Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,947)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2003-0041 3Mandrakesoft MitRedhat 4Kerberos Ftp Client LinuxMandrake Linux+1 more Apr 16, 2026 Feb 19, 2003 N/A· v4 N/A· v3 10.0 HIGH· v2 Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (\|) character in a filename that is retrieved by the client.
CVE-2002-1898 1Apple 1Terminal Apr 16, 2026 Dec 31, 2002 N/A· v4 N/A· v3 7.2 HIGH· v2 Terminal 1.3 in Apple Mac OS X 10.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a telnet:// link, which is executed by Terminal.app window.
CVE-2002-1660 1Jelsoft 1Vbulletin Apr 16, 2026 Dec 31, 2002 N/A· v4 N/A· v3 7.5 HIGH· v2 calendar.php in vBulletin before 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the command parameter.
CVE-2002-0061 1Apache 1Http Server Apr 16, 2026 Mar 21, 2002 N/A· v4 N/A· v3 7.5 HIGH· v2 Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a \| pipe character) provided as arguments to batch (.bat) or .cmd scripts, whi...Show more Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a \| pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.Show less
CVE-2001-1583 1Sun 1Sunos Apr 16, 2026 Dec 31, 2001 N/A· v4 N/A· v3 10.0 HIGH· v2 lpd daemon (in.lpd) in Solaris 8 and earlier allows remote attackers to execute arbitrary commands via a job request with a crafted control file that is not properly handled when lpd invokes a mail program. NOTE: this mi...Show more lpd daemon (in.lpd) in Solaris 8 and earlier allows remote attackers to execute arbitrary commands via a job request with a crafted control file that is not properly handled when lpd invokes a mail program. NOTE: this might be the same vulnerability as CVE-2000-1220.Show less
CVE-1999-0043 6Bsdi CalderaIsc+3 more 7Bsd Os Goah IntrasvGoah Networksv+4 more Apr 16, 2026 Dec 4, 1996 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.
CVE-1999-0067 2Apache Ncsa 2Http Server Ncsa Httpd Apr 16, 2026 Mar 20, 1996 N/A· v4 N/A· v3 10.0 HIGH· v2 phf CGI program allows remote command execution through shell metacharacters.

Previous 1...294 295 296 297298