CWE-77— Command Injection
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.— MITRE CWE catalog
3,881 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-77page 28 of 78
- CVE-2022-37130CRITICALCVSS 9.8EG 9.82022-08-31
In D-Link DIR-816 A2_v1.10CNB04, DIR-878 DIR_878_FW1.30B08.img a command injection vulnerability occurs in /goform/Diagnosis, after the condition is met, setnum will be spliced into v10 by snprintf, and the system will be executed, resulti…
- CVE-2022-37149CRITICALCVSS 9.8EG 9.82022-08-30
WAVLINK WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability when operating the file adm.cgi. This vulnerability allows attackers to execute arbitrary commands via the username parameter.
- CVE-2022-37425CRITICALCVSS 9.9EG 9.82022-10-28
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in OpenNebula OpenNebula core on Linux allows Remote Code Inclusion.
- CVE-2022-37704MEDIUMCVSS 6.7EG 7.82023-04-16
Amanda 3.5.1 allows privilege escalation from the regular user backup to root. The SUID binary located at /lib/amanda/rundump will execute /usr/sbin/dump as root with controlled arguments from the attacker which may lead to escalation of p…
- CVE-2022-37718HIGHCVSS 8.8EG 8.82023-01-23
The management portal component of JetNexus/EdgeNexus ADC 4.2.8 was discovered to contain a command injection vulnerability. This vulnerability allows authenticated attackers to execute arbitrary commands through a specially crafted payloa…
- CVE-2022-37810CRITICALCVSS 9.8EG 9.82022-08-25
Tenda AC1206 V15.03.06.23 was discovered to contain a command injection vulnerability via the mac parameter in the function formWriteFacMac.
- CVE-2022-37843CRITICALCVSS 9.8EG 9.82022-09-06
In TOTOLINK A860R V4.1.2cu.5182_B20201027 in cstecgi.cgi, the acquired parameters are directly put into the system for execution without filtering, resulting in a command injection vulnerability.
- CVE-2022-37860CRITICALCVSS 9.8EG 9.82022-09-12
The web configuration interface of the TP-Link M7350 V3 with firmware version 190531 is affected by a pre-authentication command injection vulnerability.
- CVE-2022-37878HIGHCVSS 7.2EG 7.22022-09-20
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as…
- CVE-2022-37879HIGHCVSS 7.2EG 7.22022-09-20
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as…
- CVE-2022-37881HIGHCVSS 7.2EG 7.22022-09-20
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as…
- CVE-2022-37883HIGHCVSS 7.2EG 7.22022-09-20
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as…
- CVE-2022-37893HIGHCVSS 7.8EG 7.82022-10-07
An authenticated command injection vulnerability exists in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user o…
- CVE-2022-37897CRITICALCVSS 9.8EG 9.82022-12-12
There is a command injection vulnerability that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation …
- CVE-2022-37898HIGHCVSS 7.2EG 8.82022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37899HIGHCVSS 7.2EG 7.22022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37900HIGHCVSS 7.2EG 7.22022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37901HIGHCVSS 7.2EG 7.22022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37902HIGHCVSS 7.2EG 7.22022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-37912HIGHCVSS 7.2EG 8.82022-12-12
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying opera…
- CVE-2022-38156HIGHCVSS 7.2EG 7.22023-06-12
A remote command injection issues exists in the web server of the Kratos SpectralNet device with SpectralNet Narrowband (NB) before 1.7.5. As an admin user, an attacker can send a crafted password in order to execute Linux commands as the …
- CVE-2022-38308CRITICALCVSS 9.8EG 9.82022-09-14
TOTOLink A700RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the lang parameter in the function cstesystem. This vulnerability allows attackers to execute arbitrary commands via a crafted payload.
- CVE-2022-38511HIGHCVSS 7.8EG 7.82022-08-29
TOTOLINK A810R V5.9c.4050_B20190424 was discovered to contain a command injection vulnerability via the component downloadFile.cgi.
