CWE-77— Command Injection
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.— MITRE CWE catalog
3,885 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-77page 37 of 78
- CVE-2023-36642MEDIUMCVSS 6.7EG 6.72023-09-13
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of FortiTester 3.0.0 through 7.2.3 may allow an authenticated attacker to execute unauthorized commands via specifical…
- CVE-2023-36750CRITICALCVSS 9.1EG 9.12023-07-11
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM …
- CVE-2023-36751CRITICALCVSS 9.1EG 9.12023-07-11
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM …
- CVE-2023-36752CRITICALCVSS 9.1EG 9.12023-07-11
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM …
- CVE-2023-36753CRITICALCVSS 9.1EG 9.12023-07-11
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM …
- CVE-2023-36754CRITICALCVSS 9.1EG 9.12023-07-11
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM …
- CVE-2023-36755CRITICALCVSS 9.1EG 9.12023-07-11
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM …
- CVE-2023-36805HIGHCVSS 7.0EG 7.02023-09-12
Windows MSHTML Platform Security Feature Bypass Vulnerability
- CVE-2023-36953CRITICALCVSS 9.8EG 9.82023-10-16
TOTOLINK CP300+ V5.2cu.7594_B20200910 and before is vulnerable to command injection.
- CVE-2023-36954CRITICALCVSS 9.8EG 9.82023-10-16
TOTOLINK CP300+ V5.2cu.7594_B20200910 and before is vulnerable to command injection.
- CVE-2023-3710CRITICALCVSS 9.9EG 9.92023-09-12
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the r…
- CVE-2023-37144CRITICALCVSS 9.8EG 9.82023-07-07
Tenda AC10 v15.03.06.26 was discovered to contain a command injection vulnerability via the mac parameter in the function formWriteFacMac.
- CVE-2023-37145CRITICALCVSS 9.8EG 9.82023-07-07
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the hostname parameter in the setOpModeCfg function.
- CVE-2023-37146CRITICALCVSS 9.8EG 9.82023-07-07
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function.
- CVE-2023-37148CRITICALCVSS 9.8EG 9.82023-07-07
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the ussd parameter in the setUssd function.
- CVE-2023-37149CRITICALCVSS 9.8EG 9.82023-07-07
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadSetting function.
- CVE-2023-37154HIGHCVSS 8.4EG 8.42024-10-09
check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. This has been categorized both as fixed in e8810de, and as intended behavior.
- CVE-2023-3718HIGHCVSS 8.8EG 8.82023-08-01
An authenticated command injection vulnerability exists in the AOS-CX command line interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands on the underlying operating system as a privi…
- CVE-2023-37214CRITICALCVSS 9.8EG 9.82023-07-30
Heights Telecom ERO1xS-Pro Dual-Band FW version BZ_ERO1XP.025.
- CVE-2023-3739MEDIUMCVSS 6.3EG 6.32023-08-01
Insufficient validation of untrusted input in Chromad in Google Chrome on ChromeOS prior to 115.0.5790.131 allowed a remote attacker to execute arbitrary code via a crafted shell script. (Chromium security severity: Low)
- CVE-2023-37469HIGHCVSS 8.8EG 8.82023-08-24
CasaOS is an open-source personal cloud system. Prior to version 0.4.4, if an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands. Version 0.4.4 contains a…
- CVE-2023-37566HIGHCVSS 8.0EG 8.02023-07-13
Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary command by sending a specially crafted request to the web management page. Affected product…
- CVE-2023-37567CRITICALCVSS 9.8EG 9.82023-07-13
Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a remote unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port of the web management page. Affect…
- CVE-2023-37568HIGHCVSS 8.0EG 8.02023-07-13
ELECOM wireless LAN routers WRC-1167GHBK-S v1.03 and earlier, and WRC-1167GEBK-S v1.03 and earlier allow a network-adjacent authenticated attacker to execute an arbitrary command by sending a specially crafted request to the web management…
- CVE-2023-37679CRITICALCVSS 9.8EG 9.82023-08-03
A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.
- CVE-2023-37794CRITICALCVSS 9.8EG 9.82023-07-14
WAYOS FBM-291W 19.09.11V was discovered to contain a command injection vulnerability via the component /upgrade_filter.asp.
