CWE-78
High likelihood
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
5,967 vulnerabilities with CWE-78
CVE-2025-44882
CRITICAL
Wavlink WL-WN579A3 v1.0 - OS Command Injection via firewall.cgi
CVSS 9.8
CVE-2025-44880
CRITICAL
Wavlink WL-WN579A3 v1.0 - OS Command Injection via adm.cgi
CVSS 9.8
CVE-2025-41225
HIGH
VMware vCenter Server 7.0-7.0 U3v, 8.0-8.0 U3e - Authenticated OS Command Injection via Alarm Script Action
CVSS 8.8
CVE-2025-32002
CRITICAL
I-O DATA HDL-T Series <1.21 - Command Injection
CVSS 9.8
CVE-2025-47782
HIGH
motioneye 0.43.1b1-0.43.1b3 - Authenticated OS Command Injection via Camera Device Path
CVE-2025-24022
HIGH
iTop < 2.7.12 - Remote Code Execution via Portal Frontend
CVSS 8.5
CVE-2025-43562
CRITICAL
Adobe ColdFusion <= 2025.1, <= 2023.13, <= 2021.19 - Authenticated OS Command Injection
CVSS 9.1
CVE-2025-45858
CRITICAL
TOTOLINK A3002R v4.0.0-B20230531.1404 - OS Command Injection via FUN_00459fdc Function
CVSS 9.8
CVE-2025-40582
HIGH
SCALANCE LPE9403 Firmware - OS Command Injection via Configuration Parameter
CVSS 7.8
CVE-2025-26389
CRITICAL
Siemens OZW672 and OZW772 Firmware < 8.0 - Unauthenticated Remote Code Execution via exportDiagramPage Endpoint
CVSS 10.0
CVE-2025-47203
MEDIUM
Dropbear SSH <2025.88 - Command Injection
CVSS 4.5
CVE-2025-32821
HIGH
SonicWall SMA 100/200/210/400/410/500v Firmware < 10.2.1.15-81sv - Authenticated OS Command Injection via File Upload
CVSS 7.2
CVE-2025-20213
MEDIUM
Cisco Catalyst SD-WAN Manager - Privilege Escalation
CVSS 5.5
CVE-2025-20194
MEDIUM
Cisco IOS XE - Authenticated OS Command Injection via Web Management Interface
CVSS 5.4
CVE-2025-20193
MEDIUM
Cisco IOS XE - Authenticated File Read via Web Management Interface Injection
CVSS 6.5
CVE-2025-20186
HIGH
Cisco IOS XE - Authenticated OS Command Injection via Web-Based Management Interface
CVSS 8.8
CVE-2025-45491
CRITICAL
Linksys E5600 v1.1.0.26 - OS Command Injection via DynDNS Username Parameter
CVSS 9.8
CVE-2025-45042
CRITICAL
Tenda AC9 v15.03.05.14 - OS Command Injection via Telnet Function
CVSS 9.8
CVE-2025-2605
CRITICAL
Honeywell MB-Secure Firmware 11.04-12.52 and MB-Secure PRO Firmware 01.06-03.08 - OS Command Injection
CVSS 9.9
CVE-2025-24351
HIGH
Bosch Rexroth ctrlX OS 1.20.0-1.20.6 & 2.6.0-2.6.7 Authenticated RCE via Remote Logging
CVSS 8.8
CVE-2025-4032
MEDIUM
inclusionai aworld - OS Command Injection in shell_tool.py
CVSS 5.0
CVE-2025-46272
CRITICAL
WGS-80HPT-V2 & WGS-4215-8T2S - Command Injection
CVSS 9.1
CVE-2025-46271
CRITICAL
Planet Technology UNI-NMS-Lite < 1.0b211018 - Unauthenticated OS Command Injection
CVSS 9.1
CVE-2025-43858
CRITICAL
YoutubeDLSharp 1.0.0-beta4-1.1.1 - Command Injection via Windows Encoding Workaround
CVSS 9.2
CVE-2025-1976
MEDIUM
KEV
Brocade Fabric OS <9.1.1d6 - Privilege Escalation
CVSS 6.7
Details
Vulnerabilities: 5,967
Exploit Likelihood: High