Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-37861 1Phoenixcontact 6Wp 6070 Wvps Firmware Wp 6101 Wxps FirmwareWp 6121 Wxps Firmware+3 more Jun 17, 2026 Aug 9, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated remote attacker can execute code with root permissions with a specially crafted HTTP POST when uploading a certificate to the dev...Show more In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated remote attacker can execute code with root permissions with a specially crafted HTTP POST when uploading a certificate to the device.Show less
CVE-2023-37569 1Esds.co 1Emagic Data Center Management Jun 17, 2026 Aug 8, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 This vulnerability exists in ESDS Emagic Data Center Management Suit due to lack of input sanitization in its Ping component. A remote authenticated attacker could exploit this by injecting OS commands on the targeted sy...Show more This vulnerability exists in ESDS Emagic Data Center Management Suit due to lack of input sanitization in its Ping component. A remote authenticated attacker could exploit this by injecting OS commands on the targeted system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on targeted system.Show less
CVE-2023-3573 1Phoenixcontact 6Wp 6070 Wvps Firmware Wp 6101 Wxps FirmwareWp 6121 Wxps Firmware+3 more Jun 17, 2026 Aug 8, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote attacker with low privileges may use a command injection in a HTTP POST request releated to font configuration operations to gain full ac...Show more In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote attacker with low privileges may use a command injection in a HTTP POST request releated to font configuration operations to gain full access to the device.Show less
CVE-2023-3572 1Phoenixcontact 6Wp 6070 Wvps Firmware Wp 6101 Wxps FirmwareWp 6121 Wxps Firmware+3 more Jun 17, 2026 Aug 8, 2023 N/A· v4 9.9 CRITICAL· v3 N/A· v2 In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote, unauthenticated attacker may use an attribute of a specific HTTP POST request releated to date/time operations to gain full access to th...Show more In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote, unauthenticated attacker may use an attribute of a specific HTTP POST request releated to date/time operations to gain full access to the device.Show less
CVE-2023-3571 1Phoenixcontact 6Wp 6070 Wvps Firmware Wp 6101 Wxps FirmwareWp 6121 Wxps Firmware+3 more Jun 17, 2026 Aug 8, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote attacker with low privileges may use a specific HTTP POST releated to certificate operations to gain full access to the device.
CVE-2023-3570 1Phoenixcontact 6Wp 6070 Wvps Firmware Wp 6101 Wxps FirmwareWp 6121 Wxps Firmware+3 more Jun 17, 2026 Aug 8, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote attacker with low privileges may use a specific HTTP DELETE request to gain full access to the device.
CVE-2023-38692 1Fit2cloud 1Cloudexplorer Lite Jun 17, 2026 Aug 4, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 CloudExplorer Lite is an open source, lightweight cloud management platform. Versions prior to 1.3.1 contain a command injection vulnerability in the installation function in module management. The vulnerability has been...Show more CloudExplorer Lite is an open source, lightweight cloud management platform. Versions prior to 1.3.1 contain a command injection vulnerability in the installation function in module management. The vulnerability has been fixed in v1.3.1. There are no known workarounds aside from upgrading.Show less
CVE-2023-33377 1Connectedio 1Connected Io Jun 17, 2026 Aug 4, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Connected IO v2.1.0 and prior has an OS command injection vulnerability in the set firewall command in part of its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
CVE-2023-33374 1Connectedio 1Connected Io Jun 17, 2026 Aug 4, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Connected IO v2.1.0 and prior has a command as part of its communication protocol allowing the management platform to specify arbitrary OS commands for devices to execute. Attackers abusing this dangerous functionality m...Show more Connected IO v2.1.0 and prior has a command as part of its communication protocol allowing the management platform to specify arbitrary OS commands for devices to execute. Attackers abusing this dangerous functionality may issue all devices OS commands to execute, resulting in arbitrary remote command execution.Show less
CVE-2023-33364 1Supremainc 1Biostar 2 Jun 17, 2026 Aug 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An OS Command injection vulnerability exists in Suprema BioStar 2 before V2.9.1, which allows authenticated users to execute arbitrary OS commands on the BioStar 2 server.
CVE-2023-21411 1Axis 1License Plate Verifier Jun 17, 2026 Aug 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 User provided input is not sanitized in the “Settings > Access Control” configuration interface allowing for arbitrary code execution.
CVE-2023-21410 1Axis 1License Plate Verifier Jun 17, 2026 Aug 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 User provided input is not sanitized on the AXIS License Plate Verifier specific “api.cgi” allowing for arbitrary code execution.
CVE-2023-26317 1Mi 1Xiaomi Router Firmware Jun 17, 2026 Aug 2, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to...Show more Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing.Show less
CVE-2023-31425 1Broadcom 1Fabric Operating System Jun 17, 2026 Aug 1, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A vulnerability in the fosexec command of Brocade Fabric OS after Brocade Fabric OS v9.1.0 and, before Brocade Fabric OS v9.1.1 could allow a local authenticated user to perform privilege escalation to root by breaking t...Show more A vulnerability in the fosexec command of Brocade Fabric OS after Brocade Fabric OS v9.1.0 and, before Brocade Fabric OS v9.1.1 could allow a local authenticated user to perform privilege escalation to root by breaking the rbash shell. Starting with Fabric OS v9.1.0, “root” account access is disabled.Show less
CVE-2023-4033 1Lfprojects 1Mlflow Jun 17, 2026 Aug 1, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
CVE-2023-35861 1Supermicro 165H12dgo 6 Firmware H12dgq Nt6 FirmwareH12dsg O Cpu Firmware+162 more Jun 17, 2026 Jul 31, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A shell-injection vulnerability in email notifications on Supermicro motherboards (such as H12DST-B before 03.10.35) allows remote attackers to inject execute arbitrary commands as root on the BMC.
CVE-2023-35019 1Ibm 1Security Verify Governance Jun 17, 2026 Jul 31, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM Security Verify Governance, Identity Manager 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 257873.
CVE-2023-37213 1Synel 1Synergy/a Firmware Jun 17, 2026 Jul 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Synel SYnergy Fingerprint Terminals - CWE-78: 'OS Command Injection'
CVE-2023-3975 1Diagrams 1Drawio Jun 17, 2026 Jul 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.
CVE-2023-3974 1Diagrams 1Drawio Jun 17, 2026 Jul 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.

Previous 1...145146147...299 Next