugin < 0.9 - Authenticated OS Command Injection
CVSS 8.8
CVE-2025-62801 HIGH
fastmcp < 2.13.0 - OS Command Injection via server_name Field
CVSS 7.8
CVE-2025-34312 HIGH
IPFire < 2.29 - Authenticated OS Command Injection via URL Filter Blacklist BE_NAME Parameter
CVSS 8.8
CVE-2025-34311 HIGH
IPFire < 2.29 - Authenticated OS Command Injection via Proxy Report Parameters
CVSS 8.8
CVE-2025-1038 HIGH
Hitachi Energy TropOS 4th Gen 8.7.0.0-8.9.5.9 - Authenticated OS Command Injection via Diagnostics Tools Page
CVE-2025-1036 HIGH
Hitachi Energy TropOS 4th Gen 8.7.0.0-8.9.6.0 - Authenticated OS Command Injection via Logging Page
CVE-2025-12296 MEDIUM
D-Link DAP-2695 2.00RC13 - OS Command Injection in Firmware Update Handler
CVSS 4.7
CVE-2025-60803 CRITICAL
Antabot White-Jotter - Unauthenticated Remote Code Execution via /api/aaa;/../register
CVSS 9.8
CVE-2025-10680 HIGH
OpenVPN <2.7_beta1 - Command Injection
CVSS 8.8
CVE-2025-6978 HIGH
Arista Edge Threat Management - Arista Next Generation Firewall < 17.3.1 - OS Command Injection via Diagnostics Command
CVSS 7.2
CVE-2025-62713 HIGH
Kottster 3.2.0-3.3.1 - Unauthenticated Remote Code Execution in Development Mode
CVE-2025-8078 HIGH
Zyxel ZLD 4.32-5.40 - Authenticated OS Command Injection via CLI Argument
CVSS 7.2
CVE-2025-7850 HIGH
TP-Link Omada Gateways - Authenticated OS Command Injection
CVSS 7.2
CVE-2025-6542 CRITICAL
Product <Version - Command Injection
CVSS 9.8
CVE-2025-6541 HIGH
Product <Version> - Command Injection
CVSS 8.8
CVE-2025-47901 HIGH
Microchip Time Provider 4100 < 2.5 - OS Command Injection
CVSS 8.8
CVE-2025-47900 HIGH
Microchip Time Provider 4100 < 2.5 - OS Command Injection
CVSS 8.8
CVE-2025-11900 CRITICAL
HGiga iSherlock 4.5 and 5.5 - Unauthenticated OS Command Injection
CVSS 9.8
CVE-2025-34514 HIGH
Ilevia EVE X1 Server Firmware <= 4.7.18.0.eden - Authenticated OS Command Injection via PHP Scripts
CVSS 8.8
CVE-2025-34513 CRITICAL
Ilevia EVE X1 Server Firmware <= 4.7.18.0.eden - Unauthenticated OS Command Injection in mbus_build_from_csv.php
CVSS 9.8
CVE-2025-60013 MEDIUM
F5OS-A 1.5.1-1.5.4 - Authenticated OS Command Injection via FIPS Module Initialization
CVSS 4.6
CVE-2025-53868 HIGH
F5 BIG-IP 15.1.0-15.1.10.8 - Authenticated Appliance Mode Restriction Bypass via SCP/SFTP Commands
CVSS 8.7
CVE-2025-59051 HIGH
FreePBX Endpoint Mgr <16.0.92, <17.0.6 - Command Injection