CWE-78— OS Command Injection
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.— MITRE CWE catalog
5,841 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-78page 45 of 117
- CVE-2022-20718MEDIUMCVSS 5.5EG 7.22022-04-15
Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying …
- CVE-2022-20797MEDIUMCVSS 5.5EG 9.12022-05-27
A vulnerability in the web-based management interface of Cisco Secure Network Analytics, formerly Cisco Stealthwatch Enterprise, could allow an authenticated, remote attacker to execute arbitrary commands as an administrator on the underly…
- CVE-2022-20799MEDIUMCVSS 4.7EG 7.22022-05-04
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an …
- CVE-2022-20801MEDIUMCVSS 4.7EG 7.22022-05-04
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an …
- CVE-2022-20827CRITICALCVSS 9.0EG 10.02022-08-10
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device. Fo…
- CVE-2022-20851MEDIUMCVSS 5.5EG 7.22022-09-30
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker…
- CVE-2022-20855HIGHCVSS 7.9EG 6.72022-09-30
A vulnerability in the self-healing functionality of Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst Access Points could allow an authenticated, local attacker to escape the restricted controller shell and execute arbit…
- CVE-2022-20857CRITICALCVSS 9.8EG 9.82022-07-21
Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information abo…
- CVE-2022-20865MEDIUMCVSS 6.7EG 6.72022-08-25
A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The attacker would need to have Administrator privileges on the device. Thi…
- CVE-2022-20871MEDIUMCVSS 6.3EG 6.32024-11-15
A vulnerability in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to perform a command injection …
- CVE-2022-20873MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20874MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20875MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20876MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20877MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20878MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20879MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20880MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20881MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20882MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20883MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20884MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20885MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20886MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20887MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20888MEDIUMCVSS 4.7EG 7.22022-07-21
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20910MEDIUMCVSS 4.7EG 7.22022-07-22
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the dev…
- CVE-2022-20925MEDIUMCVSS 6.3EG 7.22022-11-15
A vulnerability in the web management interface of the Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability is…
- CVE-2022-20926MEDIUMCVSS 6.3EG 8.82022-11-15
A vulnerability in the web management interface of the Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability is…
- CVE-2022-20930MEDIUMCVSS 6.7EG 6.72022-09-30
A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to overwrite and possibly corrupt files on an affected system. This vulnerability is due to insufficient input validation. An attacker could e…
- CVE-2022-20934MEDIUMCVSS 6.0EG 6.72022-11-15
A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Software and Cisco FXOS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as root. This vulnerabilit…
- CVE-2022-20964MEDIUMCVSS 6.3EG 8.82023-01-20
A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system. This vulnerability is due to improper…
- CVE-2022-21129HIGHCVSS 7.4EG 7.42023-01-31
Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. **Note:** In order to exploit this vulnerability appium-running 0.1.3 has to…
- CVE-2022-21143HIGHCVSS 7.5EG 7.52022-02-18
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not properly sanitize user input on several locations, which may allow an attacker to inj…
- CVE-2022-21173HIGHCVSS 8.8EG 8.82022-02-08
Hidden functionality vulnerability in ELECOM LAN routers (WRH-300BK3 firmware v1.05 and earlier, WRH-300WH3 firmware v1.05 and earlier, WRH-300BK3-S firmware v1.05 and earlier, WRH-300DR3-S firmware v1.05 and earlier, WRH-300LB3-S firmware…
- CVE-2022-21178CRITICALCVSS 9.8EG 9.82022-08-05
An os command injection vulnerability exists in the confsrv ucloud_add_new_node functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a mal…
- CVE-2022-21191HIGHCVSS 7.4EG 7.42023-01-13
Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the getPath function.
- CVE-2022-21668HIGHCVSS 8.0EG 8.02022-01-10
pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere…
- CVE-2022-21810HIGHCVSS 7.4EG 7.82023-01-26
All versions of the package smartctl are vulnerable to Command Injection via the info method due to improper input sanitization.
- CVE-2022-2185CRITICALCVSS 9.9EG 9.82022-07-01
A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously …
- CVE-2022-22140CRITICALCVSS 9.8EG 9.82022-08-05
An os command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malici…
- CVE-2022-22273CRITICALCVSS 9.8EG 9.82022-03-17
Improper neutralization of Special Elements leading to OS Command Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products and older firmware versions of Secure Mobile Access (SMA) 100 series products, specifically…
- CVE-2022-22298MEDIUMCVSS 6.7EG 6.72023-10-10
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiIsolator version 1.0.0, FortiIsolator version 1.1.0, FortiIsolator version 1.2.0 through 1.2.2, FortiIsolator version 2.0.0 throu…
- CVE-2022-22301HIGHCVSS 7.8EG 7.82022-03-02
An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiAP-C console 5.4.0 through 5.4.3, 5.2.0 through 5.2.1 may allow an authenticated attacker to execute unauthorized commands by running CLI c…
- CVE-2022-2234CRITICALCVSS 9.9EG 8.82022-08-24
An authenticated mySCADA myPRO 8.26.0 user may be able to modify parameters to run commands directly in the operating system.
- CVE-2022-22454HIGHCVSS 7.8EG 7.82022-05-10
IBM InfoSphere Information Server 11.7 could allow a locally authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.
- CVE-2022-2251MEDIUMCVSS 4.8EG 8.02023-01-17
Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name and gets another user to trigger…
- CVE-2022-2253CRITICALCVSS 9.1EG 9.12022-07-01
A user with administrative privileges in Distributed Data Systems WebHMI 4.1.1.7662 may send OS commands to execute on the host server.
- CVE-2022-22555MEDIUMCVSS 6.0EG 6.72022-07-21
Dell EMC PowerStore, contains an OS command injection Vulnerability. A locally authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the…
- CVE-2022-22684HIGHCVSS 7.2EG 8.82022-07-28
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arb…
Map vulnerabilities like CWE-78 to your infrastructure
EchelonGraph correlates every CVE — across CWE-78 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →