CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,945 vulnerabilities with CWE-78
CVE-2026-44590 CRITICAL
Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml
CVSS 9.3
CVE-2026-45087 CRITICAL
Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode
CVSS 10.0
CVE-2026-44346 HIGH
BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml
CVSS 8.8
CVE-2026-44345 HIGH
BentoML: Dockerfile command injection via docker.base_image
CVSS 8.8
CVE-2026-36045 HIGH
picoclaw <=v0.1.2 - OS Command Injection via ExecTool Component
CVSS 7.3
CVE-2026-36044 HIGH
@pensar/apex <= 0.0.58 - OS Command Injection via smart_enumerate Tool
CVSS 8.8
CVE-2026-40852 HIGH
MB connect line mbNET/mbNET.rokey - Command Injection via Malicious Configuration
CVSS 7.2
CVE-2026-8450 CRITICAL
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
CVSS 9.1
CVE-2026-9207 HIGH
Command Injection in Connect Allows Privilege Escalation on Windows Tanium Module Server
CVSS 8.8
CVE-2026-44444 CRITICAL
Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan
CVSS 9.1
CVE-2026-9560 HIGH
OpenVPN Connect < 3.8.1 - Privilege Defined With Unsafe Actions
CVSS 7.8
CVE-2026-48695 HIGH
FastNetMon Community Edition <= 1.2.9 - OS Command Injection via MikroTik Plugin Log Function
CVSS 8.1
CVE-2026-48694 HIGH
FastNetMon Community Edition <= 1.2.9 - Configuration Injection via Juniper Plugin IP_ATTACK Variable
CVSS 8.1
CVE-2026-46624 CRITICAL
Twenty: SQL Injection via the timeZone field
CVSS 9.9
CVE-2026-9565 MEDIUM
haojing8312 WorkClaw Blacklist bash.rs is_dangerous os command injection
CVSS 6.3
CVE-2026-44723 MEDIUM
Vowpal Wabbit: Shell injection via crafted PR title in python_checks.yml allows arbitrary command execution on CI runner
CVSS 5.0
CVE-2026-48687 CRITICAL
FastNetMon Community Edition <= 1.2.9 - OS Command Injection in Juniper Plugin via Unsanitized Log Message
CVSS 9.8
CVE-2026-4480 CRITICAL
Samba: samba: remote code execution in printing subsystem via unescaped job description
CVSS 9.0
CVE-2026-9543 CRITICAL
Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection
CVSS 9.8
CVE-2026-9534 MEDIUM
Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os command injection
CVSS 6.3
CVE-2026-9533 MEDIUM
Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os command injection
CVSS 6.3
CVE-2026-9532 MEDIUM
Totolink CA750-PoE Setting cstecgi.cgi setUploadUserData os command injection
CVSS 6.3
CVE-2026-9531 MEDIUM
Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os command injection
CVSS 6.3
CVE-2026-9515 MEDIUM
Totolink CA750-PoE Setting cstecgi.cgi setUnloadUserData os command injection
CVSS 6.3
CVE-2026-9514 MEDIUM
Totolink CA750-PoE Setting cstecgi.cgi setNetworkDiag os command injection
CVSS 6.3