CWE-77— Command Injection
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.— MITRE CWE catalog
3,886 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-77page 57 of 78
- CVE-2025-29226MEDIUMCVSS 6.3EG 8.32025-03-21
In Linksys E5600 V1.1.0.26, the \usr\share\lua\runtime.lua file contains a command injection vulnerability in the runtime.pingTest function via the pt["count"] parameter.
- CVE-2025-29227MEDIUMCVSS 6.3EG 8.82025-03-21
In Linksys E5600 V1.1.0.26, the \usr\share\lua\runtime.lua file contains a command injection vulnerability in the runtime.pingTest function via the pt["pkgsize"] parameter.
- CVE-2025-29228CRITICALCVSS 9.8EG 9.82025-12-23
Linksys E5600 V1.1.0.26 is vulnerable to command injection in the runtime.macClone function via the mc.ip parameter.
- CVE-2025-29229CRITICALCVSS 9.8EG 9.82025-12-23
linksys E5600 V1.1.0.26 is vulnerable to command injection in the function ddnsStatus.
- CVE-2025-29230HIGHCVSS 8.6EG 8.62025-03-21
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.emailReg function. The vulnerability can be triggered via the `pt["email"]` parameter.
- CVE-2025-29509HIGHCVSS 8.8EG 9.82025-05-09
Jan v0.5.14 and before is vulnerable to remote code execution (RCE) when the user clicks on a rendered link in the conversation, due to opening external website in the app and the exposure of electronAPI, with a lack of filtering of URL wh…
- CVE-2025-29516HIGHCVSS 7.2EG 7.22025-08-25
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the backup function.
- CVE-2025-29517MEDIUMCVSS 6.8EG 6.82025-08-25
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the traceroute6 function.
- CVE-2025-29519MEDIUMCVSS 5.3EG 5.32025-08-25
A command injection vulnerability in the EXE parameter of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to execute arbitrary commands via supplying a crafted GET request.
- CVE-2025-29522MEDIUMCVSS 6.5EG 6.52025-08-25
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the ping function.
- CVE-2025-29523HIGHCVSS 7.2EG 7.22025-08-25
D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the ping6 function.
- CVE-2025-29628CRITICALCVSS 9.4EG 8.12025-07-25
A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection in Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 leaving the string vu…
- CVE-2025-29635HIGHCVSS 7.2EG 9.0⚠ KEV2025-03-25
A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, trigg…
- CVE-2025-29743MEDIUMCVSS 6.5EG 6.52025-04-22
D-Link DIR-816 A2V1.1.0B05 was found to contain a command injection in /goform/delRouting.
- CVE-2025-2983MEDIUMCVSS 5.5EG 5.52025-03-31
A vulnerability has been found in Legrand SMS PowerView 1.x and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument redirect leads to os command injection. The exploit has be…
- CVE-2025-29887HIGHCVSS 7.2EG 7.22025-08-29
A command injection vulnerability has been reported to affect QuRouter 2.5.1. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerabil…
- CVE-2025-3002HIGHCVSS 7.3EG 7.32025-03-31
A vulnerability, which was classified as critical, has been found in Digital China DCME-520 up to 20250320. This issue affects some unknown processing of the file /usr/local/WWW/function/audit/newstatistics/mon_merge_stat_hist.php. The man…
- CVE-2025-3008MEDIUMCVSS 5.5EG 5.52025-03-31
A vulnerability classified as critical has been found in Novastar CX40 up to 2.44.0. Affected is the function system/popen of the file /usr/nova/bin/netconfig of the component NetFilter Utility. The manipulation leads to command injection.…
- CVE-2025-30264HIGHCVSS 8.8EG 8.82025-08-29
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed …
- CVE-2025-31644HIGHCVSS 8.7EG 8.72025-05-07
When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary…
- CVE-2025-31710MEDIUMCVSS 5.9EG 5.92025-06-03
In engineermode service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed.
- CVE-2025-31951HIGHCVSS 8.8EG 8.82026-05-06
HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.
- CVE-2025-3249MEDIUMCVSS 6.3EG 6.32025-04-04
A vulnerability classified as critical was found in TOTOLINK A6000R 1.0.1-B20201211.2000. Affected by this vulnerability is the function apcli_cancel_wps of the file /usr/lib/lua/luci/controller/mtkwifi.lua. The manipulation leads to comma…
- CVE-2025-32702HIGHCVSS 7.8EG 7.82025-05-13
Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an unauthorized attacker to execute code locally.
- CVE-2025-32711CRITICALCVSS 9.3EG 9.32025-06-11
Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
- CVE-2025-32813HIGHCVSS 7.2EG 7.22025-05-22
An issue was discovered in Infoblox NETMRI before 7.6.1. Remote Unauthenticated Command Injection can occur.
- CVE-2025-34267HIGHCVSS 8.4EG 9.92025-10-14
Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) wit…
- CVE-2025-3539HIGHCVSS 8.0EG 8.02025-04-13
A vulnerability classified as critical has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. Affected is the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizard/getBas…
- CVE-2025-3540HIGHCVSS 8.0EG 8.02025-04-13
A vulnerability classified as critical was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400 and Magic R3010 up to V100R014. Affected by this vulnerability is the function FCGI_WizardProtoProcess of the file /api/wizard/getCapability of…
- CVE-2025-3541HIGHCVSS 8.0EG 8.02025-04-13
A vulnerability, which was classified as critical, has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400 and Magic R3010 up to V100R014. Affected by this issue is the function FCGI_WizardProtoProcess of the file /api/wizard/getSpec…
- CVE-2025-3542HIGHCVSS 8.0EG 8.02025-04-14
A vulnerability, which was classified as critical, was found in H3C Magic NX15, Magic NX400 and Magic R3010 up to V100R014. This affects the function FCGI_WizardProtoProcess of the file /api/wizard/getsyncpppoecfg of the component HTTP POS…
- CVE-2025-3543HIGHCVSS 8.0EG 8.02025-04-14
A vulnerability has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400 and Magic R3010 up to V100R014 and classified as critical. This vulnerability affects the function FCGI_WizardProtoProcess of the file /api/wizard/setsyncpppoecf…
- CVE-2025-3544HIGHCVSS 8.0EG 8.02025-04-14
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014 and classified as critical. This issue affects the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizard/…
- CVE-2025-3545HIGHCVSS 8.0EG 8.02025-04-14
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been classified as critical. Affected is the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizar…
- CVE-2025-3546HIGHCVSS 8.0EG 8.02025-04-14
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been declared as critical. Affected by this vulnerability is the function FCGI_CheckStringIfContainsSemicolon of…
- CVE-2025-3621CRITICALCVSS 9.6EG 9.62025-07-15
Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems. * vulnerabilities: * Improper Neutralization of Special Elements used in a Command ('Command Injec…
- CVE-2025-37089CRITICALCVSS 9.8EG 9.82025-06-02
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
- CVE-2025-37091HIGHCVSS 7.2EG 7.22025-06-02
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
- CVE-2025-37092CRITICALCVSS 9.8EG 9.82025-06-02
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
- CVE-2025-37096CRITICALCVSS 9.8EG 9.82025-06-02
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
- CVE-2025-37102HIGHCVSS 7.2EG 7.22025-07-08
An authenticated command injection vulnerability exists in the Command line interface of HPE Networking Instant On Access Points. A successful exploitation could allow a remote attacker with elevated privileges to execute arbitrary com…
- CVE-2025-37133HIGHCVSS 7.2EG 7.22025-10-14
An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a p…
- CVE-2025-37134HIGHCVSS 7.2EG 7.22025-10-14
An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a p…
- CVE-2025-37138MEDIUMCVSS 6.2EG 6.22025-10-14
An authenticated command injection vulnerability exists in the command line interface binary of AOS-10 GW and AOS-8 Controllers/Mobility Conductor operating system. Exploitation of this vulnerability requires physical access to the hardwar…
- CVE-2025-37146HIGHCVSS 7.2EG 7.22025-10-14
A vulnerability in the web-based management interface of network access point configuration services could allow an authenticated remote attacker to perform remote command execution. Successful exploitation could allow an attacker to execu…
- CVE-2025-37162MEDIUMCVSS 6.5EG 6.52025-11-18
A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Successful exploitation could allow an attacker to execute arbitrary commands on the unde…
- CVE-2025-37163HIGHCVSS 7.2EG 7.22025-11-18
A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. An authenticated attacker could exploit this vulnerability to execute arbitrary operating system commands wit…
- CVE-2025-37176MEDIUMCVSS 6.5EG 6.52026-01-13
A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. Successful exploit could allow an authentica…
- CVE-2025-3729HIGHCVSS 7.3EG 7.32025-04-16
A vulnerability, which was classified as critical, has been found in SourceCodester Web-based Pharmacy Product Management System 1.0. This issue affects some unknown processing of the file backup.php of the component Database Backup Handle…
- CVE-2025-3816MEDIUMCVSS 4.7EG 4.72025-04-19
A vulnerability classified as critical was found in westboy CicadasCMS 2.0. This vulnerability affects unknown code of the file /system/schedule/save of the component Scheduled Task Handler. The manipulation leads to os command injection. …
Map vulnerabilities like CWE-77 to your infrastructure
EchelonGraph correlates every CVE — across CWE-77 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →