CWE-78

5,964 CVEs • Abstraction: Base • Likelihood of Exploit: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE | VENDORS | PRODUCTS | UPDATED | PUBLISHED | CVSS
Vendors (1): Wago
Products (7): Compact Controller 100 Firmware, Edge Controller Firmware, Pfc100 Firmware, +4 more
Updated: Jun 17, 2026
Published: May 15, 2023
CVSS: N/A · v4 | 9.8 CRITICAL · v3 | N/A · v2
In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.

Vendors (1): Loadbalancer
Products (1): Enterprise Va Max
Updated: Jun 17, 2026
Published: May 12, 2023
CVSS: N/A · v4 | 8.8 HIGH · v3 | N/A · v2
Loadbalancer.org Enterprise VA MAX through 8.3.8 has an OS Command Injection vulnerability that allows a remote authenticated attacker to execute arbitrary code.

Vendors (1): Westerndigital
Products (1): My Cloud Os
Updated: Jun 17, 2026
Published: May 10, 2023
CVSS: N/A · v4 | 9.8 CRITICAL · v3 | N/A · v2
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell in Western Digital My Cloud OS 5 devices. This issue affects My Cloud OS 5: before 5.26.119.

Vendors (1): Veritas
Products (1): Infoscale Operations Manager
Updated: Jun 17, 2026
Published: May 10, 2023
CVSS: N/A · v4 | 7.2 HIGH · v3 | N/A · v2
An issue was discovered in Veritas InfoScale Operations Manager (VIOM) before 7.4.2.800 and 8.x before 8.0.410. The VIOM web application does not validate user-supplied data and appends it to OS commands and internal binaries used by the application. An attacker with root/administrator level privileges can leverage this to read sensitive data stored on the servers, modify data or server configuration, and delete data or application configuration.

Vendors (1): Siemens
Products (1): Scalance Lpe9403 Firmware
Updated: Jun 17, 2026
Published: May 9, 2023
CVSS: N/A · v4 | 9.9 CRITICAL · v3 | N/A · v2
A vulnerability has been identified in SCALANCE LPE9403 (All versions < V2.1). The web based management of affected device does not properly validate user input, making it susceptible to command injection. This could allow an authenticated remote attacker to access the underlying operating system as the root user.

Vendors (1): Advantech
Products (3): Eki 1521 Firmware, Eki 1522 Firmware, Eki 1524 Firmware
Updated: Jun 17, 2026
Published: May 8, 2023
CVSS: N/A · v4 | 8.8 HIGH · v3 | N/A · v2
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request.

Vendors (1): Advantech
Products (3): Eki 1521 Firmware, Eki 1522 Firmware, Eki 1524 Firmware
Updated: Jun 17, 2026
Published: May 8, 2023
CVSS: N/A · v4 | 8.8 HIGH · v3 | N/A · v2
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.

Vendors (1): Metersphere
Products (1): Metersphere
Updated: Jun 17, 2026
Published: May 8, 2023
CVSS: N/A · v4 | 9.8 CRITICAL · v3 | N/A · v2
Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Execution. The system command reverse-shell can be executed at the custom code snippet function of the metersphere system workbench.

Vendors (1): Scanservjs Project
Products (1): Scanservjs
Updated: Jun 17, 2026
Published: May 7, 2023
CVSS: N/A · v4 | 10.0 CRITICAL · v3 | N/A · v2
OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0.

Vendors (1): Totolink
Products (1): A7100ru Firmware
Updated: Jun 17, 2026
Published: May 5, 2023
CVSS: N/A · v4 | 9.8 CRITICAL · v3 | N/A · v2
TOTOLINK A7100RU V7.4cu.2313_B20191024 has a Command Injection vulnerability. An attacker can obtain a stable root shell through a specially constructed payload.

Vendors (1): Totolink
Products (1): A7100ru Firmware
Updated: Jun 17, 2026
Published: May 5, 2023
CVSS: N/A · v4 | 9.8 CRITICAL · v3 | N/A · v2
TOTOLINK A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection.

Vendors (1): Totolink
Products (1): X5000r Firmware
Updated: Jun 17, 2026
Published: May 5, 2023
CVSS: N/A · v4 | 9.8 CRITICAL · v3 | N/A · v2
TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

Vendors (1): Feiyuxing
Products (1): Vec40g Firmware
Updated: Jun 17, 2026
Published: May 4, 2023
CVSS: N/A · v4 | 7.2 HIGH · v3 | 5.8 MEDIUM · v2
A vulnerability was found in Chengdu VEC40G 3.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /send_order.cgi?parameter=access_detect of the component Network Detection. The manipulation of the argument COUNT with the input 3 | netstat -an leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228013 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Vendors (1): Ibm
Products (3): 3948 Ved Firmware, 3957 Vec Firmware, 3957 Ved Firmware
Updated: Jun 17, 2026
Published: May 4, 2023
CVSS: N/A · v4 | 8.8 HIGH · v3 | N/A · v2
A vulnerability in the IBM TS7700 Management Interface 8.51.2.12, 8.52.200.111, 8.52.102.13, and 8.53.0.63 could allow an authenticated user to submit a specially crafted URL leading to privilege escalation and remote code execution. IBM X-Force ID: 246320.

Vendors (1): Fortinet
Products (1): Fortiadc
Updated: Jun 17, 2026
Published: May 3, 2023
CVSS: N/A · v4 | 7.8 HIGH · v3 | N/A · v2
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC 7.2.0, 7.1.0 through 7.1.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

Vendors (1): Opentsdb
Products (1): Opentsdb
Updated: Jun 17, 2026
Published: May 3, 2023
CVSS: N/A · v4 | 9.8 CRITICAL · v3 | N/A · v2
Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.

Vendors (1): F5
Products (1): Big Ip Domain Name System
Updated: Jun 17, 2026
Published: May 3, 2023
CVSS: N/A · v4 | 8.8 HIGH · v3 | N/A · v2
When DNS is provisioned, an authenticated remote command execution vulnerability exists in DNS iQuery mesh. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendors (1): Gl Inet
Products (1): Gl Mt3000 Firmware
Updated: Jun 17, 2026
Published: May 2, 2023
CVSS: N/A · v4 | 9.8 CRITICAL · v3 | N/A · v2
GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread.

Vendors (1): Appium
Products (1): Appium Desktop
Updated: Jun 17, 2026
Published: May 2, 2023
CVSS: N/A · v4 | 9.8 CRITICAL · v3 | N/A · v2
OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4.

Vendors (1): Zyxel
Products (1): Nbg6604 Firmware
Updated: Jun 17, 2026
Published: May 1, 2023
CVSS: N/A · v4 | 8.8 HIGH · v3 | N/A · v2
The post-authentication command injection vulnerability in the Zyxel NBG6604 firmware version V1.01(ABIR.0)C0 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request.