CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,946 vulnerabilities with CWE-78
CVE-2026-45035 HIGH
Tabby: RCE via `tabby://run` URL Scheme
CVSS 8.8
CVE-2026-46483 LOW
Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag
CVSS 3.6
CVE-2026-41553 CRITICAL
Remote Code Execution in PDF Export Module
CVSS 10.0
CVE-2026-8654 HIGH
Delphix Continuous Data Ibm Db2 Connector - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-45369 HIGH
python-utcp: Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol
CVSS 8.3
CVE-2026-44666 CRITICAL
HRConvert2: Missing Sanitization enables Unauthenticated Remote Command Execution
CVE-2026-26191 CRITICAL
Fleet vulnerable to OS command injection in software packages
CVSS 9.8
CVE-2026-41315 CRITICAL
mdserver-web: Missing Authorization and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 9.8
CVE-2026-42589 CRITICAL
Gotenberg: Unauthenticated RCE via ExifTool Metadata Key Injection
CVSS 9.8
CVE-2026-8500 CRITICAL
Perl Web::Passwd <= 0.03 - Command Injection Remote Code Execution
CVSS 9.8
CVE-2026-44194 CRITICAL
OPNsense: RCE on user management
CVSS 9.1
CVE-2026-0261 MEDIUM
PAN-OS: Authenticated Admin Command Injection Vulnerability
CVE-2026-6281 HIGH
Lenovo Personal Cloud T2s - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 8.8
CVE-2026-42924 HIGH
F5 BIG-IP 16.1.0-21.1.0 - Authenticated Privilege Escalation via SNMP Configuration Object
CVSS 8.7
CVE-2026-42290 HIGH
protobufjs-cli: OS Command Injection
CVSS 7.8
CVE-2026-34176 HIGH
F5 BIG-IP 16.1.0-21.1.0 - Authenticated Remote Command Injection via iControl REST Endpoint
CVSS 8.7
CVE-2026-42062 CRITICAL
Elecom Co.,ltd. WRC-BE72XSD-B - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 9.8
CVE-2026-35506 HIGH
Elecom Co.,ltd. WRC-BE72XSD-B - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS 7.2
CVE-2026-43685 HIGH
Claris FileMaker Cloud < 2.22.0.5 - Authenticated Remote Code Execution via External ODBC Data Source Connection Test
CVSS 7.2
CVE-2026-44258 CRITICAL
efw4.X: Path Traversal via Unchecked dst Parameter leads to Remote Code Execution
CVE-2026-23821 HIGH
HPE ArubaOS AOS-10 CLI - Authenticated Command Injection
CVSS 7.2
CVE-2026-23820 HIGH
HPE ArubaOS AOS-8 Instant and AOS-10 CLI - Authenticated Command Injection
CVSS 7.2
CVE-2026-41613 HIGH
Visual Studio Code Elevation of Privilege Vulnerability
CVSS 8.8
CVE-2026-43991 HIGH
JunoClaw: plugin-shell shell-injection bypass via substring blocklist
CVSS 8.4
CVE-2026-43990 HIGH
JunoClaw: plugin-shell shell-metacharacter injection via shell wrapper
CVSS 8.4