CWE-78— OS Command Injection
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.— MITRE CWE catalog
5,858 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-78page 98 of 118
- CVE-2025-64153HIGHCVSS 7.2EG 7.22025-12-09
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions m…
- CVE-2025-64155CRITICALCVSS 9.8EG 9.82026-01-13
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM…
- CVE-2025-64328HIGHCVSS 7.2EG 9.0⚠ KEV2025-11-07
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore module within the Administrative interface is vulnerable to a post-authentication comman…
- CVE-2025-64340MEDIUMCVSS 6.7EG 6.72026-04-03
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp in…
- CVE-2025-64444HIGHCVSS 7.2EG 7.22025-11-14
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in NCP-HG100 1.4.48.16 and earlier. If exploited, a remote attacker who has obtained the authentication information to log in to the ma…
- CVE-2025-64755CRITICALCVSS 9.8EG 9.82025-11-21
Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been pat…
- CVE-2025-64756HIGHCVSS 7.5EG 7.52025-11-17
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution wh…
- CVE-2025-6485MEDIUMCVSS 6.3EG 6.32025-06-22
A vulnerability was found in TOTOLINK A3002R 1.1.1-B20200824.0128. It has been classified as critical. This affects the function formWlSiteSurvey of the file /boafrm/formWlSiteSurvey. The manipulation of the argument wlanif leads to os com…
- CVE-2025-65008CRITICALCVSS 9.4EG 9.42025-12-18
In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of validation in the langGet parameter in the adm.cgi endpoint, the malicious attacker can execute system shell commands. The vendor was notified early about t…
- CVE-2025-65074HIGHCVSS 7.2EG 7.22025-12-16
WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path trave…
- CVE-2025-6514CRITICALCVSS 9.6EG 9.62025-07-09
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL
- CVE-2025-65199HIGHCVSS 7.8EG 7.82025-12-10
A command injection vulnerability exists in Windscribe for Linux Desktop App that allows a local user who is a member of the windscribe group to execute arbitrary commands as root via the 'adapterName' parameter of the 'changeMTU' function…
- CVE-2025-65202HIGHCVSS 8.0EG 8.02025-11-26
TRENDnet TEW-657BRM 1.00.1 has an authenticated remote OS command injection vulnerability in the setup.cgi binary, exploitable via the HTTP parameters "command", "todo", and "next_file," which allows an attacker to execute arbitrary comman…
- CVE-2025-6541HIGHCVSS 8.8EG 8.82025-10-21
An arbitrary OS command may be executed on the product by the user who can log in to the web management interface.
- CVE-2025-6542CRITICALCVSS 9.8EG 9.82025-10-21
An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.
- CVE-2025-65480HIGHCVSS 8.8EG 8.82026-02-11
An issue was discovered in Pacom Unison Client 5.13.1. Authenticated users can inject malicious scripts in the Report Templates which are executed when certain script conditions are fulfilled, leading to Remote Code Execution.
- CVE-2025-6559CRITICALCVSS 9.8EG 9.82025-06-24
Multiple wireless router models from Sapido have an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. The affected models are out of support; repl…
- CVE-2025-6562HIGHCVSS 8.8EG 8.82025-06-26
Certain hybrid DVR models (HBF-09KD and HBF-16NK) from Hunt Electronic have an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary OS commands and execute them on the device.
- CVE-2025-65882CRITICALCVSS 9.8EG 9.82025-12-09
An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary comma…
- CVE-2025-66052HIGHCVSS 7.2EG 7.22026-01-09
Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perf…
- CVE-2025-6618CRITICALCVSS 9.8EG 6.32025-06-25
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been classified as critical. Affected is the function SetWLanApcliSettings of the file wps.so. The manipulation of the argument PIN leads to os command injection. It is possi…
- CVE-2025-6619CRITICALCVSS 9.8EG 6.32025-06-25
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been declared as critical. Affected by this vulnerability is the function setUpgradeFW of the file upgrade.so. The manipulation of the argument FileName leads to os command i…
- CVE-2025-6620CRITICALCVSS 9.8EG 6.32025-06-25
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been rated as critical. Affected by this issue is the function setUpgradeUboot of the file upgrade.so. The manipulation of the argument FileName leads to os command injection…
- CVE-2025-66203CRITICALCVSS 9.9EG 9.92025-12-27
StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dl…
- CVE-2025-66208CRITICALCVSS 9.8EG 9.82025-12-03
Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Co…
- CVE-2025-66209CRITICALCVSS 9.9EG 9.92025-12-23
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with ap…
- CVE-2025-6621CRITICALCVSS 9.8EG 6.32025-06-25
A vulnerability classified as critical has been found in TOTOLINK CA300-PoE 6.2c.884. This affects the function QuickSetting of the file ap.so. The manipulation of the argument hour/minute leads to os command injection. It is possible to i…
- CVE-2025-66210HIGHCVSS 8.8EG 8.82025-12-23
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with ap…
- CVE-2025-66211HIGHCVSS 8.8EG 8.82025-12-23
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users …
- CVE-2025-66212HIGHCVSS 8.8EG 8.82025-12-23
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allo…
- CVE-2025-66213HIGHCVSS 8.8EG 8.82025-12-23
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality al…
- CVE-2025-66253CRITICALCVSS 9.8EG 9.82025-11-26
Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed di…
- CVE-2025-66261CRITICALCVSS 9.8EG 9.82025-11-26
Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name …
- CVE-2025-66273HIGHCVSS 7.2EG 7.22026-06-10
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have alre…
- CVE-2025-66279HIGHCVSS 7.2EG 7.22026-06-10
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have alre…
- CVE-2025-66398CRITICALCVSS 9.6EG 9.62026-01-01
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint…
- CVE-2025-66401CRITICALCVSS 9.8EG 9.82025-12-01
MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user…
- CVE-2025-66572MEDIUMCVSS 6.9EG 6.92025-12-04
Loaded Commerce 6.6 contains a client-side template injection vulnerability via the search parameter that allows unauthenticated attackers to execute arbitrary code in the victim's browser context when they visit a crafted URL.
- CVE-2025-66576HIGHCVSS 8.9EG 9.82025-12-04
Remote Keyboard Desktop 1.0.1 enables remote attackers to execute system commands via the rundll32.exe exported function export, allowing unauthenticated code execution.
- CVE-2025-66626HIGHCVSS 7.5EG 8.12025-12-09
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives.…
- CVE-2025-66644CRITICALCVSS 9.8EG 9.8⚠ KEV2025-12-05
Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.
- CVE-2025-6704CRITICALCVSS 9.8EG 9.82025-07-21
An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combina…
- CVE-2025-67041CRITICALCVSS 9.8EG 9.82026-03-11
An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary on…
- CVE-2025-67164CRITICALCVSS 9.9EG 9.92025-12-17
An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2025-67172HIGHCVSS 7.2EG 7.22025-12-17
RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function.
- CVE-2025-67264HIGHCVSS 7.8EG 7.82026-01-23
An OS command injection vulnerability in the com.sprd.engineermode component in Doogee Note59, Note59 Pro, and Note59 Pro+ allows a local attacker to execute arbitrary code and escalate privileges via the EngineerMode ADB shell, due to inc…
- CVE-2025-67447CRITICALCVSS 9.8EG 9.82026-06-04
The network diagnosis (ping) module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to OS command injection. The application does not properly sanitize user input in the IP address field before passing it to the system's …
- CVE-2025-67640MEDIUMCVSS 5.0EG 5.02025-12-10
Jenkins Git client Plugin 6.4.0 and earlier does not not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace dire…
- CVE-2025-6770HIGHCVSS 7.2EG 7.22025-07-08
OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution
- CVE-2025-6771HIGHCVSS 7.2EG 7.22025-07-08
OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution
Map vulnerabilities like CWE-78 to your infrastructure
EchelonGraph correlates every CVE — across CWE-78 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →