Skip to main content

OS Command Injection

web CRITICAL

OS command injection occurs when an application passes unsanitized user input directly into system shell commands.

How It Works

OS command injection occurs when an application passes unsanitized user input directly into system shell commands. Instead of treating input as pure data, the shell interprets special characters as command separators or modifiers, allowing attackers to append arbitrary commands. Common injection points include system(), exec(), popen(), and backtick operators in languages like PHP, Python, and Ruby.

Attackers exploit shell metacharacters to break out of the intended command context. On both Unix and Windows, semicolons (;), pipes (|), and logical operators (&&, ||) chain multiple commands. Unix shells additionally interpret backticks and $() for command substitution, while newlines can also separate statements. For example, if an application executes ping -c 4 $USER_IP, an attacker supplying 8.8.8.8; cat /etc/passwd causes the server to run two commands sequentially.

Attacks manifest in three variants. Visible injection returns command output in the HTTP response, giving immediate feedback. Blind injection produces no direct output, requiring time-based detection (using sleep or timeout commands) or out-of-band confirmation via DNS lookups or HTTP callbacks to attacker-controlled servers. Attackers can also redirect output to web-accessible files for later retrieval.

Impact

  • Complete server compromise — execute any command with the application's privileges, often www-data or root
  • Lateral movement — scan internal networks, pivot to backend systems unreachable from the internet
  • Data exfiltration — dump databases, read configuration files containing credentials, access sensitive business data
  • Persistence mechanisms — install cron jobs, add SSH keys, deploy web shells for continued access
  • Denial of service — crash services, fill disk space, consume CPU resources
  • Supply chain attacks — modify application code or deployment artifacts to compromise downstream users

Real-World Examples

The Ivanti Cloud Service Appliance suffered CVE-2024-8190, where command injection in the administrative interface allowed unauthenticated attackers to execute arbitrary OS commands. CISA added it to the Known Exploited Vulnerabilities catalog after observing active exploitation against enterprise networks.

GitLab experienced multiple command injection vulnerabilities over the years, including issues in repository import functionality where Git URLs containing shell metacharacters were passed unsanitized to system commands, enabling remote code execution on self-hosted instances.

Network equipment frequently contains these flaws. Various Netgear routers have exhibited command injection in ping diagnostic tools, where user-supplied IP addresses were concatenated directly into shell commands without validation, granting attackers complete device control.

Mitigation

  • Eliminate OS commands entirely — use native language libraries (filesystem APIs, network functions) instead of shelling out
  • Strict input allowlisting — permit only exact matches against predefined values; validate format with regex before any processing
  • Parameterized execution APIs — use execve() or language equivalents that pass arguments as arrays, bypassing the shell interpreter completely
  • Principle of least privilege — run application processes with minimal permissions to limit compromise impact
  • Input validation — enforce expected patterns (IP addresses, alphanumeric IDs) but never rely on blacklisting metacharacters

Recent CVEs (7746)

EPSS 0% CVSS 7.8
HIGH PATCH This Week

NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service. [CVSS 7.8 HIGH]

Linux Industrial Denial Of Service +3
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Arbitrary command execution in the VSCode Spring CLI extension allows local users with interactive access to execute arbitrary commands on their machine through unsanitized input. An attacker with local access could exploit this to compromise the affected system, though no patch is currently available.

Spring Command Injection
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Webgrind 1.1 has unauthenticated command injection via the dataFile parameter in index.php. The profiling tool executes OS commands directly from URL parameters. PoC available.

PHP Command Injection Webgrind
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. [CVSS 8.8 HIGH]

Golang RCE Command Injection
NVD Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM This Month

A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. [CVSS 6.5 MEDIUM]

Command Injection Arubaos
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. [CVSS 7.2 HIGH]

Command Injection Arubaos
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. [CVSS 7.2 HIGH]

Command Injection Arubaos
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. [CVSS 7.2 HIGH]

Command Injection Arubaos
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Arbitrary code execution in Adobe Dreamweaver 21.6 and earlier via OS command injection allows attackers to execute arbitrary commands on affected systems when a victim opens a malicious file. The vulnerability requires local access and user interaction but impacts all confidentiality, integrity, and availability of the system. No patch is currently available.

Command Injection Dreamweaver
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Fortinet FortiSIEM (6.7.0 through 7.4.0) has OS command injection via crafted TCP requests. As a SIEM, compromise gives attackers access to all security logs and the ability to suppress alerts. PoC available.

Fortinet Command Injection Fortisiem
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

NETGEAR XR1000v2 routers are vulnerable to OS command injection through inadequate input validation, enabling attackers with LAN access to execute arbitrary commands with elevated privileges. The vulnerability affects authenticated users on the local network and could allow complete router compromise including data interception and network manipulation. A patch is available.

Netgear Command Injection Xr1000v2 Firmware
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Authenticated attackers on the same network can execute arbitrary OS commands on NETGEAR Orbi routers (RBS860, RBR850, RBSE950) through improper validation of DHCPv6 input. The vulnerability requires local or WiFi network access but no user interaction, giving attackers full system compromise capabilities on affected devices. A patch is available for this high-severity flaw.

Netgear Command Injection Rbs860 Firmware +11
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

NETGEAR Orbi routers (RBS850, RBE970, RBS750) are vulnerable to OS command injection through inadequate input validation, enabling attackers on the local network to execute arbitrary commands with elevated privileges. The vulnerability requires LAN access and low privileges but provides complete system compromise through high-impact code execution capabilities. A patch is available for affected firmware versions.

Netgear Command Injection Rbs850 Firmware +9
NVD
EPSS 1%
Monitor

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Vivotek Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 (Firmware modules) allows OS Command Injection.This issue affects Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391,FE9180,FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371,IB9381, IB9387, IB9389, IB939,IP9165,IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330: 0100a, 0106a, 0106b, 0107a, 0107b_1, 0109a, 0112a, 0113a, 0113d, 0117b, 0119e, 0120b, 0121, 0121d, 0121d_48573_1, 0122e, 0124d_48573_1, 012501, 012502, 0125c.

Command Injection
NVD
EPSS 0% CVSS 8.4
HIGH This Week

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters [CVSS 8.4 HIGH]

RCE Command Injection Multi Tenant Hypervisor +3
NVD
EPSS 0% CVSS 8.4
HIGH This Week

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters [CVSS 8.4 HIGH]

RCE Command Injection Ecs Connection Manager +4
NVD
EPSS 1% CVSS 8.4
HIGH This Week

SAP Application Server for ABAP and NetWeaver RFCSDK contain an OS command injection vulnerability that allows authenticated administrators with adjacent network access to execute arbitrary system commands by uploading malicious content. Successful exploitation results in complete system compromise affecting confidentiality, integrity, and availability. No patch is currently available.

SAP Command Injection
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

SAP Wily Introscope Enterprise Manager uses a vulnerable third-party component that allows unauthenticated attackers to create malicious JNLP files at public URLs. Victims who click these URLs execute OS commands on their machines. Scope change. Patch available.

SAP Java Command Injection +1
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

SAP S/4HANA (Private Cloud and On-Premise) has the same backdoor vulnerability as CVE-2026-0491 – admin-exploitable ABAP/OS command injection via RFC function module. Patch available.

SAP Command Injection
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

SAP Landscape Transformation has an admin-exploitable backdoor via RFC function module that allows injection of arbitrary ABAP code and OS commands, bypassing authorization checks. Scope change enables full SAP system compromise.

SAP Command Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

orval (TypeScript API client generator) before 7.18.0 has code injection via OpenAPI specification summary fields in MCP server generation. Malicious API specs can inject arbitrary code into generated TypeScript. PoC available, patch available.

Command Injection RCE Orval
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

TinyWeb HTTP Server before 1.98 has OS command injection via CGI ISINDEX query parameters. The query string is passed as command-line arguments to CGI executables through Windows CreateProcess(), allowing unauthenticated RCE. Patch available.

Windows Command Injection Tinyweb
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Merit LILIN IP Camera models contain an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands on affected devices with high privileges. The vulnerability requires valid credentials but no user interaction, enabling complete compromise of device confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Command Injection
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Merit LILIN DVR/NVR devices allow authenticated remote attackers to execute arbitrary operating system commands through command injection, enabling complete system compromise. An attacker with valid credentials can bypass application controls and gain full control over the affected device without user interaction. No patch is currently available for this vulnerability, leaving deployed systems at significant risk.

Command Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Broadcom DX NetOps Spectrum (23.3.6 and earlier) has unauthenticated OS command injection on both Windows and Linux platforms. As a network management system, compromise gives attackers visibility and control over the entire monitored infrastructure.

Broadcom Linux Windows +2
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Operation And Maintenance Security Management System versions up to 3.0.8. is affected by command injection (CVSS 7.3).

Command Injection Operation And Maintenance Security Management System
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

WeKnora LLM framework (before 0.2.5) allows authenticated users to inject MCP stdio commands that the server executes as subprocesses. PoC available, patch available.

Command Injection AI / ML Weknora +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary command execution in OpenProject versions 16.6.1 and below allows authenticated administrators to execute system commands by manipulating the sendmail binary path configuration and triggering a test email function. An admin-level attacker can leverage this to achieve full system compromise with high impact on confidentiality, integrity, and availability. No patch is currently available, and exploitation requires high privileges but no user interaction.

Command Injection RCE Openproject
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Sangfor O&M Management System (through 3.0.8) has a second command injection in /isomp-protocol/protocol/getCmd, also via sessionPath. Public exploit with higher EPSS (1.2%) than the first vulnerability.

Command Injection Operation And Maintenance Security Management System
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Sangfor Operation and Maintenance Management System (through 3.0.8) has OS command injection in /isomp-protocol/protocol/getHis via the sessionPath parameter. Public exploit available, vendor unresponsive.

Command Injection Operation And Maintenance Management System
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Operation And Maintenance Management System versions up to 3.0.8. is affected by command injection (CVSS 8.8).

Java Command Injection Operation And Maintenance Management System
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Kiro IDE versions before 0.6.18 are vulnerable to command injection when processing maliciously named workspace folders in the GitLab Merge-Request helper, allowing local attackers with user interaction to execute arbitrary commands with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user interaction to open a crafted workspace, but no patch is currently available and exploitation requires minimal complexity. Users should restrict workspace access and avoid opening untrusted workspace folders until an update is released.

Gitlab Command Injection
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A DLL hijacking vulnerability in Axtion ODISSAAS ODIS v1.8.4 allows attackers to execute arbitrary code via a crafted DLL file. [CVSS 6.5 MEDIUM]

Command Injection RCE Odis
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

EDIMAX BR-6208AC V2 router allows command injection through the pppUserName field via system() without sanitization. PoC available.

Command Injection Br 6208ac Firmware RCE
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

D-Link DIR-895L router has command injection in the DHCP daemon via the hostname parameter during lease renewal. Any device requesting a DHCP lease with a malicious hostname achieves root code execution on the router. PoC available.

D-Link Command Injection Dir 895la1 Firmware
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. [CVSS 6.5 MEDIUM]

Command Injection Data Domain Operating System
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. [CVSS 6.0 MEDIUM]

Command Injection Data Domain Operating System
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. [CVSS 7.2 HIGH]

Command Injection Ip7137 Firmware
NVD
EPSS 0% CVSS 8.6
HIGH This Week

This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device. [CVSS 8.6 HIGH]

Command Injection Tcis 3 Firmware
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.

Command Injection RCE IoT +1
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in D-Link DI-8200G firmware version 17.12.20A1 via the /upgrade_filter.asp path parameter allows authenticated remote attackers to execute arbitrary commands. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid credentials but no user interaction.

D-Link Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

enaio document management AppConnector (multiple versions) has SMTP command injection via the /osrest/api/organization/s endpoint. Authenticated attackers can inject arbitrary SMTP commands, potentially sending spam or phishing emails through the organization's mail server. PoC available.

Command Injection Enaio
NVD
EPSS 0% CVSS 8.1
HIGH POC This Week

A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. [CVSS 8.1 HIGH]

Command Injection Gl Axt1800 Firmware
NVD
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

Arbitrary command execution in Greenshot 1.3.310 and earlier stems from insufficient input validation in filename processing, where unsanitized user-supplied filenames are passed directly to shell commands. An attacker can exploit this through a malicious filename containing shell metacharacters to achieve local code execution with user privileges. Public exploit code exists for this vulnerability; users should upgrade to version 1.3.311 or later.

Windows Command Injection Greenshot
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. [CVSS 8.8 HIGH]

Command Injection
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. [CVSS 9.8 CRITICAL]

PHP Command Injection
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

FLIR Thermal Camera FC-S/PT firmware version 8.0.0.64 contains an authenticated OS command injection vulnerability that allows attackers to execute shell commands with root privileges. [CVSS 8.8 HIGH]

Command Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

{VAR} substitution inside .npmrc tokenHelper settings combined with spawnSync invoked with shell: true. The bug primarily threatens CI/CD build environments where untrusted inputs may flow into env vars or .npmrc files, and publicly available exploit code exists, though it is not listed in CISA KEV and EPSS is very low at 0.08%.

RCE Command Injection Pnpm
NVD GitHub VulDB
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

terminal-controller-mcp 0.1.7, an MCP (Model Context Protocol) server for terminal control, has command injection in execute_command that allows arbitrary command execution. Maximum CVSS 10.0 with scope change – compromising the MCP server grants control over all connected AI agents.

Command Injection Terminal Controller Mcp
NVD GitHub
EPSS 11% CVSS 6.5
MEDIUM POC THREAT This Month

A command injection vulnerability in the shell_exec function of sonirico mcp-shell v0.3.1 allows attackers to execute arbitrary commands via supplying a crafted command string. [CVSS 6.5 MEDIUM]

Command Injection Mcp Shell
NVD GitHub
EPSS 1%
This Week

Kieback&Peter Neutrino-GLT product is used for building management. It's web component "SM70 PHWEB" is vulnerable to shell command injection via login form.

Command Injection
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL  of the file uapply.cgi of the component httpd . [CVSS 7.2 HIGH]

Command Injection Tew 811dru Firmware
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

TRENDnet TEW-713RE WiFi range extender (v1.02) has OS command injection in /goformX/formFSrvX via the SZCMD parameter. Public exploit available, vendor unresponsive. The device likely will not receive a patch.

Command Injection Tew 713re Firmware
NVD VulDB
EPSS 3% CVSS 2.1
LOW POC Monitor

Command injection in TOTOLINK WA300 firmware (version 5.2cu.7112_B20190227 and earlier) allows authenticated remote attackers to execute arbitrary commands through a malformed UPLOAD_FILENAME parameter in the cstecgi.cgi function. Public exploit code exists for this vulnerability, and no patch is currently available.

Command Injection Wa300 Firmware
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as root. [CVSS 8.8 HIGH]

Command Injection
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. [CVSS 8.8 HIGH]

Command Injection Coolify
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Passy v1.6.3 password manager allows authenticated administrators to execute arbitrary OS commands via crafted HTTP requests. The scope change from application to OS makes this critical despite requiring high privileges.

Command Injection RCE Passy
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC Act Now

Coolify, a self-hosted server management platform, allows authenticated users to inject OS commands through the Git Repository field during project creation. A regular member can achieve root-level code execution on the Coolify host with scope change. PoC available.

Command Injection Coolify
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. [CVSS 7.2 HIGH]

Command Injection Centreon Web
NVD GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Ac1206 Firmware versions up to 15.03.06.23 contains a vulnerability that allows attackers to command injection (CVSS 6.3).

Command Injection Tenda
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection.This issue affects Multi-Stack Controller (MSC): before 2.5.1. [CVSS 8.8 HIGH]

Command Injection Nplatform
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1. [CVSS 8.8 HIGH]

Command Injection Nplatform
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in the SSDP Request Handler (ssdpcgi_main function) of D-Link DIR-806A firmware 100CNb11 allows remote authenticated attackers to execute arbitrary commands with low integrity and availability impact. Publicly available exploit code exists, but the vulnerability affects only end-of-life firmware with minimal real-world exploitation probability (EPSS 0.11%) due to low privilege requirements and limited scope of impact.

Command Injection D-Link Dir 806A Firmware
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been made public and could be used.

Command Injection D-Link Di 7400G Firmware
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Command injection in Serverless Framework versions 4.29.0 through 4.29.2 allows remote code execution through the experimental MCP server feature (@serverless/mcp package). Attackers can inject arbitrary shell commands via unsanitized input parameters passed to child_process.exec, achieving RCE under server process privileges. Publicly available exploit code exists (GHSA-rwc2-f344-q6w6). Impact is limited to less than 0.1% of users utilizing the experimental serverless mcp feature. EPSS probability is low at 0.05% (16th percentile).

Command Injection RCE Serverless
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in Edimax BR-6208AC 1.02/1.03. Affected by this vulnerability is the function formRoute of the file /gogorm/formRoute of the component Web-based Configuration Interface. The manipulation of the argument strIp/strMask/strGateway results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection Br 6208ac Firmware
NVD VulDB
EPSS 1% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in Edimax BR-6208AC 1.02/1.03. Affected is the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component Web-based Configuration Interface. The manipulation of the argument rootAPmac leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection Br 6208ac Firmware
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

A vulnerability was found in Tenda W6-S 1.0.0.4(510). This affects the function TendaAte of the file /goform/ate of the component ATE Service. Performing a manipulation results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used.

