CWE-78
High likelihood
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
5,667 vulnerabilities with CWE-78
CVE-2026-5688
HIGH
Totolink A7100RU cstecgi.cgi setDdnsCfg os command injection
CVSS 7.3
CVE-2026-5709
HIGH
AWS Research and Engineering Studio (RES) FileBrowser Command Injection
CVSS 8.8
CVE-2026-5707
HIGH
Command Injection via Virtual Desktop Session Name in AWS Research and Engineering Studio (RES)
CVSS 8.8
CVE-2026-5679
MEDIUM
Totolink A3300R cstecgi.cgi vsetTr069Cfg os command injection
CVSS 5.5
CVE-2026-35022
CRITICAL
Anthropic Claude Code & Agent SDK OS Command Injection via Authentication Helper
CVSS 9.8
CVE-2026-35021
HIGH
Anthropic Claude Code & Agent SDK OS Command Injection via promptEditor.ts
CVSS 7.8
CVE-2026-35020
HIGH
Anthropic Claude Code & Agent SDK OS Command Injection via TERMINAL Environment Variable
CVSS 8.4
CVE-2026-5678
HIGH
Totolink A7100RU cstecgi.cgi setScheduleCfg os command injection
CVSS 7.3
CVE-2026-5677
HIGH
Totolink A7100RU cstecgi.cgi CsteSystem os command injection
CVSS 7.3
CVE-2026-35043
HIGH
BentoML: command injection in cloud deployment setup script (deployment.py)
CVSS 7.8
CVE-2026-34977
CRITICAL
Aperi'Solve Affected by Unauthenticated RCE via JPSeek Analyzer Command
CVSS 9.8
CVE-2026-34982
HIGH
Vim modeline bypass via various options affects Vim < 9.2.0276
CVSS 8.2
CVE-2026-34940
HIGH
KubeAI has an OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
CVSS 8.7
CVE-2026-5663
HIGH
OFFIS DCMTK storescp storescp.cc executeOnEndOfStudy os command injection
CVSS 7.3
CVE-2026-31067
MEDIUM
UTT Aggressive 520W v3v1.7.7-180627 - RCE
CVSS 6.8
CVE-2026-5621
MEDIUM
ChrisChinchilla Vale-MCP HTTP index.ts os command injection
CVSS 5.3
CVE-2026-5619
MEDIUM
Braffolk mcp-summarization-functions summarize_command mcp-server.ts os command injection
CVSS 5.3
CVE-2026-5603
MEDIUM
elgentos magento2-dev-mcp index.ts executeMagerun2Command os command injection
CVSS 5.3
CVE-2026-5602
MEDIUM
Nor2-io heim-mcp new_heim_application tools.ts registerTools os command injection
CVSS 5.3
CVE-2026-5547
MEDIUM
Tenda AC10 httpd formAddMacfilterRule os command injection
CVSS 6.3
CVE-2026-5532
MEDIUM
ScrapeGraphAI scrapegraph-ai GenerateCodeNode generate_code_node.py create_sandbox_and_execute os command injection
CVSS 6.3
CVE-2026-5528
MEDIUM
MoussaabBadla code-screenshot-mcp HTTP os command injection
CVSS 6.3
CVE-2026-34955
HIGH
PraisonAI: Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
CVSS 8.8
CVE-2026-34779
MEDIUM
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
CVSS 6.5
CVE-2026-34937
HIGH
PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution
CVSS 7.8
Details
Vulnerabilities: 5,667
Exploit Likelihood: High