← Back
CWE-78

5,964 CVEs • Abstraction: Base • Likelihood of Exploit: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

JSON object

Loading...

CVEs (5,964)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2024-50809
-
-
Nov 18, 2024
Nov 8, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
The theme.php file in SDCMS 2.8 has a command execution vulnerability that allows for the execution of system commands
CVE-2024-45763
1Dell
1Enterprise Sonic Distribution
Nov 13, 2024
Nov 8, 2024
N/A· v4
7.2 HIGH· v3
N/A· v2
Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access cou...Show more
Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. This is a critical severity vulnerability so Dell recommends customers to upgrade at the earliest opportunity.Show less
CVE-2024-45765
1Dell
1Enterprise Sonic Distribution
Nov 13, 2024
Nov 8, 2024
N/A· v4
7.2 HIGH· v3
N/A· v2
Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access cou...Show more
Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. This is a critical severity vulnerability as it allows high privilege OS commands to be executed with a less privileged role; so Dell recommends customers to upgrade at the earliest opportunity.Show less
CVE-2020-8007
-
-
Nov 4, 2025
Nov 8, 2024
N/A· v4
9.8 CRITICAL· v3
N/A· v2
The pwrstudio web application of EV Charger (in the server in Circontrol Raption through 5.6.2) is vulnerable to OS command injection via three fields of the configuration menu for ntpserver0, ntpserver1, and pingip.
CVE-2024-10966
1Totolink
1X18 Firmware
Dec 16, 2024
Nov 7, 2024
5.3 MEDIUM· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
A vulnerability, which was classified as critical, has been found in TOTOLINK X18 9.1.0cu.2024_B20220329. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation of the arg...Show more
A vulnerability, which was classified as critical, has been found in TOTOLINK X18 9.1.0cu.2024_B20220329. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-48954
1Logpoint
1Siem
Apr 30, 2025
Nov 7, 2024
N/A· v4
6.4 MEDIUM· v3
N/A· v2
An issue was discovered in Logpoint before 7.5.0. Unvalidated input during the EventHub Collector setup by an authenticated user leads to Remote Code execution.
CVE-2024-10919
1Didi
1Super Jacoco
Nov 8, 2024
Nov 6, 2024
5.3 MEDIUM· v4
9.8 CRITICAL· v3
6.5 MEDIUM· v2
A vulnerability has been found in didi Super-Jacoco 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /cov/triggerUnitCover. The manipulation of the argument uuid lead...Show more
A vulnerability has been found in didi Super-Jacoco 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /cov/triggerUnitCover. The manipulation of the argument uuid leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-10915
1Dlink
4Dns 320 Firmware
Dns 320lw FirmwareDns 325 Firmware+1 more
Nov 8, 2024
Nov 6, 2024
9.2 CRITICAL· v4
9.8 CRITICAL· v3
7.6 HIGH· v2
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi...Show more
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-10914
1Dlink
4Dns 320 Firmware
Dns 320lw FirmwareDns 325 Firmware+1 more
Nov 24, 2024
Nov 6, 2024
9.2 CRITICAL· v4
9.8 CRITICAL· v3
7.6 HIGH· v2
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr....Show more
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.Show less
CVE-2023-29120
1Enelx
1Waybox Pro Firmware
Nov 8, 2024
Nov 5, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
Waybox Enel X web management application could be used to execute arbitrary OS commands and provide administrator’s privileges over the Waybox system.
CVE-2024-52021
1Netgear
1R8500 Firmware
May 2, 2025
Nov 5, 2024
N/A· v4
8.0 HIGH· v3
N/A· v2
Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at bsw_fix.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request...Show more
Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at bsw_fix.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.Show less
CVE-2024-52020
1Netgear
1R8500 Firmware
May 2, 2025
Nov 5, 2024
N/A· v4
8.0 HIGH· v3
N/A· v2
Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at wiz_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted reques...Show more
Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at wiz_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.Show less
CVE-2024-52019
1Netgear
1R8500 Firmware
May 2, 2025
Nov 5, 2024
N/A· v4
8.0 HIGH· v3
N/A· v2
Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at genie_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted requ...Show more
Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at genie_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.Show less
CVE-2024-52018
1Netgear
1Xr300 Firmware
May 2, 2025
Nov 5, 2024
N/A· v4
8.0 HIGH· v3
N/A· v2
Netgear XR300 v1.0.3.78 was discovered to contain a command injection vulnerability in the system_name parameter at genie_dyn.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted reques...Show more
Netgear XR300 v1.0.3.78 was discovered to contain a command injection vulnerability in the system_name parameter at genie_dyn.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.Show less
CVE-2024-51024
1Dlink
1Dir 823g Firmware
May 7, 2025
Nov 5, 2024
N/A· v4
8.0 HIGH· v3
N/A· v2
D-Link DIR_823G 1.0.2B05 was discovered to contain a command injection vulnerability via the HostName parameter in the SetWanSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a c...Show more
D-Link DIR_823G 1.0.2B05 was discovered to contain a command injection vulnerability via the HostName parameter in the SetWanSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.Show less
CVE-2024-51023
1Dlink
1Dir 823g Firmware
May 7, 2025
Nov 5, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
D-Link DIR_823G 1.0.2B05 was discovered to contain a command injection vulnerability via the Address parameter in the SetNetworkTomographySettings function. This vulnerability allows attackers to execute arbitrary OS com...Show more
D-Link DIR_823G 1.0.2B05 was discovered to contain a command injection vulnerability via the Address parameter in the SetNetworkTomographySettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.Show less
CVE-2024-51021
1Netgear
3R6400v2 Firmware
R7000p FirmwareXr300 Firmware
May 21, 2025
Nov 5, 2024
N/A· v4
8.0 HIGH· v3
N/A· v2
Netgear XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 was discovered to contain a command injection vulnerability via the wan_gateway parameter at genie_fix2.cgi. This vulnerability allows attackers to execu...Show more
Netgear XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 was discovered to contain a command injection vulnerability via the wan_gateway parameter at genie_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.Show less
CVE-2024-51010
1Netgear
4R6400v2 Firmware
R7000p FirmwareR8500 Firmware+1 more
May 21, 2025
Nov 5, 2024
N/A· v4
8.0 HIGH· v3
N/A· v2
Netgear R8500 v1.0.2.160, XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 were discovered to contain a command injection vulnerability in the component ap_mode.cgi via the apmode_gateway parameter. This vulner...Show more
Netgear R8500 v1.0.2.160, XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 were discovered to contain a command injection vulnerability in the component ap_mode.cgi via the apmode_gateway parameter. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.Show less
CVE-2024-51009
1Netgear
1R8500 Firmware
May 2, 2025
Nov 5, 2024
N/A· v4
8.0 HIGH· v3
N/A· v2
Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at ether.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.
CVE-2024-51008
1Netgear
1Xr300 Firmware
May 2, 2025
Nov 5, 2024
N/A· v4
8.0 HIGH· v3
N/A· v2
Netgear XR300 v1.0.3.78 was discovered to contain a command injection vulnerability in the system_name parameter at wiz_dyn.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.