Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-4643 1Search 1Docconv Nov 21, 2024 Dec 21, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A vulnerability was found in docconv up to 1.2.0. It has been declared as critical. This vulnerability affects the function ConvertPDFImages of the file pdf_ocr.go. The manipulation of the argument path leads to os comma...Show more A vulnerability was found in docconv up to 1.2.0. It has been declared as critical. This vulnerability affects the function ConvertPDFImages of the file pdf_ocr.go. The manipulation of the argument path leads to os command injection. The attack can be initiated remotely. Upgrading to version 1.2.1 is able to address this issue. The name of the patch is b19021ade3d0b71c89d35cb00eb9e589a121faa5. It is recommended to upgrade the affected component. VDB-216502 is the identifier assigned to this vulnerability.Show less
CVE-2022-24431 1Abacus Ext Cmdline Project 1Abacus Ext Cmdline Apr 15, 2025 Dec 21, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 All versions of package abacus-ext-cmdline are vulnerable to Command Injection via the execute function due to improper user-input sanitization.
CVE-2022-4515 2Debian Exuberant Ctags Project 2Debian Linux Exuberant Ctags Apr 14, 2025 Dec 20, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary co...Show more A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.Show less
CVE-2022-46538 1Tenda 1F1203 Firmware Apr 16, 2025 Dec 20, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Tenda F1203 V2.0.1.6 was discovered to contain a command injection vulnerability via the mac parameter at /goform/WriteFacMac.
CVE-2022-40624 1Pfsense 1Pfblockerng Apr 17, 2025 Dec 20, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.
CVE-2022-45942 1Baijiacms Project 1Baijiacms Apr 17, 2025 Dec 20, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 A Remote Code Execution (RCE) vulnerability was found in includes/baijiacms/common.inc.php in baijiacms v4.
CVE-2022-25171 1P4 Project 1P4 Apr 16, 2025 Dec 20, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The package p4 before 0.0.7 are vulnerable to Command Injection via the run() function due to improper input sanitization
CVE-2022-44456 1Contec 1Conprosys Hmi System Apr 17, 2025 Dec 19, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 CONPROSYS HMI System (CHS) Ver.3.4.4?and earlier allows a remote unauthenticated attacker to execute an arbitrary OS command on the server where the product is running by sending a specially crafted request.
CVE-2022-43466 1Buffalo 10Wex 1800ax4 Firmware Wex 1800ax4ea FirmwareWsr 2533dhp2 Firmware+7 more Apr 17, 2025 Dec 19, 2022 N/A· v4 6.8 MEDIUM· v3 N/A· v2 OS command injection vulnerability in Buffalo network devices allows a network-adjacent attacker with an administrative privilege to execute an arbitrary OS command if a specially crafted request is sent to a specific CG...Show more OS command injection vulnerability in Buffalo network devices allows a network-adjacent attacker with an administrative privilege to execute an arbitrary OS command if a specially crafted request is sent to a specific CGI program.Show less
CVE-2022-43443 1Buffalo 11Wcr 1166ds Firmware Wsr 2533dhp2 FirmwareWsr 2533dhp3 Firmware+8 more Apr 17, 2025 Dec 19, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 OS command injection vulnerability in Buffalo network devices allows an network-adjacent attacker to execute an arbitrary OS command if a specially crafted request is sent to the management page.
CVE-2022-26582 1Paxtechnology 1Paydroid Nov 21, 2024 Dec 16, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an attacker to gain root access through command injection in systool client. The attacker must have shell access to the device in order to exploit t...Show more PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an attacker to gain root access through command injection in systool client. The attacker must have shell access to the device in order to exploit this vulnerability.Show less
CVE-2022-26580 1Paxtechnology 1Paydroid Nov 21, 2024 Dec 16, 2022 N/A· v4 6.8 MEDIUM· v3 N/A· v2 PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow the execution of specific command injections on selected binaries in the ADB daemon shell service. The attacker must have physical USB access to the...Show more PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow the execution of specific command injections on selected binaries in the ADB daemon shell service. The attacker must have physical USB access to the device in order to exploit this vulnerability.Show less
CVE-2022-47210 1Netgear 1Rax30 Firmware Apr 17, 2025 Dec 16, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 The default console presented to users over telnet (when enabled) is restricted to a subset of commands. Commands issued at this console, however, appear to be fed directly into a system call or other similar function. T...Show more The default console presented to users over telnet (when enabled) is restricted to a subset of commands. Commands issued at this console, however, appear to be fed directly into a system call or other similar function. This allows any authenticated user to execute arbitrary commands on the device.Show less
CVE-2022-47208 1Netgear 6Nighthawk Ax11000 Firmware Nighthawk Ax1800 FirmwareNighthawk Ax2400 Firmware+3 more Apr 17, 2025 Dec 16, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 The “puhttpsniff” service, which runs by default, is susceptible to command injection due to improperly sanitized user input. An unauthenticated attacker on the same network segment as the router can execute arbitrary co...Show more The “puhttpsniff” service, which runs by default, is susceptible to command injection due to improperly sanitized user input. An unauthenticated attacker on the same network segment as the router can execute arbitrary commands on the device without authentication.Show less
CVE-2022-46634 1Totolink 1A7100ru Firmware Apr 21, 2025 Dec 15, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiWpsCfg function.
CVE-2022-46631 1Totolink 1A7100ru Firmware Apr 21, 2025 Dec 15, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiSignalCfg function.
CVE-2022-24377 1Cycle Import Check Project 1Cycle Import Check Apr 17, 2025 Dec 14, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The package cycle-import-check before 1.3.2 are vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.
CVE-2022-42140 1Deltaww 1Dx 2100 L1 Cn Firmware Apr 22, 2025 Dec 14, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 Delta Electronics DX-2100-L1-CN 2.42 is vulnerable to Command Injection via lform/net_diagnose.
CVE-2022-42139 1Deltaww 1Dvw W02w2 E2 Firmware Apr 22, 2025 Dec 14, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Delta Electronics DVW-W02W2-E2 1.5.0.10 is vulnerable to Command Injection via Crafted URL.
CVE-2022-45005 1Ip Com 1Ew9 Firmware Apr 22, 2025 Dec 13, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 IP-COM EW9 V15.11.0.14(9732) was discovered to contain a command injection vulnerability in the cmd_get_ping_output function.

Previous 1...162163164...299 Next