Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-22836 1Akaunting 1Akaunting Jun 20, 2025 Feb 8, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.
CVE-2024-24091 1Yealink 1Yealink Meeting Server Nov 21, 2024 Feb 8, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface.
CVE-2023-47618 1Tp Link 1Er7206 Firmware Nov 4, 2025 Feb 6, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A post authentication command execution vulnerability exists in the web filtering functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbi...Show more A post authentication command execution vulnerability exists in the web filtering functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2023-47617 1Tp Link 1Er7206 Firmware Nov 4, 2025 Feb 6, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A post authentication command injection vulnerability exists when configuring the web group member of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to a...Show more A post authentication command injection vulnerability exists when configuring the web group member of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2023-47209 1Tp Link 1Er7206 Firmware Nov 4, 2025 Feb 6, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A post authentication command injection vulnerability exists in the ipsec policy functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbit...Show more A post authentication command injection vulnerability exists in the ipsec policy functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2023-47167 1Tp Link 1Er7206 Firmware Nov 4, 2025 Feb 6, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A post authentication command injection vulnerability exists in the GRE policy functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitra...Show more A post authentication command injection vulnerability exists in the GRE policy functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2023-46683 1Tp Link 1Er7206 Firmware Nov 4, 2025 Feb 6, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A post authentication command injection vulnerability exists when configuring the wireguard VPN functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request c...Show more A post authentication command injection vulnerability exists when configuring the wireguard VPN functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection . An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2023-43482 1Tp Link 1Er7206 Firmware Nov 4, 2025 Feb 6, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A command execution vulnerability exists in the guest resource functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execu...Show more A command execution vulnerability exists in the guest resource functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2023-42664 1Tp Link 1Er7206 Firmware Nov 4, 2025 Feb 6, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A post authentication command injection vulnerability exists when setting up the PPTP global configuration of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can l...Show more A post authentication command injection vulnerability exists when setting up the PPTP global configuration of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2023-36498 1Tp Link 1Er7206 Firmware Nov 4, 2025 Feb 6, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A post-authentication command injection vulnerability exists in the PPTP client functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitr...Show more A post-authentication command injection vulnerability exists in the PPTP client functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability and gain access to an unrestricted shell.Show less
CVE-2023-46359 1Hardy Barth 1Cph2 Echarge Firmware Nov 21, 2024 Feb 6, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS command injection vulnerability in Hardy Barth cPH2 eCharge Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted argum...Show more An OS command injection vulnerability in Hardy Barth cPH2 eCharge Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted arguments passed to the connectivity check feature.Show less
CVE-2024-23109 1Fortinet 1Fortisiem Jan 14, 2026 Feb 5, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via via crafted API requests.
CVE-2024-23108 1Fortinet 1Fortisiem Jan 14, 2026 Feb 5, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via via crafted API requests.
CVE-2023-5677 1Axis 11M3024 Lve Firmware M3025 Ve FirmwareM7014 Firmware+8 more May 15, 2025 Feb 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Brandon Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be...Show more Brandon Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Please refer to the Axis security advisory for more information and solution.Show less
CVE-2023-47567 1Qnap 3Qts Quts HeroQutscloud Nov 21, 2024 Feb 2, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We ha...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later Show less
CVE-2023-47566 1Qnap 3Qts Quts HeroQutscloud Nov 21, 2024 Feb 2, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We ha...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later Show less
CVE-2023-47562 1Qnap 1Photo Station Nov 21, 2024 Feb 2, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability...Show more An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later Show less
CVE-2023-45025 1Qnap 3Qts Quts HeroQutscloud Nov 21, 2024 Feb 2, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vu...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later Show less
CVE-2023-41283 1Qnap 3Qts Quts HeroQutscloud Nov 21, 2024 Feb 2, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We ha...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later Show less
CVE-2023-41282 1Qnap 3Qts Quts HeroQutscloud Nov 21, 2024 Feb 2, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We ha...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later Show less

Previous 1...127128129...299 Next