- CVE-2022-38531HIGHCVSS 8.8EG 8.82022-09-08
FPT G-97RG6M R4.2.98.035 and G-97RG3 R4.2.43.078 are vulnerable to Remote Command Execution in the ping function.
- CVE-2022-38534HIGHCVSS 7.2EG 7.22022-09-15
TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setdiagnosicfg function.
- CVE-2022-38535HIGHCVSS 7.2EG 7.22022-09-15
TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg function.
- CVE-2022-38826CRITICALCVSS 9.8EG 9.82022-09-16
In TOTOLINK T6 V4.1.5cu.709_B20210518, there is an execute arbitrary command in cstecgi.cgi.
- CVE-2022-38828CRITICALCVSS 9.8EG 9.82022-09-16
TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi
- CVE-2022-39057HIGHCVSS 7.2EG 7.22022-10-18
RAVA certificate validation system has insufficient filtering for special parameter of the web page input field. A remote attacker with administrator privilege can exploit this vulnerability to perform arbitrary system command and disrupt …
- CVE-2022-39073CRITICALCVSS 9.8EG 9.82023-01-06
There is a command injection vulnerability in ZTE MF286R, Due to insufficient validation of the input parameters, an attacker could use the vulnerability to execute arbitrary commands.
- CVE-2022-39081MEDIUMCVSS 6.7EG 6.72023-01-04
In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed.
- CVE-2022-39082MEDIUMCVSS 6.7EG 6.72023-01-04
In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed.
- CVE-2022-39083MEDIUMCVSS 6.7EG 6.72023-01-04
In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed.
- CVE-2022-39084MEDIUMCVSS 6.7EG 6.72023-01-04
In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed.
- CVE-2022-39085MEDIUMCVSS 6.7EG 6.72023-01-04
In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed.
- CVE-2022-39086MEDIUMCVSS 6.7EG 6.72023-01-04
In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed.
- CVE-2022-39087MEDIUMCVSS 6.7EG 6.72023-01-04
In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed.
- CVE-2022-39088MEDIUMCVSS 6.7EG 6.72023-01-04
In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed.
- CVE-2022-39243HIGHCVSS 8.4EG 8.42022-09-26
NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in th…
- CVE-2022-39265HIGHCVSS 7.2EG 7.22022-10-06
MyBB is a free and open source forum software. The _Mail Settings_ → Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access t…
- CVE-2022-39986CRITICALCVSS 9.8EG 9.82023-08-01
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
- CVE-2022-39987HIGHCVSS 8.8EG 8.82023-08-01
A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php.
- CVE-2022-4002HIGHCVSS 7.2EG 7.22024-07-31
A command injection vulnerability could allow an authenticated user to execute operating system commands as root via a specially crafted API request.
- CVE-2022-40021CRITICALCVSS 9.8EG 9.82023-02-17
QVidium Technologies Amino A140 (prior to firmware version 1.0.0-283) was discovered to contain a command injection vulnerability.
- CVE-2022-40022CRITICALCVSS 9.8EG 9.82023-02-13
Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability.
- CVE-2022-4009HIGHCVSS 8.8EG 8.82023-03-16
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
- CVE-2022-40100CRITICALCVSS 9.8EG 9.82022-09-23
Tenda i9 v1.0.0.8(3828) was discovered to contain a command injection vulnerability via the FormexeCommand function.
- CVE-2022-40282HIGHCVSS 8.8EG 8.82022-11-25
The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection. This allows an authenticated attacker to pass commands to the shell of the system because the dir parameter of the FsCreateDir Ajax function …
- CVE-2022-40469HIGHCVSS 8.8EG 8.82022-10-12
iKuai OS v3.6.7 was discovered to contain an authenticated remote code execution (RCE) vulnerability.
- CVE-2022-40475CRITICALCVSS 9.8EG 9.82022-09-29
TOTOLINK A860R V4.1.2cu.5182_B20201027 was discovered to contain a command injection via the component /cgi-bin/downloadFile.cgi.
Map vulnerabilities like CWE-77 to your infrastructure
EchelonGraph correlates every CVE — across CWE-77 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →