CWE-78— OS Command Injection
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.— MITRE CWE catalog
5,858 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-78page 105 of 118
- CVE-2026-25109HIGHCVSS 8.8EG 8.02026-02-27
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing th…
- CVE-2026-25130CRITICALCVSS 9.6EG 9.62026-01-30
Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed…
- CVE-2026-25143HIGHCVSS 7.8EG 7.82026-02-04
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pi…
- CVE-2026-25157HIGHCVSS 7.7EG 7.72026-02-04
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping t…
- CVE-2026-25244CRITICALCVSS 9.8EG 9.82026-05-18
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orche…
- CVE-2026-2544HIGHCVSS 7.3EG 7.32026-02-16
A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function child_process.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor wa…
- CVE-2026-25512HIGHCVSS 8.8EG 8.82026-02-04
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachm…
- CVE-2026-25546HIGHCVSS 7.8EG 7.82026-02-04
Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-c…
- CVE-2026-25593HIGHCVSS 8.4EG 8.42026-02-06
OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enablin…
- CVE-2026-2560MEDIUMCVSS 6.3EG 6.32026-02-16
A vulnerability has been found in kalcaddle kodbox up to 1.64.05. The impacted element is the function run of the file plugins/fileThumb/lib/VideoResize.class.php of the component Media File Preview Plugin. Such manipulation of the argumen…
- CVE-2026-25620MEDIUMCVSS 6.0EG 6.02026-06-05
An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier softwar…
- CVE-2026-25621MEDIUMCVSS 6.0EG 6.02026-06-05
A Reports application infrastructure vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. This issue uniquely affects version 17.4.0; earlier software releases are…
- CVE-2026-25622MEDIUMCVSS 6.0EG 6.02026-06-05
A Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an administrative account logged into the user interface can exploit t…
- CVE-2026-25623MEDIUMCVSS 6.0EG 6.02026-06-05
An input validation command execution vulnerability exists in the browser management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Authenticated administrators can leverage this exposure to obtain unde…
- CVE-2026-25643CRITICALCVSS 9.1EG 9.12026-02-06
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The applica…
- CVE-2026-25722CRITICALCVSS 9.1EG 9.12026-02-06
Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive director…
- CVE-2026-25723MEDIUMCVSS 6.5EG 6.52026-02-06
Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability ena…
- CVE-2026-25763CRITICALCVSS 9.9EG 9.92026-02-06
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/change…
- CVE-2026-25828MEDIUMCVSS 5.4EG 5.42026-02-12
grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device(). NOTE: a third party reports "exploitation may not be fea…
- CVE-2026-25836HIGHCVSS 7.2EG 7.22026-03-10
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI acc…
- CVE-2026-25855HIGHCVSS 8.8EG 8.82026-06-08
OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat.ps1.sh) through the FileProxySource proxy loading feature. Attac…
- CVE-2026-25857HIGHCVSS 8.8EG 8.82026-02-07
Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates …
- CVE-2026-25933MEDIUMCVSS 6.8EG 6.82026-02-12
Arduino App Lab is a cross-platform IDE for developing Arduino Apps. Prior to 0.4.0, a vulnerability was identified in the Terminal component of the arduino-app-lab application. The issue stems from insufficient sanitization and validation…
- CVE-2026-26009CRITICALCVSS 9.9EG 9.92026-02-10
Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandbox…
- CVE-2026-26029HIGHCVSS 7.5EG 7.52026-02-11
sf-mcp-server is an implementation of Salesforce MCP server for Claude for Desktop. A command injection vulnerability exists in sf-mcp-server due to unsafe use of child_process.exec when constructing Salesforce CLI commands with user-contr…
- CVE-2026-26068CRITICALCVSS 9.9EG 9.92026-02-12
emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via…
- CVE-2026-26191CRITICALCVSS 9.8EG 9.82026-05-14
Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows)…
- CVE-2026-26213CRITICALCVSS 9.8EG 9.82026-03-26
thingino-firmware versions up to the firmware-2026-03-16 release contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by inj…
- CVE-2026-26280HIGHCVSS 7.8EG 7.82026-02-19
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized ne…
- CVE-2026-2630HIGHCVSS 8.8EG 8.82026-02-17
A Command Injection vulnerability exists where an authenticated, remote attacker could execute arbitrary code on the underlying server where Tenable Security Center is hosted.
- CVE-2026-26318HIGHCVSS 8.8EG 8.82026-02-19
systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.
- CVE-2026-26355MEDIUMCVSS 6.5EG 6.52026-07-03
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutra…
- CVE-2026-26830CRITICALCVSS 9.8EG 9.82026-03-25
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths i…
- CVE-2026-26832CRITICALCVSS 9.8EG 9.82026-03-25
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated …
- CVE-2026-26942MEDIUMCVSS 6.7EG 6.72026-04-20
Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS command injection vulnerability. A high privileged attacker with remote access could potentially e…
- CVE-2026-26943HIGHCVSS 7.2EG 7.22026-04-20
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker wi…
- CVE-2026-2701CRITICALCVSS 9.1EG 9.12026-04-02
Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
- CVE-2026-27130CRITICALCVSS 9.9EG 9.92026-05-18
Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input sanitization, lack of schema validation…
- CVE-2026-27175CRITICALCVSS 9.8EG 9.82026-02-18
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshe…
- CVE-2026-27476CRITICALCVSS 9.8EG 9.82026-02-19
RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing sy…
- CVE-2026-27566HIGHCVSS 7.1EG 7.12026-03-19
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to …
- CVE-2026-27806HIGHCVSS 7.8EG 7.82026-04-08
Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script exec…
- CVE-2026-27848CRITICALCVSS 9.8EG 9.82026-02-25
Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as the root user. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
- CVE-2026-27849CRITICALCVSS 9.8EG 9.82026-02-25
Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network. This issue affects MR9600: 1.0.4.2…
- CVE-2026-27955MEDIUMCVSS 6.6EG 6.62026-06-30
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. User-controlle…
- CVE-2026-27957HIGHCVSS 8.8EG 8.82026-06-30
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated…
- CVE-2026-28291HIGHCVSS 8.1EG 8.12026-04-13
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and…
- CVE-2026-28292CRITICALCVSS 9.8EG 9.82026-03-10
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remot…
- CVE-2026-28460HIGHCVSS 7.1EG 7.12026-03-19
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers ca…
- CVE-2026-28517CRITICALCVSS 9.8EG 9.82026-02-27
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() witho…
Map vulnerabilities like CWE-78 to your infrastructure
EchelonGraph correlates every CVE — across CWE-78 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →