CWE-78
High likelihood
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
5,967 vulnerabilities with CWE-78
CVE-2025-2773
HIGH
BEC Technologies Router Firmware - Remote Code Execution via sys ping Command Injection
CVSS 7.2
CVE-2025-28039
CRITICAL
TOTOLINK EX1200T V4.1.2cu.5232_B20210713 - Unauthenticated Remote Code Execution via setUpgradeFW FileName Parameter
CVSS 9.8
CVE-2025-28038
CRITICAL
TOTOLINK EX1200T V4.1.2cu.5232_B20210713 - Unauthenticated Remote Code Execution via setWebWlanIdx webWlanIdx Parameter
CVSS 9.8
CVE-2025-28036
CRITICAL
TOTOLINK A950RG V4.1.2cu.5161_B20200903 - Unauthenticated Remote Code Execution via NoticeUrl Parameter
CVSS 9.8
CVE-2025-28035
CRITICAL
TOTOLINK A830R V4.1.2cu.5182_B20201102 - Unauthenticated Remote Code Execution via setNoticeCfg NoticeUrl Parameter
CVSS 9.8
CVE-2025-28037
CRITICAL
TOTOLINK A810R V4.1.2cu.5182_B20201026 & A950RG V4.1.2cu.5161_B20200903 - RCE via setDiagnosisCfg ipDomain
CVSS 9.8
CVE-2025-28034
CRITICAL
TOTOLINK A800R/A810R/A830R/A950RG/A3000RU/A3100R - RCE via NTPSyncWithHost hostTime
CVSS 9.8
CVE-2025-43920
MEDIUM
GNU Mailman 2.1.1-2.1.38 - Unauthenticated OS Command Injection via Email Subject Line
CVSS 5.4
CVE-2025-3816
MEDIUM
westboy CicadasCMS 2.0 - OS Command Injection in Scheduled Task Handler
CVSS 4.7
CVE-2025-29043
CRITICAL
D-Link DIR-823x Firmware - OS Command Injection via Function 0x417234
CVSS 9.8
CVE-2025-29042
CRITICAL
D-Link DIR-823x Firmware - OS Command Injection via macaddr Parameter
CVSS 9.8
CVE-2025-29041
CRITICAL
D-Link DIR-823x 240802 - OS Command Injection via target_addr Parameter
CVSS 9.8
CVE-2025-29040
CRITICAL
D-Link DIR-823x Firmware 240802 - OS Command Injection via target_addr Parameter
CVSS 9.8
CVE-2025-3729
HIGH
Web-based Pharmacy Product Management System 1.0 - OS Command Injection via Database Backup Handler
CVSS 7.3
CVE-2025-32778
CRITICAL
Lissy93/web-check < 2.0.1 - OS Command Injection via Screenshot API URL Parameter
CVE-2025-28137
CRITICAL
TOTOLINK A810R V4.1.2cu.5182_B20201026 - Unauthenticated Remote Code Execution via NoticeUrl Parameter
CVSS 9.8
CVE-2025-0119
MEDIUM
Palo Alto Networks Cortex XDR - Command Injection
CVE-2025-32107
HIGH
Deco BE65 Pro < V1_1.1.2 - Command Injection
CVSS 8.0
CVE-2025-0127
HIGH
Palo Alto Networks PAN-OS - Privilege Escalation
CVE-2025-27797
CRITICAL
Wi-Fi AP UNIT AC-WPS-11ac - Command Injection
CVSS 9.8
CVE-2025-25053
HIGH
Wi-Fi AP UNIT AC-WPS-11ac - Command Injection
CVSS 8.8
CVE-2025-30289
HIGH
ColdFusion <2023.12, 2021.18, 2025.0 - Code Injection
CVSS 8.2
CVE-2025-30286
HIGH
ColdFusion <2023.12, 2021.18, 2025.0 - Code Injection
CVSS 8.4
CVE-2025-27079
MEDIUM
HPE AOS-10 AP 8.10.0.0-8.10.0.14, 8.12.0.0-8.12.0.2, 10.4.0.0-10.4.1.4, 10.7.0.0 - Authenticated RCE via CLI
CVSS 6.0
CVE-2025-27078
MEDIUM
HPE AOS-10 AP 8.10.0.0-8.10.0.14, 8.12.0.0-8.12.0.2, 10.4.0.0-10.4.1.4, 10.7.0.0 - OS Command Injection via CLI
CVSS 6.5