- CVE-2023-38027CRITICALCVSS 9.8EG 9.82023-08-28
SpotCam Co., Ltd. SpotCam Sense’s hidden Telnet function has a vulnerability of OS command injection. An remote unauthenticated attacker can exploit this vulnerability to execute command injection attack to perform arbitrary system comma…
- CVE-2023-38034CRITICALCVSS 9.8EG 8.32023-08-10
A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.53…
- CVE-2023-38120HIGHCVSS 8.8EG 8.82024-05-03
Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adtran SR400ac routers. Although authentication is required to exp…
- CVE-2023-38193HIGHCVSS 8.8EG 8.82023-10-21
An issue was discovered in SuperWebMailer 9.00.0.01710. It allows Remote Code Execution via a crafted sendmail command line.
- CVE-2023-38286HIGHCVSS 7.5EG 7.52023-07-14
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code executi…
- CVE-2023-38336CRITICALCVSS 9.8EG 9.82023-07-14
netkit-rcp in rsh-client 0.17-24 allows command injection via filenames because /bin/sh is used by susystem, a related issue to CVE-2006-0225, CVE-2019-7283, and CVE-2020-15778.
- CVE-2023-38690MEDIUMCVSS 5.8EG 5.82023-08-04
matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, wh…
- CVE-2023-38829HIGHCVSS 8.8EG 8.82023-09-11
An issue in NETIS SYSTEMS WF2409E v.3.6.42541 allows a remote attacker to execute arbitrary code via the ping and traceroute functions of the diagnostic tools component in the admin management interface.
- CVE-2023-38861CRITICALCVSS 9.8EG 9.82023-08-15
An issue in Wavlink WL_WNJ575A3 v.R75A3_V1410_220513 allows a remote attacker to execute arbitrary code via username parameter of the set_sys_adm function in adm.cgi.
- CVE-2023-38862CRITICALCVSS 9.8EG 9.82023-08-15
An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the destination parameter of sub_431F64 function in bin/webmgnt.
- CVE-2023-38863CRITICALCVSS 9.8EG 9.82023-08-15
An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the ifname and mac parameters in the sub_410074 function at bin/webmgnt.
- CVE-2023-38864CRITICALCVSS 9.8EG 9.82023-08-15
An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the protal_delete_picname parameter in the sub_41171C function at bin/webmgnt.
- CVE-2023-38865CRITICALCVSS 9.8EG 9.82023-08-15
COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected at function sub_4143F0. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter timestr.
- CVE-2023-38866CRITICALCVSS 9.8EG 9.82023-08-15
COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected at function sub_415588. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter interface and display_name.
- CVE-2023-38902HIGHCVSS 8.8EG 8.82023-08-17
A command injection vulnerability in RG-EW series home routers and repeaters v.EW_3.0(1)B11P219, RG-NBS and RG-S1930 series switches v.SWITCH_3.0(1)B11P219, RG-EG series business VPN routers v.EG_3.0(1)B11P219, EAP and RAP series wireless …
- CVE-2023-38921HIGHCVSS 8.8EG 8.82023-08-07
Netgear WG302v2 v5.2.9 and WAG302v2 v5.1.19 were discovered to contain multiple command injection vulnerabilities in the upgrade_handler function via the firmwareRestore and firmwareServerip parameters.
- CVE-2023-38928CRITICALCVSS 9.8EG 9.82023-08-07
Netgear R7100LG 1.0.0.78 was discovered to contain a command injection vulnerability via the password parameter at usb_remote_invite.cgi.
- CVE-2023-38941CRITICALCVSS 9.8EG 9.82023-08-04
django-sspanel v2022.2.2 was discovered to contain a remote command execution (RCE) vulnerability via the component sspanel/admin_view.py -> GoodsCreateView._post.
- CVE-2023-38942CRITICALCVSS 9.8EG 9.82023-08-03
Dango-Translator v4.5.5 was discovered to contain a remote command execution (RCE) vulnerability via the component app/config/cloud_config.json.
- CVE-2023-39001CRITICALCVSS 9.8EG 9.82023-08-09
A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.
- CVE-2023-39008CRITICALCVSS 9.8EG 9.82023-08-09
A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands.
- CVE-2023-39293CRITICALCVSS 9.8EG 9.82023-08-14
A Command Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to execute arbitrary commands within the context of the system.
- CVE-2023-39362HIGHCVSS 7.2EG 9.02023-09-05
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command inje…
- CVE-2023-39471HIGHCVSS 8.8EG 7.52024-05-03
TP-Link TL-WR841N ated_tp Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR841N routers. Authentication is not r…
Map vulnerabilities like CWE-77 to your infrastructure
EchelonGraph correlates every CVE — across CWE-77 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →