CWE-78

Exploit likelihood: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,969 vulnerabilities with CWE-78
CVE             Severity  KEV  CVSS  Title
CVE-2024-51151  CRITICAL       9.8   D-Link DI-8200 16.07.26A1 - Remote Code Execution via msp_info_htm flag and cmd Parameters
CVE-2024-48895  HIGH           8.8   Rakuten Turbo 5G <V1.3.18 - Command Injection
CVE-2024-51503  HIGH           8.0   Trend Micro Deep Security 20 Agent - Privilege Escalation and Remote Code Execution via Manual Scan Command Injection
CVE-2024-11003  HIGH           7.8   needrestart < 3.8 - Local OS Command Injection via Modules::ScanDeps
CVE-2024-10224  MEDIUM         5.3   Modules::ScanDeps < 1.36 - OS Command Injection via Pesky Pipe or eval()
CVE-2024-52587  HIGH           8.8   step-security/harden-runner < 2.10.2 - OS Command Injection via Environment Variables
CVE-2024-9474   HIGH      KEV  7.2   PAN-OS >=10.1.0 <10.1.14 - Authenticated Privilege Escalation to Root via Management Interface
CVE-2024-44759  HIGH           7.5   NUS-M9 ERP Mgmt <3.0.0 - Info Disclosure
CVE-2024-24431  HIGH           7.5   Open5GS 2.7.0 - Denial of Service via Zero-Length EMM Message in NAS Packet
CVE-2024-24426  HIGH           7.5   OpenAirInterface Magma <1.8.0/OAI EPC Federation <1.2.0 - DoS
CVE-2024-10443  CRITICAL       9.8   Synology Photos < 1.6.2-0720 and BeePhotos < 1.1.0-10053 - OS Command Injection in Task Manager
CVE-2024-11120  CRITICAL  KEV  9.8   GeoVision EOL Devices - Unauthenticated OS Command Injection
CVE-2024-4343   CRITICAL       9.8   privategpt < 0.6.0 - Remote Code Execution via SagemakerLLM complete() Method
CVE-2024-50853  HIGH           8.8   Tendacn G3 Firmware - Command Injection
CVE-2024-50852  HIGH           8.8   Tendacn G3 Firmware - Command Injection
CVE-2024-32118  MEDIUM         6.7   FortiManager 7.2.0-7.4.2 and FortiAnalyzer 7.2.0-7.4.2 - Authenticated OS Command Injection via CLI Requests
CVE-2024-52010  HIGH           -     Zoraxy 2.6.1-3.1.3 - Authenticated OS Command Injection via Web SSH Username Parameter
CVE-2024-11006  CRITICAL       9.1   Ivanti Connect Secure < 22.7R2.1 and Policy Secure < 22.7R1.1 - Authenticated Remote Code Execution
CVE-2024-11005  CRITICAL       9.1   Ivanti Connect Secure < 22.7R2.1 and Policy Secure < 22.7R1.1 - Authenticated Remote Code Execution
CVE-2024-11007  CRITICAL       9.1   Ivanti Connect Secure < 22.7R2.1 and Policy Secure < 22.7R1.1 - Authenticated Remote Code Execution
CVE-2024-46890  CRITICAL       9.1   SINEC INS < V1.0 SP2 Update 3 - Authenticated Remote Code Execution via Web API Endpoint
CVE-2024-45827  HIGH           8.0   Mesh Wi-Fi router RP562B <v1.0.2 - Command Injection
CVE-2024-8881   MEDIUM         6.8   Zyxel GS1900 Series Firmware < 2.90 - Authenticated OS Command Injection via CGI Program
CVE-2024-36061  CRITICAL       9.8   EnGenius EWS356-FIT <1.1.30 - Command Injection
CVE-2024-11066  HIGH           7.2   D-Link DSL6740C Firmware - Authenticated OS Command Injection via Web Interface

(KEV marks entries listed in the Known Exploited Vulnerabilities catalog; "-" means no CVSS score was given for that entry.)