CWE-78

Exploit likelihood: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,967 vulnerabilities with CWE-78 (most recent shown; CVSS score shown where the page lists one):

CVE ID         | Severity     | CVSS         | Title
---------------|--------------|--------------|------------------------------------------------------------------
CVE-2025-57516 | HIGH         | 8.2          | PublicCMS V5.202506.a and V5.202506.b - OS Command Injection via BackupDB.bat
CVE-2025-11141 | MEDIUM       | 4.7          | Ruijie NBR2100G-E < 20250919 - OS Command Injection via city Parameter
CVE-2025-11138 | MEDIUM       | 6.3          | mirweiye wenkucms <3.4 - Code Injection
CVE-2025-59844 | HIGH         | (not listed) | SonarSource/sonarqube-scan-action 4.0.0-5.9.9 - OS Command Injection via args Parameter on Windows Runners
CVE-2025-35027 | HIGH         | 7.3          | Unitree G1, Go2, H1, B2 Firmware - OS Command Injection via BLE WiFi Configuration
CVE-2025-60017 | HIGH         | 8.2          | Unitree Go2-G1-H1-B2 - Command Injection
CVE-2025-11005 | CRITICAL     | 9.8          | TOTOLINK X6000R -<9.4.0cu.1458_B20250708 - Code Injection
CVE-2025-34227 | HIGH         | 8.8          | Nagios XI < 2026R1 - Authenticated OS Command Injection via Database Wizard Arguments
CVE-2025-43943 | MEDIUM       | 6.7          | Dell Cloud Disaster Recovery < 19.20 - Authenticated OS Command Injection
CVE-2025-27262 | HIGH         | 7.8          | Ericsson Indoor Connect 8855 - Privilege Escalation
CVE-2025-59834 | CRITICAL     | 9.8          | srmorete adb_mcp_server < 0.1.0 - OS Command Injection in MCP Server Tool Implementation
CVE-2025-59831 | HIGH         | 8.8          | git-commiters < 0.1.2 - OS Command Injection via Unsanitized Options
CVE-2025-52906 | CRITICAL     | 9.8          | TOTOLINK X6000R < 9.4.0cu.1360_b20241207 - OS Command Injection
CVE-2025-56819 | CRITICAL     | 9.8          | Datart 1.0.0-rc.3 - Remote Code Execution via INIT Connection Parameter
CVE-2025-57636 | MEDIUM       | 6.5          | D-Link DI-7100G Firmware - OS Command Injection via HTTP Parameter
CVE-2025-59534 | HIGH         | 7.3          | CryptoLib < 1.4.2 - OS Command Injection via initialize_kerberos_keytab_file_login()
CVE-2025-57639 | MEDIUM       | 6.5          | Tenda AC9 1.0 - OS Command Injection via usb.samba.guest.user Parameter
CVE-2025-9588  | CRITICAL     | 10.0         | Iron Mountain EnVision < 250563 - OS Command Injection
CVE-2025-9494  | HIGH         | (not listed) | Viessmann Vitogate 300 < 3.1.0.0 - Authenticated OS Command Injection via vitogate.cgi form Parameter
CVE-2025-10775 | MEDIUM       | 4.7          | Wavlink WL-NU516U1 240425 - OS Command Injection via login.cgi ipaddr Parameter
CVE-2025-10774 | MEDIUM       | 4.7          | Ruijie 6000-E10 <2.4.3.6-20171117 - Code Injection
CVE-2025-10767 | MEDIUM       | 4.5          | CosmodiumCS OnlyRAT <3.2 - Code Injection
CVE-2025-10568 | CRITICAL     | 9.8          | HyperX NGENUITY < 5.32.0.0 - Remote Code Execution
CVE-2025-48703 | CRITICAL KEV | 9.0          | Control Web Panel < 0.9.8.1205 filemanager - Unauthenticated Command Execution
CVE-2025-36143 | MEDIUM       | 4.7          | IBM watsonx.data 2.2 - Authenticated OS Command Injection