CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,667 vulnerabilities with CWE-78
CVE-2026-5831 MEDIUM
Agions taskflow-ai terminal_execute handlers.ts os command injection
CVSS 6.3
CVE-2026-40032 HIGH
UAC < 3.3.0-rc1 Command Injection via Placeholder Substitution
CVSS 7.8
CVE-2026-40030 HIGH
parseusbs < 1.9 Command Injection via Volume Path Argument
CVSS 7.8
CVE-2026-40029 HIGH
parseusbs < 1.9 Command Injection via Crafted LNK Filename
CVSS 7.8
CVE-2026-5802 HIGH
idachev mcp-javadc HTTP os command injection
CVSS 7.3
CVE-2026-39862 HIGH
Tophat has a Command Injection Vulnerability When Accessing a Maliciously Crafted Tophat Link
CVSS 8.8
CVE-2026-30818 HIGH
OS Command Injection Vulnerability in dnsmasq Module in TP-Link AX53
CVSS 8.0
CVE-2026-30815 HIGH
OS Command Injection Vulnerability in OpenVPN Module in TP-Link AX53
CVSS 8.0
CVE-2026-27806 HIGH
Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
CVSS 7.8
CVE-2026-5208 HIGH
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coolercontrold
CVSS 8.2
CVE-2026-5741 HIGH
suvarchal docker-mcp-server HTTP index.ts pull_image os command injection
CVSS 7.3
CVE-2026-39382 CRITICAL
dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output
CVE-2026-4631 CRITICAL
Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection
CVSS 9.8
CVE-2026-35585 HIGH
File Browser has a Command Injection via Hook Runner
CVSS 7.2
CVE-2026-35581 HIGH
Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
CVSS 7.2
CVE-2026-35521 HIGH
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
CVSS 8.8
CVE-2026-35520 HIGH
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection
CVSS 8.8
CVE-2026-35519 HIGH
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection
CVSS 8.8
CVE-2026-35518 HIGH
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection
CVSS 8.8
CVE-2026-35517 HIGH
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection
CVSS 8.8
CVE-2026-35463 HIGH
pyLoad has Improper Neutralization of Special Elements used in an OS Command
CVSS 8.8
CVE-2026-5692 HIGH
Totolink A7100RU cstecgi.cgi setGameSpeedCfg os command injection
CVSS 7.3
CVE-2026-5691 HIGH
Totolink A7100RU cstecgi.cgi setFirewallType os command injection
CVSS 7.3
CVE-2026-5690 HIGH
Totolink A7100RU cstecgi.cgi setRemoteCfg os command injection
CVSS 7.3
CVE-2026-5689 HIGH
Totolink A7100RU cstecgi.cgi setNtpCfg os command injection
CVSS 7.3
Details
Vulnerabilities 5,667
Exploit Likelihood High
Links
MITRE CWE Entry Search this CWE With Exploits