Tenda Command Injection W6 S Firmware
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows authenticated remote attackers to execute arbitrary commands via the fota_url parameter in the /boafrm/formLtefotaUpgradeQuectel endpoint. Public exploit code is available, though EPSS exploitation probability remains low at 0.20% percentile, suggesting limited real-world exploitation despite proof-of-concept availability.

Command Injection D-Link Dwr M920 Firmware
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the file /boafrm/formLtefotaUpgradeFibocom. This manipulation of the argument fota_url causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.

Command Injection D-Link Dwr M920 Firmware
NVD GitHub VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

A vulnerability has been found in TRENDnet TEW-822DRE 1.00B21/1.01B06. This affects the function sub_43ACF4  of the file /boafrm/formWsc. Such manipulation of the argument peerPin leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection Tew 822Dre Firmware
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was identified in ZSPACE Z4Pro+ 1.0.0440024. The impacted element is the function zfilev2_api_CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.

Command Injection Z4Pro Firmware
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in ZSPACE Z4Pro+ 1.0.0440024 via the /v2/file/safe/open HTTP POST endpoint allows authenticated remote attackers to execute arbitrary commands with limited impact on confidentiality, integrity, and availability. The vulnerability affects the zfilev2_api_open function and has been publicly disclosed with exploit code available; however, the EPSS score of 0.38% (59th percentile) and CVSS scope constraint (SC:N) suggest limited real-world exploitation risk despite authenticated remote access capability.

Command Injection Z4Pro Firmware
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was found in ZSPACE Z4Pro+ 1.0.0440024. Impacted is the function zfilev2_api_SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation results in command injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.

Command Injection Z4Pro Firmware
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

Authenticated command injection in the Yealink SIP-T21P_E2 IP phone (firmware 52.84.0.15) lets a remote user with normal, non-administrative privileges execute arbitrary operating-system commands by sending a crafted request to the ping utility of the diagnostic component. Because the CVSS vector reports PR:L, exploitation requires only a low-privileged authenticated session, and publicly available exploit code exists, though the EPSS probability remains modest at 0.60% (44th percentile) and the flaw is not listed in CISA KEV. Successful exploitation yields full high-impact compromise of confidentiality, integrity, and availability on the device.

Command Injection RCE Sip T21 P E2 Firmware
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Command injection in JD Cloud BE6500 4.4.1.r4308 via the ddns_name parameter in the /jdcapi endpoint allows authenticated remote attackers to execute arbitrary commands with limited impact (low confidentiality, integrity, and availability). Public exploit code is available. The vendor has not responded to early disclosure notification, and no patch has been released.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was determined in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/CheckTools of the component HTTP Request Handler. Executing a manipulation of the argument ipaddress can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.

Tenda Command Injection Wh450 Firmware
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

An authenticated command injection vulnerability in Coolify's File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and has a publicly available proof-of-concept exploit, though current exploitation probability remains relatively low at 0.20% according to EPSS data. Attackers can achieve full remote code execution with root privileges on the host system by exploiting unsanitized input in the file_storage_directory_source parameter.

Command Injection RCE Coolify
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

An authenticated command injection vulnerability in Coolify's Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451, with a publicly available proof-of-concept exploit and moderate exploitation likelihood (EPSS 20%, percentile 41%). Attackers can achieve full remote code execution with root privileges by injecting shell commands through unescaped proxy configuration filenames.

Command Injection RCE Coolify
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available, and while not currently in CISA KEV, the vulnerability has a moderate EPSS score of 0.41% indicating some exploitation probability.

Command Injection PostgreSQL RCE +3
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

A command injection vulnerability in Coolify's Database Import functionality allows authenticated users with application/service management permissions to execute arbitrary system commands as root on managed servers. The vulnerability stems from unsanitized database names being passed directly to shell commands, enabling full remote code execution. A public proof-of-concept exploit is available, and with an EPSS score of 0.41% (61st percentile), this represents a moderate real-world exploitation risk for organizations using vulnerable Coolify versions.

Command Injection RCE Docker +2
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

A command injection vulnerability in Coolify's Database Backup functionality allows authenticated users with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and has a publicly available proof-of-concept exploit. With a CVSS score of 9.9 and confirmed exploitation code available, this represents a critical risk for organizations using Coolify to manage their infrastructure.

Command Injection RCE Coolify
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Command injection in DedeBIZ up to version 6.5.9 allows authenticated high-privilege administrators to execute arbitrary system commands via the /src/admin/catalog_add.php endpoint. The vulnerability requires high-privilege authentication (PR:H in CVSS v4.0) and has publicly available exploit code, but real-world risk is constrained by the authentication requirement and limited scope of impact (CVSS 2.0, EPSS 0.28%).

PHP Command Injection Dedebiz
NVD GitHub VulDB
EPSS 2% CVSS 2.1
LOW POC Monitor

OS command injection in TOTOLINK X5000R firmware 9.1.0cu.2089_B20211224 allows authenticated remote attackers to execute arbitrary system commands via the User parameter in the /cgi-bin/cstecgi.cgi exportOvpn function. The vulnerability requires valid login credentials but results in complete system compromise once authenticated. Public exploit code is available, and the CVSS score of 2.1 significantly underrepresents the true risk due to the low-impact scoring parameters masking the severity of unauthenticated command execution in a network-accessible management interface.

Command Injection X5000r Firmware
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

A command injection vulnerability in gardenctl allows attackers with administrative privileges in a Gardener project to inject malicious commands through crafted credential values when non-POSIX shells (Fish, PowerShell) are used by service operators. The vulnerability affects gardenctl versions 2.11.0 and below, enabling attackers to break out of string contexts and execute arbitrary commands with potentially high impact on confidentiality, integrity, and availability. With an EPSS score of only 0.06% and no known exploitation in the wild or public POC, this represents a lower real-world risk despite the high CVSS score of 8.4.

Command Injection Privilege Escalation Gardenctl +1
NVD GitHub VulDB
EPSS 1% CVSS 1.3
LOW Monitor

Command injection in EFM ipTIME A3004T firmware version 14.19.0 allows authenticated remote attackers to execute arbitrary commands via malformed input to the aaksjdkfj parameter in the show_debug_screen function of /sess-bin/timepro.cgi. Public exploit code is available, but the vulnerability has a high attack complexity requirement and the vendor has not issued a patch despite early disclosure notification.

Command Injection
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

A critical command injection vulnerability exists in the Cybersecurity AI (CAI) framework versions 0.5.9 and below, allowing attackers to execute arbitrary commands through unsanitized SSH parameters (username, host, port) in the run_ssh_command_with_credentials() function accessible to AI agents. The vulnerability has a publicly available proof-of-concept exploit and enables remote code execution with potential for complete system compromise, though real-world exploitation probability remains relatively low at 0.12% EPSS score despite the high CVSS rating of 9.6.

Command Injection SSH AI / ML +2
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

OS command injection in OpenMPTCProuter through version 0.64 lets attackers write arbitrary files or execute arbitrary commands via the create_xor_ipad_opad function in the sysupgrade helper (common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c). Publicly available exploit code exists (published as a GitHub gist), and a vendor fix is available as an upstream commit; the flaw is not listed in CISA KEV and carries a modest EPSS of 0.59% (44th percentile), indicating no confirmed active exploitation at time of analysis. The submitted CVSS of 9.8 assumes remote unauthenticated access, but because the vulnerable code path is a firmware-upgrade helper, real-world exploitation likely depends on access to the router's upgrade functionality — verify against your deployment.

Command Injection Openmptcprouter
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

Authenticated OS command injection in Fortinet FortiSandbox (versions 5.0.0-5.0.2, 4.4.0-4.4.7, all 4.2.x, all 4.0.x) and FortiSandbox Cloud (24.1 and all 23.x) allows a high-privileged remote attacker to execute arbitrary commands by sending crafted HTTP/HTTPS requests to the management interface. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV, but the breadth of affected major versions and the network-reachable attack surface make this a notable post-authentication risk for security appliance operators.

Command Injection Fortinet Fortisandbox +1
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-site request forgery in Panilux versions before 0.10.0 can be chained to command injection, allowing remote attackers to execute arbitrary operating system commands when an authenticated user is tricked into visiting a malicious page. The CVSS 9.6 (AV:N/AC:L/PR:N/UI:R/S:C) reflects scope change and full CIA impact, though exploitation requires user interaction and the affected vendor has denied ownership of the product, complicating disclosure. EPSS is very low at 0.04% (11th percentile) and no public exploit is identified at time of analysis.

CSRF Command Injection
NVD VulDB
Prev Page 18 of 87 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
7746

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy