Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-25923 1Exec Local Bin Project 1Exec Local Bin Apr 10, 2025 Jan 6, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization.
CVE-2022-44877 1Control Webpanel 1Webpanel Nov 3, 2025 Jan 5, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
CVE-2022-43538 1Arubanetworks 1Clearpass Policy Manager Apr 10, 2025 Jan 5, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arb...Show more Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. Show less
CVE-2022-43537 1Arubanetworks 1Clearpass Policy Manager Apr 10, 2025 Jan 5, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arb...Show more Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. Show less
CVE-2022-43536 1Arubanetworks 1Clearpass Policy Manager Apr 10, 2025 Jan 5, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arb...Show more Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. Show less
CVE-2022-25926 1Window Control Project 1Window Control Apr 10, 2025 Jan 4, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Versions of the package window-control before 1.4.5 are vulnerable to Command Injection via the sendKeys function, due to improper input sanitization.
CVE-2022-39947 1Fortinet 1Fortiadc Nov 21, 2024 Jan 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiADC version 7.0.0 through 7.0.2, FortiADC version 6.2.0 through 6.2.3, FortiADC version version 6.1.0 through...Show more A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiADC version 7.0.0 through 7.0.2, FortiADC version 6.2.0 through 6.2.3, FortiADC version version 6.1.0 through 6.1.6, FortiADC version 6.0.0 through 6.0.4, FortiADC version 5.4.0 through 5.4.5 may allow an attacker to execute unauthorized code or commands via specifically crafted HTTP requests.Show less
CVE-2022-35845 1Fortinet 1Fortitester Nov 21, 2024 Jan 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Multiple improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in FortiTester 7.1.0, 7.0 all versions, 4.0.0 through 4.2.0, 2.3.0 through 3.9.1 may allow an a...Show more Multiple improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in FortiTester 7.1.0, 7.0 all versions, 4.0.0 through 4.2.0, 2.3.0 through 3.9.1 may allow an authenticated attacker to execute arbitrary commands in the underlying shell.Show less
CVE-2022-46304 1Changingtec 1Servisign Nov 21, 2024 Jan 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 ChangingTec ServiSign component has insufficient filtering for special characters in the connection response parameter. An unauthenticated remote attacker can host a malicious website for the component user to access, wh...Show more ChangingTec ServiSign component has insufficient filtering for special characters in the connection response parameter. An unauthenticated remote attacker can host a malicious website for the component user to access, which triggers command injection and allows the attacker to execute arbitrary system command to perform arbitrary system operation or disrupt service.Show less
CVE-2022-40740 1Realtek 2Usdk Xpon Software Development Kit Nov 21, 2024 Jan 3, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Realtek GPON router has insufficient filtering for special characters. A remote attacker authenticated as an administrator can exploit this vulnerability to perform command injection attacks, to execute arbitrary system...Show more Realtek GPON router has insufficient filtering for special characters. A remote attacker authenticated as an administrator can exploit this vulnerability to perform command injection attacks, to execute arbitrary system command, manipulate system or disrupt service.Show less
CVE-2022-46598 1Trendnet 1Tew 755ap Firmware Apr 11, 2025 Dec 30, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TRENDnet TEW755AP 1.13B01 was discovered to contain a command injection vulnerability via the wps_sta_enrollee_pin parameter in the action set_sta_enrollee_pin_5g function.
CVE-2022-46597 1Trendnet 1Tew 755ap Firmware Apr 11, 2025 Dec 30, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TRENDnet TEW755AP 1.13B01 was discovered to contain a command injection vulnerability via the sys_service parameter in the setup_wizard_mydlink (sub_4104B8) function.
CVE-2021-4281 1Forthebadge 1For The Badge Nov 21, 2024 Dec 26, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A vulnerability was found in Brave UX for-the-badge and classified as critical. Affected by this issue is some unknown functionality of the file .github/workflows/combine-prs.yml. The manipulation leads to os command inj...Show more A vulnerability was found in Brave UX for-the-badge and classified as critical. Affected by this issue is some unknown functionality of the file .github/workflows/combine-prs.yml. The manipulation leads to os command injection. The name of the patch is 55b5a234c0fab935df5fb08365bc8fe9c37cf46b. It is recommended to apply a patch to fix this issue. VDB-216842 is the identifier assigned to this vulnerability.Show less
CVE-2022-40005 1Intelbras 1Wifiber 120ac Inmesh Firmware Apr 14, 2025 Dec 25, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute.
CVE-2022-45717 1Ip Com 1M50 Firmware Apr 15, 2025 Dec 23, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 IP-COM M50 V15.11.0.33(10768) was discovered to contain a command injection vulnerability via the usbPartitionName parameter in the formSetUSBPartitionUmount function. This vulnerability is exploited via a crafted GET re...Show more IP-COM M50 V15.11.0.33(10768) was discovered to contain a command injection vulnerability via the usbPartitionName parameter in the formSetUSBPartitionUmount function. This vulnerability is exploited via a crafted GET request.Show less
CVE-2022-45711 1Ip Com 1M50 Firmware Apr 15, 2025 Dec 23, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 IP-COM M50 V15.11.0.33(10768) was discovered to contain a command injection vulnerability via the hostname parameter in the formSetNetCheckTools function.
CVE-2022-45709 1Ip Com 1M50 Firmware Apr 15, 2025 Dec 23, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 IP-COM M50 V15.11.0.33(10768) was discovered to contain multiple command injection vulnerabilities via the pEnable, pLevel, and pModule parameters in the formSetDebugCfg function.
CVE-2022-44567 1Rocketchat 1Rocket.chat Apr 15, 2025 Dec 23, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution...Show more A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). To exploit the vulnerability, the internal video chat window must be disabled or a Mac App Store build must be used (internalVideoChatWindow.ts#L14). The vulnerability may be exploited by an XSS attack because the function openInternalVideoChatWindow is exposed in the Rocket.Chat-Desktop-API.Show less
CVE-2021-32692 1Activitywatch 1Activitywatch Nov 21, 2024 Dec 23, 2022 N/A· v4 9.6 CRITICAL· v3 N/A· v2 Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vul...Show more Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.Show less
CVE-2022-3183 1Dataprobe 12Iboot Pdu4 N20 Firmware Iboot Pdu4a N15 FirmwareIboot Pdu4a N20 Firmware+9 more Nov 21, 2024 Dec 21, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specific function does not sanitize the input provided by the user, which may expose the affected to an OS command injection vulnerab...Show more Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specific function does not sanitize the input provided by the user, which may expose the affected to an OS command injection vulnerability. Show less

Previous 1...161162163...299 Next