CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,967 vulnerabilities with CWE-78
CVE-2025-60965 CRITICAL
EndRun Technologies Sonoma D12 - Command Injection
CVSS 9.1
CVE-2025-60964 CRITICAL
EndRun Technologies Sonoma D12 - Code Injection
CVSS 9.1
CVE-2025-60963 HIGH
EndRun Technologies Sonoma D12 - Code Injection
CVSS 8.2
CVE-2025-60962 HIGH
EndRun Technologies Sonoma D12 - Code Injection
CVSS 8.2
CVE-2025-60960 HIGH
EndRun Technologies Sonoma D12 - Code Injection
CVSS 8.2
CVE-2025-60959 HIGH
EndRun Technologies Sonoma D12 - Code Injection
CVSS 8.2
CVE-2025-60957 CRITICAL
EndRun Technologies Sonoma D12 - Code Injection
CVSS 9.9
CVE-2025-36354 HIGH
IBM Security Verify Access 10.0.0.0-10.0.9.0 and 11.0.0.0-11.0.1.0 - Unauthenticated OS Command Injection
CVSS 7.3
CVE-2025-11285 MEDIUM
samanhappy MCPHub <0.9.10 - Command Injection
CVSS 6.3
CVE-2025-47212 HIGH
QNAP QTS and QuTS hero - Authenticated OS Command Injection
CVSS 7.2
CVE-2025-61591 HIGH
Cursor < 1.7 - OS Command Injection via Malicious MCP Server OAuth Response
CVSS 8.8
CVE-2025-60787 HIGH
MotionEye <= 0.43.1b4 - Authenticated Configuration Command Injection
CVSS 7.2
CVE-2025-59741 CRITICAL
AndSoft e-TMS 25.03 - OS Command Injection via 'm' Parameter in LOGINERRORFRM.ASP
CVSS 9.8
CVE-2025-59740 CRITICAL
AndSoft e-TMS 25.03 - OS Command Injection via 'm' Parameter in LOGINFRM_CAT.ASP
CVSS 9.8
CVE-2025-59739 CRITICAL
AndSoft e-TMS 25.03 - OS Command Injection via 'm' Parameter in LOGINFRM_original.ASP
CVSS 9.8
CVE-2025-59738 CRITICAL
AndSoft e-TMS 25.03 - OS Command Injection via 'm' Parameter in /clt/LOGINFRM_BET.ASP
CVSS 9.8
CVE-2025-59737 CRITICAL
AndSoft e-TMS 25.03 - OS Command Injection via 'm' Parameter in /clt/LOGINFRM_LXA.ASP
CVSS 9.8
CVE-2025-59736 CRITICAL
AndSoft e-TMS 25.03 - OS Command Injection via 'm' Parameter in /clt/LOGINFRM_DJO.ASP
CVSS 9.8
CVE-2025-59735 CRITICAL
AndSoft e-TMS 25.03 - OS Command Injection via 'm' Parameter in /clt/LOGINFRM.ASP
CVSS 9.8
CVE-2025-61045 CRITICAL
TOTOLINK X18 V9.1.0cu.2053_B20230309 - Command Injection
CVSS 9.8
CVE-2025-10659 CRITICAL
Telenium Online Web Application - Unauthenticated Remote Code Execution via PHP Endpoint
CVSS 9.8
CVE-2025-9762 CRITICAL
Post By Email < 1.0.4b - Unauthenticated Arbitrary File Upload via save_attachments Function
CVSS 9.8
CVE-2025-11148 CRITICAL
check-branches - OS Command Injection via Unsanitized Branch Name
CVSS 9.8
CVE-2025-36245 HIGH
IBM InfoSphere Information Server 11.7.0.0-11.7.1.6 - Authenticated OS Command Injection
CVSS 8.8
CVE-2025-30247 CRITICAL
Western Digital My Cloud <5.31.108 - Command Injection