CWE-78

Exploit likelihood: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,973 vulnerabilities with CWE-78
CVE-2024-38471 MEDIUM
TP-LINK Archer AX3000, AXE75, AX5400, and Air R5 - Authenticated OS Command Injection via Backup File Restore
CVSS 6.8
CVE-2024-32937 HIGH
Grandstream GXP2135 Firmware 1.0.9.129, 1.0.11.74, 1.0.11.79 - OS Command Injection via CWMP SelfDefinedTimeZone
CVSS 8.1
CVE-2024-5672 HIGH
Helmholz REX 100 and Red Lion Europe mbNET.mini <= 2.2.11 - Command Injection
CVSS 7.2
CVE-2024-20399 MEDIUM KEV
Cisco NX-OS Software - Command Injection
CVSS 6.0
CVE-2024-39351 HIGH
Synology BC500 and TC500 Firmware < 1.0.7-0298 - Authenticated OS Command Injection via NTP Configuration
CVSS 7.2
CVE-2024-37140 HIGH
Dell PowerProtect DD < 8.0, LTS < 7.13.1.0, LTS < 7.10.1.30, LTS < 7.7.5.40 - Authenticated OS Command Injection
CVSS 8.8
CVE-2024-5181 CRITICAL
mudler/localai <2.14.0 - Command Injection
CVSS 9.8
CVE-2024-4884 CRITICAL
WhatsUp Gold < 23.1.3 - Unauthenticated Remote Code Execution via CommunityController
CVSS 9.8
CVE-2024-4883 CRITICAL
Progress WhatsUp Gold < 23.1.3 - Unauthenticated Remote Code Execution via NmApi.exe
CVSS 9.8
CVE-2024-37678 MEDIUM
Finesoft < 8.0 - Remote Code Execution via Crafted Script
CVSS 5.3
CVE-2024-4748 HIGH
j11g/cruddiy < 202312.1 - OS Command Injection via Crafted POST Request
CVSS 8.8
CVE-2024-37091 CRITICAL
Consulting Elementor Widgets < 1.3.1 and Masterstudy Elementor Widgets < 1.2.2 - OS Command Injection
CVSS 9.9
CVE-2024-3121 LOW
lollms 5.9.0 - Remote Code Execution via create_conda_env Function
CVSS 3.3
CVE-2024-37626 HIGH
TOTOLINK A6000R V1.0.1-B20201211.2000 - OS Command Injection via iface Parameter in vif_enable Function
CVSS 8.8
CVE-2024-6187 MEDIUM
Ruijie RG-UAC 1.0 - OS Command Injection via Autovpn Key Parameter
CVSS 6.3
CVE-2024-6186 MEDIUM
Ruijie RG-UAC 1.0 - OS Command Injection via ad_log_name Parameter
CVSS 6.3
CVE-2024-6185 MEDIUM
Ruijie RG-UAC 1.0 - OS Command Injection via ethname Argument in dhcpConfig
CVSS 6.3
CVE-2024-6184 MEDIUM
Ruijie RG-UAC 1.0 - OS Command Injection via servicename Parameter
CVSS 6.3
CVE-2024-6048 CRITICAL
Openfind MailGates and MailAudit 5.0 < Patch 5.2.10.094 and 6.0 < Patch 6.1.7.037 - Unauthenticated OS Command Injection
CVSS 9.8
CVE-2024-6047 CRITICAL KEV
GeoVision EOL Devices - Unauthenticated OS Command Injection
CVSS 9.8
CVE-2024-31162 HIGH
ASUS Download Master < 3.1.0.113 - Unauthenticated OS Command Injection
CVSS 7.2
CVE-2024-27172 CRITICAL
Toshiba e-Studio MFP Remote Command - Remote Code Execution
CVSS 9.8
CVE-2024-4696 HIGH
Lenovo Service Bridge <5.0.2.17 - Privilege Escalation
CVSS 7.5
CVE-2024-36103 MEDIUM
WRC-X5400GS-B <1.0.10 - Command Injection
CVSS 6.8
CVE-2024-36360 CRITICAL
awkblog <= v0.0.1 - Unauthenticated OS Command Injection
CVSS 9.8