Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-3314 1Trellix 1Enterprise Security Manager Jun 17, 2026 Jul 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability arises out of a failure to comprehensively sanitize the processing of a zip file(s). Incomplete neutralization of external commands used to control the process execution of the .zip application allows an...Show more A vulnerability arises out of a failure to comprehensively sanitize the processing of a zip file(s). Incomplete neutralization of external commands used to control the process execution of the .zip application allows an authorized user to obtain control of the .zip application to execute arbitrary commands or obtain elevation of system privileges. Show less
CVE-2023-3313 1Trellix 1Enterprise Security Manager Jun 17, 2026 Jul 3, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 An OS common injection vulnerability exists in the ESM certificate API, whereby incorrectly neutralized special elements may have allowed an unauthorized user to execute system command injection for the purpose of privi...Show more An OS common injection vulnerability exists in the ESM certificate API, whereby incorrectly neutralized special elements may have allowed an unauthorized user to execute system command injection for the purpose of privilege escalation or to execute arbitrary commands. Show less
CVE-2023-22816 1Westerndigital 1My Cloud Os Jun 17, 2026 Jun 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A post-authentication remote command injection vulnerability in a CGI file in Western Digital My Cloud OS 5 devices that could allow an attacker to build files with redirects and execute larger payloads. This issue affec...Show more A post-authentication remote command injection vulnerability in a CGI file in Western Digital My Cloud OS 5 devices that could allow an attacker to build files with redirects and execute larger payloads. This issue affects My Cloud OS 5 devices: before 5.26.300.Show less
CVE-2023-22815 1Westerndigital 1My Cloud Os Jun 17, 2026 Jun 30, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability...Show more Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high. This issue affects My Cloud OS 5 devices: before 5.26.300.Show less
CVE-2023-32622 1Wavlink 1Wl Wn531ax2 Firmware Jun 17, 2026 Jun 30, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper neutralization of special elements in WL-WN531AX2 firmware versions prior to 2023526 allows an attacker with an administrative privilege to execute OS commands with the root privilege.
CVE-2023-36143 1Maxprintisp 1Maxlink 1200g Firmware Jun 17, 2026 Jun 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Maxprint Maxlink 1200G v3.4.11E has an OS command injection vulnerability in the "Diagnostic tool" functionality of the device.
CVE-2022-44720 1Ucopia 1Wireless Appliance Firmware Jun 17, 2026 Jun 29, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in Weblib Ucopia before 6.0.13. OS Command Injection injection can occur, related to chroot.
CVE-2023-26613 1Dlink 1Dir 823g Firmware Jun 17, 2026 Jun 29, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS command injection vulnerability in D-Link DIR-823G firmware version 1.02B05 allows unauthorized attackers to execute arbitrary operating system commands via a crafted GET request to EXCU_SHELL.
CVE-2023-3450 1Ruijie 1Rg Bcr860 Firmware Jun 17, 2026 Jun 28, 2023 N/A· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was found in Ruijie RG-BCR860 2.5.13 and classified as critical. This issue affects some unknown processing of the component Network Diagnostic Page. The manipulation leads to os command injection. The at...Show more A vulnerability was found in Ruijie RG-BCR860 2.5.13 and classified as critical. This issue affects some unknown processing of the component Network Diagnostic Page. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-232547. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2023-2625 1Abb 1Txpert Hub Coretec 4 Firmware Jun 17, 2026 Jun 28, 2023 N/A· v4 8.0 HIGH· v3 N/A· v2 A vulnerability exists that can be exploited by an authenticated client that is connected to the same network segment as the CoreTec 4, having any level of access VIEWER to ADMIN. To exploit the vulnerability the attacke...Show more A vulnerability exists that can be exploited by an authenticated client that is connected to the same network segment as the CoreTec 4, having any level of access VIEWER to ADMIN. To exploit the vulnerability the attacker can inject shell commands through a particular field of the web user interface that will be executed by the system.Show less
CVE-2023-26134 1Git Commit Info Project 1Git Commit Info Jun 17, 2026 Jun 28, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo () fails to sanitize its parameter commit, which later flows into a sensitive c...Show more Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo () fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content.Show less
CVE-2023-3333 1Nec 17Aterm Wf300hp Firmware Aterm Wg1400hp FirmwareAterm Wg1800hp2 Firmware+14 more Jun 17, 2026 Jun 28, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an OS Command vulnerability in NEC Corporation Aterm WG2600HP2, WG2600HP, WG2200HP, WG1800HP2, WG1800HP, WG1400HP, WG600HP, WG300HP, WF300HP, WR9500N, WR9300N, WR8750N,...Show more Improper Neutralization of Special Elements used in an OS Command vulnerability in NEC Corporation Aterm WG2600HP2, WG2600HP, WG2200HP, WG1800HP2, WG1800HP, WG1400HP, WG600HP, WG300HP, WF300HP, WR9500N, WR9300N, WR8750N, WR8700N, WR8600N, WR8370N, WR8175N and WR8170N all versions allows a attacker to execute an arbitrary OS command with the root privilege, after obtaining a high privilege exploiting CVE-2023-3330 and CVE-2023-3331 vulnerabilities.Show less
CVE-2023-34420 1Lenovo 1Xclarity Administrator Jun 17, 2026 Jun 26, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API.
CVE-2023-30261 1Openwb 1Openwb Jun 17, 2026 Jun 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Command Injection vulnerability in OpenWB 1.6 and 1.7 allows remote attackers to run arbitrary commands via crafted GET request.
CVE-2023-34254 1Glpi Project 1Glpi Agent Jun 17, 2026 Jun 23, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running remoteinventory task against an Unix platform with ssh command, an administrator user on the remote can manage to inject a comm...Show more The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running remoteinventory task against an Unix platform with ssh command, an administrator user on the remote can manage to inject a command in a specific workflow the agent would run with the privileges it uses. In the case, the agent is running with administration privileges, a malicious user could gain high privileges on the computer glpi-agent is running on. A malicious user could also disclose all remote accesses the agent is configured with for remoteinventory task. This vulnerability has been patched in glpi-agent 1.5.Show less
CVE-2023-30258 1Magnussolution 1Magnusbilling Jun 17, 2026 Jun 23, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
CVE-2023-35174 1Livebook 1Livebook Jun 17, 2026 Jun 22, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Livebook is a web application for writing interactive and collaborative code notebooks. On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code exec...Show more Livebook is a web application for writing interactive and collaborative code notebooks. On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code execution on victim's machine. Any user using Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from browser. This vulnerability has been fixed in version 0.8.2 and 0.9.3. Show less
CVE-2023-24261 1Gl Inet 1Gl E750 Firmware Jun 17, 2026 Jun 21, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 A vulnerability in GL.iNET GL-E750 Mudi before firmware v3.216 allows authenticated attackers to execute arbitrary code via a crafted POST request.
CVE-2023-33869 1Enphase 1Envoy Firmware Jun 17, 2026 Jun 20, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Enphase Envoy versions D7.0.88 is vulnerable to a command injection exploit that may allow an attacker to execute root commands.
CVE-2023-27992 1Zyxel 3Nas326 Firmware Nas540 FirmwareNas542 Firmware Jun 17, 2026 Jun 19, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG...Show more The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.Show less

Previous 1...148149150...299 Next