CWE-77— Command Injection
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.— MITRE CWE catalog
3,879 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-77page 23 of 78
- CVE-2022-25084CRITICALCVSS 9.8EG 9.82022-02-24
TOTOLink T6 V5.9c.4085_B20190428 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
- CVE-2022-25130CRITICALCVSS 9.8EG 9.82022-02-19
A command injection vulnerability in the function updateWifiInfo of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a cr…
- CVE-2022-25131CRITICALCVSS 9.8EG 9.82022-02-19
A command injection vulnerability in the function recvSlaveCloudCheckStatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary comman…
- CVE-2022-25132CRITICALCVSS 9.8EG 9.82022-02-19
A command injection vulnerability in the function meshSlaveDlfw of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
- CVE-2022-25133CRITICALCVSS 9.8EG 9.82022-02-19
A command injection vulnerability in the function isAssocPriDevice of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
- CVE-2022-25134CRITICALCVSS 9.8EG 9.82022-02-19
A command injection vulnerability in the function setUpgradeFW of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
- CVE-2022-25135CRITICALCVSS 9.8EG 9.82022-02-19
A command injection vulnerability in the function recv_mesh_info_sync of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
- CVE-2022-25136CRITICALCVSS 9.8EG 9.82022-02-19
A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a c…
- CVE-2022-25137CRITICALCVSS 9.8EG 9.82022-02-19
A command injection vulnerability in the function recvSlaveUpgstatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via …
- CVE-2022-25350HIGHCVSS 7.4EG 7.82023-01-26
All versions of the package puppet-facter are vulnerable to Command Injection via the getFact function due to improper input sanitization.
- CVE-2022-25427CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the schedendtime parameter in the openSchedWifi function.
- CVE-2022-25428CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the deviceId parameter in the saveparentcontrolinfo function.
- CVE-2022-25429CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a buffer overflow via the time parameter in the saveparentcontrolinfo function.
- CVE-2022-25431CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain multiple stack overflows via the NPTR, V12, V10 and V11 parameter in the Formsetqosband function.
- CVE-2022-25433CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the urls parameter in the saveparentcontrolinfo function.
- CVE-2022-25434CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the firewallen parameter in the SetFirewallCfg function.
- CVE-2022-25435CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the list parameter in the SetStaticRoutecfg function.
- CVE-2022-25437CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the list parameter in the SetVirtualServerCfg function.
- CVE-2022-25438CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a remote command execution (RCE) vulnerability via the SetIPTVCfg function.
- CVE-2022-25439CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the list parameter in the SetIpMacBind function.
- CVE-2022-25440CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the ntpserver parameter in the SetSysTimeCfg function.
- CVE-2022-25441CRITICALCVSS 9.8EG 9.82022-03-18
Tenda AC9 v15.03.2.21 was discovered to contain a remote command execution (RCE) vulnerability via the vlanid parameter in the SetIPTVCfg function.
- CVE-2022-25619LOWCVSS 3.8EG 6.72022-03-30
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in ping tool of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause run arbitrary code. This issue affects: Profelis IT Consu…
- CVE-2022-25809CRITICALCVSS 9.8EG 9.82022-02-24
Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetoo…
- CVE-2022-25834HIGHCVSS 7.8EG 7.82023-06-07
In Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19, a crafted filename on the local file system could trigger unexpected command shell execution of arbitrary commands.
- CVE-2022-25853HIGHCVSS 7.4EG 7.82023-02-06
All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization.
- CVE-2022-25855HIGHCVSS 7.4EG 7.82023-02-06
All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.
- CVE-2022-25890HIGHCVSS 7.4EG 9.82023-01-09
All versions of the package wifey are vulnerable to Command Injection via the connect() function due to improper input sanitization.
- CVE-2022-25900HIGHCVSS 8.1EG 8.12022-07-01
All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.
- CVE-2022-25908HIGHCVSS 7.4EG 9.82023-01-26
All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.
- CVE-2022-25916HIGHCVSS 7.4EG 7.42023-02-01
Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' function.
- CVE-2022-25923HIGHCVSS 7.4EG 7.42023-01-06
Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization.
- CVE-2022-25962HIGHCVSS 7.4EG 9.82023-01-26
All versions of the package vagrant.js are vulnerable to Command Injection via the boxAdd function due to improper input sanitization.
- CVE-2022-26007HIGHCVSS 7.2EG 7.22022-05-12
An OS command injection vulnerability exists in the console factory functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to command execution. An attacker can send a sequence of requests to trig…
- CVE-2022-26042HIGHCVSS 8.8EG 8.82022-05-12
An OS command injection vulnerability exists in the daretools binary functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of reque…
- CVE-2022-26085HIGHCVSS 8.8EG 8.82022-05-12
An OS command injection vulnerability exists in the httpd wlscan_ASP functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP …
- CVE-2022-26111HIGHCVSS 8.8EG 8.82022-04-25
The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding Bea…
- CVE-2022-26151HIGHCVSS 7.2EG 7.22022-04-13
Citrix XenMobile Server 10.12 through RP11, 10.13 through RP7, and 10.14 through RP4 allows Command Injection.
- CVE-2022-26186CRITICALCVSS 9.8EG 9.82022-03-22
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the exportOvpn interface at cstecgi.cgi.
- CVE-2022-26187CRITICALCVSS 9.8EG 9.82022-03-22
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the pingCheck function.
- CVE-2022-26188CRITICALCVSS 9.8EG 9.82022-03-22
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via /setting/NTPSyncWithHost.
- CVE-2022-26189CRITICALCVSS 9.8EG 9.82022-03-22
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the langType parameter in the login interface.
- CVE-2022-26206CRITICALCVSS 9.8EG 9.82022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26207CRITICALCVSS 9.8EG 9.82022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26208CRITICALCVSS 9.8EG 9.82022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26209CRITICALCVSS 9.8EG 9.82022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26210CRITICALCVSS 9.8EG 9.82022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26211CRITICALCVSS 9.8EG 9.82022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26212CRITICALCVSS 9.8EG 9.82022-03-15
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command inject…
- CVE-2022-26213CRITICALCVSS 9.8EG 9.82022-03-15
Totolink X5000R_Firmware v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function setNtpCfg, via the tz parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted r…
Map vulnerabilities like CWE-77 to your infrastructure
EchelonGraph correlates every CVE — across CWE-77 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →