CWE-78— OS Command Injection
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.— MITRE CWE catalog
5,850 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-78page 74 of 117
- CVE-2024-26260CRITICALCVSS 9.8EG 9.82024-02-15
The functionality for synchronization in HGiga OAKlouds' certain moudules has an OS Command Injection vulnerability, allowing remote attackers to inject system commands within specific request parameters. This enables the execution of arbi…
- CVE-2024-2659HIGHCVSS 7.2EG 7.22024-04-15
A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute system commands when performing a specific administrative function.
- CVE-2024-2662HIGHCVSS 7.2EG 7.22024-05-14
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to command injection in all versions up to, and including, 1.5.102. This is due to insufficient filtering of template attributes duri…
- CVE-2024-2707MEDIUMCVSS 6.3EG 6.32024-03-20
A vulnerability has been found in Tenda AC10U 15.03.06.49 and classified as critical. This vulnerability affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injecti…
- CVE-2024-27124HIGHCVSS 7.5EG 7.52024-04-26
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the …
- CVE-2024-27172CRITICALCVSS 9.8EG 9.82024-06-14
Remote Command program allows an attacker to get Remote Code Execution. As for the affected products/models/versions, see the reference URL.
- CVE-2024-2742MEDIUMCVSS 6.4EG 6.42024-04-11
Operating system command injection vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. An authenticated attacker could execute arbitrary code on the remote host by exploiting IP address functionality.
- CVE-2024-27516CRITICALCVSS 9.8EG 9.82024-02-29
Server-Side Template Injection (SSTI) vulnerability in livehelperchat before 4.34v, allows remote attackers to execute arbitrary code and obtain sensitive information via the search parameter in lhc_web/modules/lhfaq/faqweight.php.
- CVE-2024-27521HIGHCVSS 8.0EG 8.02024-03-26
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote command execution (RCE) vulnerability via multiple parameters in the "setOpModeCfg" function. This security issue allows an attacker to take comple…
- CVE-2024-27772HIGHCVSS 8.8EG 8.82024-03-18
Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-78: 'OS Command Injection' may allow RCE
- CVE-2024-27778HIGHCVSS 8.8EG 8.82025-01-14
An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 al…
- CVE-2024-27920HIGHCVSS 7.4EG 7.42024-03-15
projectdiscovery/nuclei is a fast and customisable vulnerability scanner based on simple YAML based DSL. A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. Th…
- CVE-2024-28015CRITICALCVSS 9.8EG 9.82024-03-28
Improper Neutralization of Special Elements used in an OS Command vulnerability in NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W30…
- CVE-2024-28025HIGHCVSS 7.2EG 7.22024-11-21
Three OS command injection vulnerabilities exist in the web interface I/O configuration functionality of MC Technologies MC LR Router 2.10.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an…
- CVE-2024-28026HIGHCVSS 7.2EG 7.22024-11-21
Three OS command injection vulnerabilities exist in the web interface I/O configuration functionality of MC Technologies MC LR Router 2.10.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an…
- CVE-2024-28027HIGHCVSS 7.2EG 7.22024-11-21
Three OS command injection vulnerabilities exist in the web interface I/O configuration functionality of MC Technologies MC LR Router 2.10.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an…
- CVE-2024-28033HIGHCVSS 7.3EG 7.32024-03-26
OS command injection vulnerability exists in WebProxy 1.7.8 and 1.7.9, which may allow a remote unauthenticated attacker to execute an arbitrary OS command with the privilege of the running web server. Note that the developer was unreachab…
- CVE-2024-28048CRITICALCVSS 9.8EG 9.82024-03-26
OS command injection vulnerability exists in ffBull ver.4.11, which may allow a remote unauthenticated attacker to execute an arbitrary OS command with the privilege of the running web server. Note that the developer was unreachable, there…
- CVE-2024-2812MEDIUMCVSS 6.3EG 6.32024-03-22
A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi. It has been classified as critical. This affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command inj…
- CVE-2024-28125CRITICALCVSS 9.8EG 9.82024-03-18
FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further inv…
- CVE-2024-28138HIGHCVSS 7.3EG 7.32024-12-10
An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized.
- CVE-2024-28187HIGHCVSS 7.2EG 7.22024-03-11
SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accesse…
- CVE-2024-28254HIGHCVSS 8.8EG 8.82024-03-15
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `AlertUtil::validateExpression` method evaluates an SpEL ex…
- CVE-2024-2851MEDIUMCVSS 6.3EG 6.32024-03-24
A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi. It has been classified as critical. This affects the function formSetSambaConf of the file /goform/setsambacfg. The manipulation of the argument usbName leads to os comman…
- CVE-2024-2853MEDIUMCVSS 6.3EG 6.32024-03-24
A vulnerability was found in Tenda AC10U 15.03.06.48/15.03.06.49. It has been rated as critical. This issue affects the function formSetSambaConf of the file /goform/setsambacfg. The manipulation of the argument usbName leads to os command…
- CVE-2024-2854MEDIUMCVSS 6.3EG 6.32024-03-24
A vulnerability classified as critical has been found in Tenda AC18 15.03.05.05. Affected is the function formSetSambaConf of the file /goform/setsambacfg. The manipulation of the argument usbName leads to os command injection. It is possi…
- CVE-2024-28748HIGHCVSS 7.2EG 7.22024-07-09
A remote attacker with high privileges may use a reading file function to inject OS commands.
- CVE-2024-28749HIGHCVSS 7.2EG 7.22024-07-09
A remote attacker with high privileges may use a writing file function to inject OS commands.
- CVE-2024-28750HIGHCVSS 7.2EG 7.22024-07-09
A remote attacker with high privileges may use a deleting file function to inject OS commands.
- CVE-2024-28767MEDIUMCVSS 6.8EG 6.82024-12-20
IBM Security Directory Integrator 7.2.0 through 7.2.0.13 and 10.0.0 through 10.0.3 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.
- CVE-2024-28892CRITICALCVSS 9.8EG 9.82024-11-21
An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerabilit…
- CVE-2024-2897MEDIUMCVSS 6.3EG 6.32024-03-26
A vulnerability classified as critical has been found in Tenda AC7 15.03.06.44. Affected is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. It is possible to…
- CVE-2024-2909HIGHCVSS 8.8EG 8.82024-03-26
A vulnerability classified as critical was found in Ruijie RG-EG350 up to 20240318. Affected by this vulnerability is the function setAction of the file /itbox_pi/networksafe.php?a=set of the component HTTP POST Request Handler. The manipu…
- CVE-2024-2910MEDIUMCVSS 6.3EG 6.32024-03-26
A vulnerability, which was classified as critical, has been found in Ruijie RG-EG350 up to 20240318. Affected by this issue is the function vpnAction of the file /itbox_pi/vpn_quickset_service.php?a=set_vpn of the component HTTP POST Reque…
- CVE-2024-29167HIGHCVSS 7.2EG 7.22024-04-04
SVR-116 firmware version 1.6.0.30028871 allows a remote authenticated attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product.
- CVE-2024-29185CRITICALCVSS 9.0EG 9.02024-03-22
FreeScout is a self-hosted help desk and shared mailbox. Versions prior to 1.8.128 are vulnerable to OS Command Injection in the /public/tools.php source file. The value of the php_path parameter is being executed as an OS command by the s…
- CVE-2024-29189HIGHCVSS 7.4EG 7.42024-03-26
PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. On file src/ansys/geometry/core/connection/product_instance.py, upon calling this method _start_program directly, users could exploit …
- CVE-2024-29224CRITICALCVSS 9.8EG 9.82024-11-21
An OS command injection vulnerability exists in the NAT parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
- CVE-2024-29640CRITICALCVSS 9.8EG 9.82024-03-29
An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component.
- CVE-2024-29972CRITICALCVSS 9.8EG 9.82024-06-04
** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauth…
- CVE-2024-29973CRITICALCVSS 9.8EG 9.82024-06-04
** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthentic…
- CVE-2024-30220HIGHCVSS 8.8EG 8.82024-04-15
Command injection vulnerability in PLANEX COMMUNICATIONS wireless LAN routers allows a network-adjacent unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port. Note that MZK-MF300N…
- CVE-2024-30247CRITICALCVSS 10.0EG 10.02024-03-29
NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a…
- CVE-2024-30314HIGHCVSS 7.8EG 9.32024-05-16
Dreamweaver Desktop versions 21.3 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitat…
- CVE-2024-30368HIGHCVSS 8.8EG 7.22024-06-06
A10 Thunder ADC CsrRequestView Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of A10 Thunder ADC. Authentication is required to exploit …
- CVE-2024-30414HIGHCVSS 7.5EG 7.52024-04-07
Command injection vulnerability in the AccountManager module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2024-30645HIGHCVSS 8.0EG 8.02024-03-29
Tenda AC15V1.0 V15.03.20_multi has a command injection vulnerability via the deviceName parameter.
- CVE-2024-3104CRITICALCVSS 9.8EG 9.62024-06-06
A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the `POST /api/system/u…
- CVE-2024-31162HIGHCVSS 7.2EG 7.22024-06-14
The specific function parameter of ASUS Download Master does not properly filter user input. An unauthenticated remote attacker with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the devic…
- CVE-2024-3121LOWCVSS 3.3EG 6.82024-06-24
A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker …
Map vulnerabilities like CWE-78 to your infrastructure
EchelonGraph correlates every CVE — across CWE-78 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →