Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-20275 1Cisco 1Secure Firewall Management Center Aug 5, 2025 Oct 23, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A vulnerability in the cluster backup feature of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to execute arbitrary c...Show more A vulnerability in the cluster backup feature of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. This vulnerability is due to insufficient validation of user data that is supplied through the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to execute arbitrary operating system commands on the affected device. To exploit this vulnerability, an attacker would need valid credentials for a user account with at least the role of Network Administrator. In addition, the attacker would need to persuade a legitimate user to initiate a cluster backup on the affected device.Show less
CVE-2024-47901 1Siemens 2Intermesh 7177 Hybrid 2.0 Subscriber Intermesh 7707 Fire Subscriber Firmware Oct 30, 2024 Oct 23, 2024 10.0 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default c...Show more A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not sanitize the input parameters in specific GET requests that allow for code execution on operating system level. In combination with other vulnerabilities (CVE-2024-47902, CVE-2024-47903, CVE-2024-47904) this could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.Show less
CVE-2024-10202 1Wellchoose 1Administrative Management System Oct 24, 2024 Oct 21, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Administrative Management System from Wellchoose has an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject and execute arbitrary OS commands.
CVE-2024-10119 1Zte 1Wrtm326 Firmware Nov 1, 2024 Oct 18, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The wireless router WRTM326 from SECOM does not properly validate a specific parameter. An unauthenticated remote attacker could execute arbitrary system commands by sending crafted requests.
CVE-2024-10118 - - Oct 18, 2024 Oct 18, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SECOM WRTR-304GN-304TW-UPSC does not properly filter user input in the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device...Show more SECOM WRTR-304GN-304TW-UPSC does not properly filter user input in the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.Show less
CVE-2024-49281 1Ninjateam 1Click To Chat Apr 23, 2026 Oct 17, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Ninja Team Click to Chat – WP Support All-in-One Floating Widget support-chat allows Stored XSS.This issue affec...Show more Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Ninja Team Click to Chat – WP Support All-in-One Floating Widget support-chat allows Stored XSS.This issue affects Click to Chat – WP Support All-in-One Floating Widget: from n/a through <= 2.3.3.Show less
CVE-2024-48638 1Dlink 2Dir 878 Firmware Dir 882 Firmware May 7, 2025 Oct 17, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SubnetMask parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attacke...Show more D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SubnetMask parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.Show less
CVE-2024-48637 1Dlink 2Dir 878 Firmware Dir 882 Firmware May 7, 2025 Oct 17, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:1/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to exe...Show more D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:1/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.Show less
CVE-2024-48636 1Dlink 2Dir 878 Firmware Dir 882 Firmware May 7, 2025 Oct 17, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:0/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to exe...Show more D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:0/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.Show less
CVE-2024-48635 1Dlink 2Dir 878 Firmware Dir 882 Firmware May 7, 2025 Oct 17, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:2/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to exe...Show more D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:2/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.Show less
CVE-2024-48634 1Dlink 2Dir 878 Firmware Dir 882 Firmware May 7, 2025 Oct 17, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the key parameter in the SetWLanRadioSecurity function. This vulnerability allows attackers to execute...Show more D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the key parameter in the SetWLanRadioSecurity function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.Show less
CVE-2024-48633 1Dlink 2Dir 878 Firmware Dir 882 Firmware May 7, 2025 Oct 17, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the ExternalPort, InternalPort, ProtocolNumber, and LocalIPAddress parameters in the SetVirtu...Show more D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the ExternalPort, InternalPort, ProtocolNumber, and LocalIPAddress parameters in the SetVirtualServerSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.Show less
CVE-2024-48632 1Dlink 2Dir 878 Firmware Dir 882 Firmware May 7, 2025 Oct 17, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the LocalIPAddress, TCPPorts, and UDPPorts parameters in the SetPortForwardingSettings functi...Show more D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the LocalIPAddress, TCPPorts, and UDPPorts parameters in the SetPortForwardingSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.Show less
CVE-2024-48631 1Dlink 2Dir 878 Firmware Dir 882 Firmware May 7, 2025 Oct 17, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SSID parameter in the SetWLanRadioSettings function. This vulnerability allows attackers to execut...Show more D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SSID parameter in the SetWLanRadioSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.Show less
CVE-2024-48630 1Dlink 2Dir 878 Firmware Dir 882 Firmware May 7, 2025 Oct 17, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the MacAddress parameter in the SetMACFilters2 function. This vulnerability allows attackers to execut...Show more D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the MacAddress parameter in the SetMACFilters2 function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.Show less
CVE-2024-48629 1Dlink 2Dir 878 Firmware Dir 882 Firmware May 7, 2025 Oct 17, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the IPAddress parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attacker...Show more D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the IPAddress parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.Show less
CVE-2024-6333 - - Sep 17, 2025 Oct 17, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 Authenticated Remote Code Execution in Altalink, Versalink & WorkCentre Products.
CVE-2005-10003 1Mikexstudios 1Xcomic Nov 14, 2024 Oct 17, 2024 6.3 MEDIUM· v4 9.8 CRITICAL· v3 5.1 MEDIUM· v2 A vulnerability classified as critical has been found in mikexstudios Xcomic up to 0.8.2. This affects an unknown part. The manipulation of the argument cmd leads to os command injection. It is possible to initiate the a...Show more A vulnerability classified as critical has been found in mikexstudios Xcomic up to 0.8.2. This affects an unknown part. The manipulation of the argument cmd leads to os command injection. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 0.8.3 is able to address this issue. The patch is named 6ed8e3cc336e29f09c7e791863d0559939da98bf. It is recommended to upgrade the affected component.Show less
CVE-2024-20461 1Cisco 2Ata 191 Firmware Ata 192 Firmware Oct 22, 2024 Oct 16, 2024 N/A· v4 6.0 MEDIUM· v3 N/A· v2 A vulnerability in the CLI of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an authenticated, local attacker with high privileges to execute arbitrary commands as the root user. This vulnerab...Show more A vulnerability in the CLI of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an authenticated, local attacker with high privileges to execute arbitrary commands as the root user. This vulnerability exists because CLI input is not properly sanitized. An attacker could exploit this vulnerability by sending malicious characters to the CLI. A successful exploit could allow the attacker to read and write to the underlying operating system as the root user.Show less
CVE-2024-20459 1Cisco 2Ata 191 Firmware Ata 192 Firmware Oct 22, 2024 Oct 16, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A vulnerability in the web-based management interface of Cisco ATA 190 Multiplatform Series Analog Telephone Adapter firmware could allow an authenticated, remote attacker with high privileges to execute arbitrary comman...Show more A vulnerability in the web-based management interface of Cisco ATA 190 Multiplatform Series Analog Telephone Adapter firmware could allow an authenticated, remote attacker with high privileges to execute arbitrary commands as the root user on the underlying operating system. This vulnerability is due to a lack of input sanitization in the web-based management interface. An attacker could exploit this vulnerability by sending a malicious request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system as the root user.Show less

Previous 1...101102103...299 Next