Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-45721 - - Dec 23, 2024 Dec 23, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 home 5G HR02, Wi-Fi STATION SH-52B, and Wi-Fi STATION SH-54C contain an OS command injection vulnerability in the HOST name configuration screen. An arbitrary OS command may be executed with the root privilege by an admi...Show more home 5G HR02, Wi-Fi STATION SH-52B, and Wi-Fi STATION SH-54C contain an OS command injection vulnerability in the HOST name configuration screen. An arbitrary OS command may be executed with the root privilege by an administrative user.Show less
CVE-2020-13712 - - Dec 26, 2024 Dec 20, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 A command injection is possible through the user interface, allowing arbitrary command execution as the root user. oMG2000 running MGOS 3.15.1 or earlier is affected. MG90 running MGOS 4.2.1 or earlier is affected.
CVE-2024-28767 1Ibm 1Security Directory Integrator Aug 15, 2025 Dec 20, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM Security Directory Integrator 7.2.0 through 7.2.0.13 and 10.0.0 through 10.0.3 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.
CVE-2024-12829 1Arista 1Ng Firewall Jan 3, 2025 Dec 20, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Arista NG Firewall ExecManagerImpl Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authenticati...Show more Arista NG Firewall ExecManagerImpl Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is required to exploit this vulnerability. The specific flaw exists within the ExecManagerImpl class. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24015.Show less
CVE-2021-26115 1Fortinet 1Fortiwan Jan 21, 2025 Dec 19, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 An OS command injection (CWE-78) vulnerability in FortiWAN version 4.5.7 and below Command Line Interface may allow a local, authenticated and unprivileged attacker to escalate their privileges to root via executing a sp...Show more An OS command injection (CWE-78) vulnerability in FortiWAN version 4.5.7 and below Command Line Interface may allow a local, authenticated and unprivileged attacker to escalate their privileges to root via executing a specially-crafted command.An OS command injection (CWE-78) vulnerability in FortiWAN Command Line Interface may allow a local, authenticated and unprivileged attacker to escalate their privileges to root via executing a specially-crafted command.Show less
CVE-2023-23356 1Qnap 1Qufirewall Sep 24, 2025 Dec 19, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary...Show more A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QuFirewall 2.3.3 ( 2023/03/27 ) and later and laterShow less
CVE-2024-12686 1Beyondtrust 2Privileged Remote Access Remote Support Oct 24, 2025 Dec 18, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user.
CVE-2024-48889 1Fortinet 2Fortimanager Fortimanager Cloud Nov 13, 2025 Dec 18, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiManager version 7.6.0, version 7.4.4 and below, version 7.2.7 and below, version 7.0.12 and bel...Show more An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiManager version 7.6.0, version 7.4.4 and below, version 7.2.7 and below, version 7.0.12 and below, version 6.4.14 and below and FortiManager Cloud version 7.4.4 and below, version 7.2.7 to 7.2.1, version 7.0.12 to 7.0.1 may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests.Show less
CVE-2024-53688 - - Dec 18, 2024 Dec 18, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier, which may allow a...Show more Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier, which may allow a logged-in user to execute an arbitrary OS command using a crafted HTTP request.Show less
CVE-2024-31668 1Rizin 1Rizin Jul 3, 2025 Dec 17, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 rizin before v0.6.3 is vulnerable to Improper Neutralization of Special Elements via meta_set function in librz/analysis/meta.
CVE-2024-53376 1Cyberpanel 1Cyberpanel Sep 5, 2025 Dec 16, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 CyberPanel before 2.3.8 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the phpSelection field to the websites/submitWebsiteCreation URI.
CVE-2024-11858 1Radare 1Radare2 Aug 5, 2025 Dec 15, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application files. Maliciously crafted inputs can inject shell commands during co...Show more A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application files. Maliciously crafted inputs can inject shell commands during command parsing, leading to unintended behavior during file processingShow less
CVE-2024-48008 1Dell 1Recoverpoint For Virtual Machines Feb 4, 2025 Dec 13, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Dell RecoverPoint for Virtual Machines 6.0.x contains a OS Command Injection vulnerability. An Low privileged remote attacker could potentially exploit this vulnerability leading to information disclosure ,allowing of un...Show more Dell RecoverPoint for Virtual Machines 6.0.x contains a OS Command Injection vulnerability. An Low privileged remote attacker could potentially exploit this vulnerability leading to information disclosure ,allowing of unintended actions like reading files that may contain sensitive informationShow less
CVE-2024-22461 1Dell 1Recoverpoint For Virtual Machines Feb 4, 2025 Dec 13, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Dell RecoverPoint for Virtual Machines 6.0.x contains an OS Command injection vulnerability. A low privileged remote attacker could potentially exploit this vulnerability by running any command as root, leading to gainin...Show more Dell RecoverPoint for Virtual Machines 6.0.x contains an OS Command injection vulnerability. A low privileged remote attacker could potentially exploit this vulnerability by running any command as root, leading to gaining of root-level access and compromise of complete system.Show less
CVE-2024-52058 1Rti 1Connext Professional Oct 2, 2025 Dec 13, 2024 8.6 HIGH· v4 7.8 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in RTI Connext Professional (System Designer) allows OS Command Injection.This issue affects Connext Professional:...Show more Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in RTI Connext Professional (System Designer) allows OS Command Injection.This issue affects Connext Professional: from 7.0.0 before 7.3.0.2, from 6.1.0 before 6.1.2.19.Show less
CVE-2024-54008 - - Dec 11, 2024 Dec 10, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An authenticated Remote Code Execution (RCE) vulnerability exists in the AirWave CLI. Successful exploitation of this vulnerability could allow a remote authenticated threat actor to run arbitrary commands as a privilege...Show more An authenticated Remote Code Execution (RCE) vulnerability exists in the AirWave CLI. Successful exploitation of this vulnerability could allow a remote authenticated threat actor to run arbitrary commands as a privileged user on the underlying host.Show less
CVE-2024-28138 - - Nov 3, 2025 Dec 10, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sa...Show more An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized.Show less
CVE-2024-12358 1Datax Web Project 1Datax Web Dec 10, 2024 Dec 9, 2024 5.3 MEDIUM· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was found in WeiYe-Jing datax-web 2.1.1. It has been classified as critical. This affects an unknown part of the file /api/job/add/. The manipulation of the argument glueSource leads to os command injecti...Show more A vulnerability was found in WeiYe-Jing datax-web 2.1.1. It has been classified as critical. This affects an unknown part of the file /api/job/add/. The manipulation of the argument glueSource leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-47115 1Ibm 2Aix Vios Jan 21, 2025 Dec 7, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 IBM AIX 7.2, 7.3 and VIOS 3.1 and 4.1 could allow a local user to execute arbitrary commands on the system due to improper neutralization of input.
CVE-2024-52320 - - Dec 6, 2024 Dec 6, 2024 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.

Previous 1...929394...299 Next