CWE-77— Command Injection
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.— MITRE CWE catalog
3,886 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-77page 59 of 78
- CVE-2025-44847MEDIUMCVSS 6.3EG 6.32025-05-01
TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted requ…
- CVE-2025-44848MEDIUMCVSS 6.5EG 6.52025-05-01
TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the msg_process function via the Url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44854MEDIUMCVSS 6.3EG 6.32025-05-01
TOTOLINK CP900 V6.3c.1144_B20190715 was found to contain a command injection vulnerability in the setUpgradeUboot function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44860MEDIUMCVSS 6.5EG 6.52025-05-01
TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the msg_process function via the Port parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44861MEDIUMCVSS 6.3EG 6.32025-05-01
TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the url parameter. This vulnerability allows attackers to execute arbitrary commands via a craft…
- CVE-2025-44862MEDIUMCVSS 6.3EG 6.32025-05-01
TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the recvUpgradeNewFw function via the fwUrl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44863MEDIUMCVSS 6.5EG 6.52025-05-01
TOTOLINK CA300-POE V6.2c.884_B20180522 was found to contain a command injection vulnerability in the msg_process function via the Url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44864MEDIUMCVSS 6.3EG 6.32025-05-01
Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the module parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44865MEDIUMCVSS 6.3EG 6.32025-05-01
Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the enable parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44866MEDIUMCVSS 6.3EG 6.32025-05-01
Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetDebugCfg function via the level parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44867MEDIUMCVSS 6.3EG 6.32025-05-01
Tenda W20E V15.11.0.6 was found to contain a command injection vulnerability in the formSetNetCheckTools function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44868CRITICALCVSS 9.8EG 9.82025-05-02
Wavlink WL-WN530H4 20220801 was found to contain a command injection vulnerability in the ping_test function of the adm.cgi via the pingIp parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44872CRITICALCVSS 9.8EG 9.82025-05-02
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via the deviceName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-44877CRITICALCVSS 9.8EG 9.82025-05-02
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via the usbname parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2025-45009MEDIUMCVSS 5.3EG 5.32025-04-30
A HTML Injection vulnerability was discovered in the normal-search.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary code via the searchdata parameter.
- CVE-2025-45010MEDIUMCVSS 5.3EG 5.32025-04-30
A HTML Injection vulnerability was discovered in the normal-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary code via the fromdate and tod…
- CVE-2025-45011MEDIUMCVSS 5.3EG 5.32025-04-30
A HTML Injection vulnerability was discovered in the foreigner-search.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary code via the searchdata POST request parame…
- CVE-2025-45042CRITICALCVSS 9.8EG 9.82025-05-05
Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function.
- CVE-2025-45317MEDIUMCVSS 6.5EG 6.52025-08-13
A zip slip vulnerability in the /modules/ImportModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary code via a crafted archive.
- CVE-2025-45326MEDIUMCVSS 6.5EG 6.52025-09-23
An issue in PocketVJ CP PocketVJ-CP-v3 pvj 3.9.1 allows remote attackers to execute arbitrary code via the submit_size.php component.
- CVE-2025-45487CRITICALCVSS 9.8EG 6.52025-05-06
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.InternetConnection function.
- CVE-2025-45488CRITICALCVSS 9.8EG 6.52025-05-06
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the mailex parameter.
- CVE-2025-45489CRITICALCVSS 9.8EG 6.52025-05-06
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the hostname parameter.
- CVE-2025-45490CRITICALCVSS 9.8EG 6.52025-05-06
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the password parameter.
- CVE-2025-45491CRITICALCVSS 9.8EG 9.82025-05-06
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter.
- CVE-2025-45492CRITICALCVSS 9.8EG 6.52025-05-06
Netgear EX8000 V1.0.0.126 is vulnerable to Command Injection via the Iface parameter in the action_wireless function.
- CVE-2025-45493MEDIUMCVSS 6.5EG 6.52025-12-23
Netgear EX8000 V1.0.0.126 is vulnerable to Command Injection via the iface parameter in the action_bandwidth function.
- CVE-2025-45512MEDIUMCVSS 6.5EG 6.52025-08-05
A lack of signature verification in the bootloader of DENX Software Engineering Das U-Boot (U-Boot) v1.1.3 allows attackers to install crafted firmware files, leading to arbitrary code execution.
- CVE-2025-45619MEDIUMCVSS 6.5EG 6.52025-07-30
An issue in Aver PTC310UV2 firmware v.0.1.0000.59 allows a remote attacker to execute arbitrary code via the SendAction function
- CVE-2025-45798CRITICALCVSS 9.8EG 6.52025-05-08
A command execution vulnerability exists in the TOTOLINK A950RG V4.1.2cu.5204_B20210112. The vulnerability is located in the setNoticeCfg interface within the /lib/cste_modules/system.so library, specifically in the processing of the IpTo …
- CVE-2025-45800CRITICALCVSS 9.8EG 9.82025-05-02
TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a command execution vulnerability in the setDeviceName interface of the /lib/cste_modules/global.so library, specifically in the processing of the deviceMac parameter.
- CVE-2025-45931CRITICALCVSS 9.8EG 9.82025-06-30
An issue D-Link DIR-816-A2 DIR-816A2_FWv1.10CNB05_R1B011D88210 allows a remote attacker to execute arbitrary code via system() function in the bin/goahead file
- CVE-2025-45984CRITICALCVSS 9.8EG 9.82025-06-13
Blink routers BL-WR9000 V2.4.9, BL-AC1900 V1.0.2, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 V1.0.5, BL-LTE300 V1.2.3, BL-F1200_AT1 V1.0.0, BL-X26_AC8 V1.2.8, BLAC450M_AE4 V4.0.0 and BL-X26_DA3 V1.2.7 were discovered to contain a command injection v…
- CVE-2025-45985CRITICALCVSS 9.8EG 9.82025-06-13
Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain a command injection vulnerability via…
- CVE-2025-45986CRITICALCVSS 9.8EG 9.82025-06-13
Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 werediscovered to contain a command injection vulnerability via …
- CVE-2025-45987CRITICALCVSS 9.8EG 9.82025-06-13
Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command injection vulnerabil…
- CVE-2025-45988CRITICALCVSS 9.8EG 9.82025-06-13
Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command injection vulnerabil…
- CVE-2025-46122CRITICALCVSS 9.1EG 5.42025-07-21
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate valida…
- CVE-2025-46176MEDIUMCVSS 6.5EG 6.52025-05-23
Hardcoded credentials in the Telnet service in D-Link DIR-605L v2.13B01 and DIR-816L v2.06B01 allow attackers to remotely execute arbitrary commands via firmware analysis.
- CVE-2025-46365MEDIUMCVSS 5.3EG 5.32025-11-05
Dell CloudLink, versions prior 8.1.1, contain a Command Injection vulnerability which can be exploited by an Authenticated attacker to cause Command Injection on an affected Dell CloudLink.
- CVE-2025-46427HIGHCVSS 8.8EG 8.82025-11-12
Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with remote access could potentially exploi…
- CVE-2025-46428HIGHCVSS 8.8EG 8.82025-11-12
Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with remote access could potentially explo…
- CVE-2025-4653HIGHCVSS 7.0EG 7.02025-06-10
Improper Neutralization of Special Elements in the backup name field may allow OS command injection. This issue affects Pandora ITSM 5.0.105.
- CVE-2025-46625HIGHCVSS 8.8EG 8.82025-05-01
Lack of input validation/sanitization in the 'setLanCfg' API endpoint in httpd in the Tenda RX2 Pro 16.03.30.14 allows a remote attacker that is authorized to the web management portal to gain root shell access to the device by sending a c…
- CVE-2025-46735LOWCVSS 1.1EG 1.12025-05-06
Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found in Terraform WinDNS Provider before version `1.0.5`. The `windns_record` resource did not sanitize the i…
- CVE-2025-4678HIGHCVSS 7.0EG 7.02025-06-10
Improper Neutralization of Special Elements in the chromium_path variable may allow OS command injection. This issue affects Pandora ITSM 5.0.105.
- CVE-2025-46816CRITICALCVSS 9.4EG 9.42025-05-06
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check…
- CVE-2025-47176HIGHCVSS 7.8EG 7.82025-06-10
'.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally.
- CVE-2025-47188MEDIUMCVSS 6.5EG 6.52025-08-07
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, could allow an unauthenticated attacker to c…
- CVE-2025-4729MEDIUMCVSS 6.3EG 6.32025-05-16
A vulnerability was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /boafrm/formMapDelDevice of the component HTTP POST Req…
Map vulnerabilities like CWE-77 to your infrastructure
EchelonGraph correlates every CVE — across CWE-77 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →