Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,885)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-2152 1Buffalo Inc 1Wnc01wh Firmware May 13, 2026 Apr 28, 2017 N/A· v4 6.8 MEDIUM· v3 5.2 MEDIUM· v2 WNC01WH firmware 1.0.0.9 and earlier allows authenticated attackers to execute arbitrary OS commands via unspecified vectors.
CVE-2017-2141 1Iodata 1Wn G300r3 Firmware May 13, 2026 Apr 28, 2017 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 WN-G300R3 firmware 1.03 and earlier allows attackers with administrator rights to execute arbitrary OS commands via unspecified vectors.
CVE-2017-2128 1Information Technology Promotion Agency 1Introduction To Safe Website Operation May 13, 2026 Apr 28, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Security guide for website operators allows remote attackers to execute arbitrary OS commands via specially crafted saved data.
CVE-2017-2112 1Iodata 7Ts Ptcam/poe Firmware Ts Ptcam FirmwareTs Wlc2 Firmware+4 more May 13, 2026 Apr 28, 2017 N/A· v4 8.8 HIGH· v3 8.3 HIGH· v2 TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM fir...Show more TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.Show less
CVE-2017-2096 1Smalruby 1Smalruby Editor May 13, 2026 Apr 28, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 smalruby-editor v0.4.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVE-2017-8220 1Tp Link 2C20i Firmware C2 Firmware May 13, 2026 Apr 25, 2017 N/A· v4 9.9 CRITICAL· v3 9.0 HIGH· v2 TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n allow remote code execution with a single HTTP request by placing shell commands in a "host=" line within HTTP POST data.
CVE-2017-3506 1Oracle 1Weblogic Server Apr 22, 2026 Apr 24, 2017 N/A· v4 7.4 HIGH· v3 5.8 MEDIUM· v2 Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to e...Show more Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).Show less
CVE-2017-8051 1Tenable 1Appliance May 13, 2026 Apr 21, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject...Show more Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.Show less
CVE-2016-8721 1Moxa 1Awk 3131a Firmware May 13, 2026 Apr 20, 2017 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 An exploitable OS Command Injection vulnerability exists in the web application 'ping' functionality of Moxa AWK-3131A Wireless Access Points running firmware 1.1. Specially crafted web form input can cause an OS Command...Show more An exploitable OS Command Injection vulnerability exists in the web application 'ping' functionality of Moxa AWK-3131A Wireless Access Points running firmware 1.1. Specially crafted web form input can cause an OS Command Injection resulting in complete compromise of the vulnerable device. An attacker can exploit this vulnerability remotely.Show less
CVE-2017-7690 1Proxifier 1Proxifier May 13, 2026 Apr 14, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Proxifier for Mac before 2.19.2, when first run, allows local users to gain privileges by replacing the KLoader binary with a Trojan horse program.
CVE-2016-5313 1Symantec 1Web Gateway May 13, 2026 Apr 12, 2017 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Symantec Web Gateway (SWG) before 5.2.5 allows remote authenticated users to execute arbitrary OS commands.
CVE-2017-6606 1Cisco 1Ios Xe May 13, 2026 Apr 7, 2017 N/A· v4 6.4 MEDIUM· v3 6.9 MEDIUM· v2 A vulnerability in a startup script of Cisco IOS XE Software could allow an unauthenticated attacker with physical access to the targeted system to execute arbitrary commands on the underlying operating system with the p...Show more A vulnerability in a startup script of Cisco IOS XE Software could allow an unauthenticated attacker with physical access to the targeted system to execute arbitrary commands on the underlying operating system with the privileges of the root user. More Information: CSCuz06639 CSCuz42122. Known Affected Releases: 15.6(1.1)S 16.1.2 16.2.0 15.2(1)E. Known Fixed Releases: Denali-16.1.3 16.2(1.8) 16.1(2.61) 15.6(2)SP 15.6(2)S1 15.6(1)S2 15.5(3)S3a 15.5(3)S3 15.5(2)S4 15.5(1)S4 15.4(3)S6a 15.4(3)S6 15.3(3)S8a 15.3(3)S8 15.2(5)E 15.2(4)E3 15.2(3)E5 15.0(2)SQD3 15.0(1.9.2)SQD3 3.9(0)E.Show less
CVE-2017-6602 1Cisco 2Firepower Extensible Operating System Unified Computing System May 13, 2026 Apr 7, 2017 N/A· v4 4.4 MEDIUM· v3 3.6 LOW· v2 A vulnerability in the CLI of Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local att...Show more A vulnerability in the CLI of Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb66189 CSCvb86775. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1742) 92.1(1.1658) 2.1(1.38) 2.0(1.107) 2.0(1.87) 1.1(4.148) 1.1(4.138).Show less
CVE-2017-6601 1Cisco 2Firepower Extensible Operating System Unified Computing System May 13, 2026 Apr 7, 2017 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 A vulnerability in the CLI of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local...Show more A vulnerability in the CLI of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb61384 CSCvb86764. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1647).Show less
CVE-2017-6600 1Cisco 2Firepower Extensible Operating System Unified Computing System May 13, 2026 Apr 7, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability in the CLI of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local...Show more A vulnerability in the CLI of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb61351 CSCvb61637. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1645) 2.0(1.82) 1.1(4.136.Show less
CVE-2017-6597 1Cisco 2Firepower Extensible Operating System Unified Computing System May 13, 2026 Apr 7, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability in the local-mgmt CLI command of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an a...Show more A vulnerability in the local-mgmt CLI command of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb61394 CSCvb86816. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1658) 2.0(1.115).Show less
CVE-2016-10320 1Textract Project 1Textract May 13, 2026 Apr 6, 2017 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 textract before 1.5.0 allows OS Command Injection attacks via a filename in a call to the process function. This may be a remote attack if a web application accepts names of arbitrary uploaded files.
CVE-2017-6884 1Zyxel 1Emg2926 Firmware Apr 21, 2026 Apr 6, 2017 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user...Show more A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.Show less
CVE-2016-9091 1Bluecoat 2Advanced Secure Gateway Content Analysis System Software May 13, 2026 Apr 5, 2017 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execu...Show more Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges.Show less
CVE-2017-7414 1Horde 1Groupware May 13, 2026 Apr 4, 2017 N/A· v4 7.5 HIGH· v3 5.1 MEDIUM· v2 In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP s...Show more In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it.Show less

Previous 1...281282283...295 Next