OS Command Injection
OS command injection occurs when an application passes unsanitized user input directly into system shell commands.
How It Works
OS command injection occurs when an application passes unsanitized user input directly into system shell commands. Instead of treating input as pure data, the shell interprets special characters as command separators or modifiers, allowing attackers to append arbitrary commands. Common injection points include system(), exec(), popen(), and backtick operators in languages like PHP, Python, and Ruby.
Attackers exploit shell metacharacters to break out of the intended command context. On both Unix and Windows, semicolons (;), pipes (|), and logical operators (&&, ||) chain multiple commands. Unix shells additionally interpret backticks and $() for command substitution, while newlines can also separate statements. For example, if an application executes ping -c 4 $USER_IP, an attacker supplying 8.8.8.8; cat /etc/passwd causes the server to run two commands sequentially.
Attacks manifest in three variants. Visible injection returns command output in the HTTP response, giving immediate feedback. Blind injection produces no direct output, requiring time-based detection (using sleep or timeout commands) or out-of-band confirmation via DNS lookups or HTTP callbacks to attacker-controlled servers. Attackers can also redirect output to web-accessible files for later retrieval.
Impact
- Complete server compromise — execute any command with the application's privileges, often www-data or root
- Lateral movement — scan internal networks, pivot to backend systems unreachable from the internet
- Data exfiltration — dump databases, read configuration files containing credentials, access sensitive business data
- Persistence mechanisms — install cron jobs, add SSH keys, deploy web shells for continued access
- Denial of service — crash services, fill disk space, consume CPU resources
- Supply chain attacks — modify application code or deployment artifacts to compromise downstream users
Real-World Examples
The Ivanti Cloud Service Appliance suffered CVE-2024-8190, where command injection in the administrative interface allowed unauthenticated attackers to execute arbitrary OS commands. CISA added it to the Known Exploited Vulnerabilities catalog after observing active exploitation against enterprise networks.
GitLab experienced multiple command injection vulnerabilities over the years, including issues in repository import functionality where Git URLs containing shell metacharacters were passed unsanitized to system commands, enabling remote code execution on self-hosted instances.
Network equipment frequently contains these flaws. Various Netgear routers have exhibited command injection in ping diagnostic tools, where user-supplied IP addresses were concatenated directly into shell commands without validation, granting attackers complete device control.
Mitigation
- Eliminate OS commands entirely — use native language libraries (filesystem APIs, network functions) instead of shelling out
- Strict input allowlisting — permit only exact matches against predefined values; validate format with regex before any processing
- Parameterized execution APIs — use
execve()or language equivalents that pass arguments as arrays, bypassing the shell interpreter completely - Principle of least privilege — run application processes with minimal permissions to limit compromise impact
- Input validation — enforce expected patterns (IP addresses, alphanumeric IDs) but never rely on blacklisting metacharacters
Recent CVEs (7746)
A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /tmp/new_qos.rule. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `librcm.so` binaries. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /var/system/linux_vlan_reinit. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability in the REST API of Cisco Catalyst Center could allow an authenticated, remote attacker to execute arbitrary commands in a restricted container as the root user. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An unauthenticated command injection vulnerability exists in the Start_EPI function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). Rated medium severity (CVSS 5.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An unauthenticated command injection vulnerability exists in the ToToLink LR1200GB Router firmware V9.1.0u.6619_B20230130 within the cstecgi.cgi binary (sub_41EC68 function). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the sysconf binary, specifically in the sub_40BFA4 function that handles network interface. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 10.3%.
A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the cloudupdate_check binary, specifically in the sub_402414 function that handles cloud. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code CoPilot Chat Extension allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code locally. Rated medium severity (CVSS 6.7). No vendor patch available.
An issue in Agnitum Outpost Security Suite 7.5.3 (3942.608.1810) and 7.6 (3984.693.1842) allows a local attacker to execute arbitrary code via the lock function. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection vulnerability due to the improper configuration in the execute program action. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
Due to an OS Command Injection vulnerability in SAP Business Connector, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera firmware v33.53.87 contains a code execution vulnerability in its boot/update logic: during startup /usr/sbin/anyka_service.sh scans mounted TF/SD. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was determined in Sangfor Operation and Maintenance Security Management System 3.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
FreePBX Endpoint Manager contains a post-authentication command injection via the testconnection/check_ssh_connect function, allowing authenticated users to execute OS commands.
CLUSTERPRO X for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2 and EXPRESSCLUSTER X for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2, CLUSTERPRO X SingleServerSafe for Linux 4.0, 4.1, 4.2, 5.0, 5.1 and 5.2,. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
evernote-mcp-server openBrowser Command Injection Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Advantech WebAccess/VPN versions prior to 1.1.5 contain a command injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated system administrator to execute. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated attackers to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 13.2% and no vendor patch available.
PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Dell CloudLink, versions prior 8.1.1, contain a Command Injection vulnerability which can be exploited by an Authenticated attacker to cause Command Injection on an affected Dell CloudLink. Rated medium severity (CVSS 5.3). No vendor patch available.
Dell CloudLink, versions prior to 8.2, contain a vulnerability where a privileged user with known password can run command injection from console to gain shell access of system. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.
Dell CloudLink, versions 8.0 through 8.1.2, contain vulnerability on restricted shell. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dell CloudLink, versions prior to 8.2, contain a vulnerability where a privileged user with known password can run command injection to gain control of system. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.
OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in Red Hat Satellite (Foreman component). Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.
Cursor is a code editor built for programming with AI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cursor is a code editor built for programming with AI. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
React Native Metro Development Server binds to external interfaces by default and contains an OS command injection endpoint, allowing unauthenticated network attackers to execute arbitrary code.
An issue in NetSurf v.3.11 allows a remote attacker to execute arbitrary code via the dom_node_normalize function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command injection in D-Link DI-7001 MINI firmware versions 19.09.19A1 and 24.04.18B1 allows authenticated remote attackers to execute arbitrary commands via the cmd parameter in /msp_info.htm. The vulnerability has a public exploit available, though the extremely low CVSS score (2.1) and EPSS percentile (24th) indicate limited real-world exploitability despite network accessibility, as exploitation requires valid login credentials and results in low-impact information disclosure rather than system compromise.
OS command injection in D-Link DAP-2695 firmware 2.00RC13 allows high-privileged remote attackers to execute arbitrary commands through the Firmware Update Handler function sub_4174B0. The vulnerability carries a low real-world risk despite network-accessible attack vector due to requiring administrative credentials (PR:H) and affecting only end-of-life hardware. Publicly available exploit code exists, though EPSS exploitation probability remains minimal at 0.09th percentile.
OS command injection in Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5) allows authenticated attackers on adjacent networks to execute arbitrary system commands with high privileges, leading to complete device compromise. The vulnerability requires low attack complexity and low privileges, with exploitation probability at 0.28% (EPSS), indicating moderate real-world risk. No public exploit identified at time of analysis, but the adjacent network requirement and low complexity make this readily exploitable in targeted attacks against time synchronization infrastructure.
OS command injection in Microchip TimeProvider 4100 Grandmaster allows authenticated adjacent network attackers to execute arbitrary system commands with elevated privileges on firmware versions prior to 2.5. The vulnerability requires low attack complexity and low privileges, enabling complete compromise of device confidentiality, integrity, and availability. EPSS exploitation probability is low (0.28%, 51st percentile) with no public exploit identified at time of analysis, though the straightforward attack vector presents significant risk to network time infrastructure in enterprise environments.
Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when 'ALLOW_BUILTIN_DEP' is enabled) lets a logged-in user break out of the nodevm sandbox by abusing the bundled Puppeteer and Playwright modules. Because a custom tool can specify an attacker-controlled browser binary path and launch parameters, executing that tool runs an arbitrary executable on the host outside the intended sandbox, yielding code execution in the host context. Publicly available exploit code exists; the flaw is not listed in CISA KEV, and it was mis-filed by the vendor as a duplicate of CVE-2025-26319 but is distinct.
Arbitrary file upload in Mingsoft MCMS v6.0.1 enables remote code execution on the underlying server by uploading a crafted file - likely a JSP web shell - to a reachable endpoint. The NVD-assigned CVSS score of 6.5 with C:L/I:L impact subscores is materially inconsistent with the stated code execution impact, and this discrepancy should be independently verified. No public exploit has been confirmed as actively exploited per CISA KEV, though a Gist-based reference in NVD data may represent a proof-of-concept; EPSS is low at 0.28% (20th percentile), suggesting no widespread scanning or exploitation observed at time of analysis.
Improper input neutralization in Palo Alto Networks PAN-OS management web interface allows authenticated high-privilege administrators to bypass system restrictions and execute arbitrary commands through command injection. The vulnerability affects PAN-OS across multiple versions (specific version ranges not independently confirmed from provided data), with a low EPSS exploitation probability (0.06%, 17th percentile) and no confirmed active exploitation or public proof-of-concept. Risk is significantly reduced when CLI access is restricted to a limited administrator group; Cloud NGFW and Prisma Access are unaffected.
Command injection in Tenda AC7 firmware 15.03.06.44 via the /goform/AdvSetLanip endpoint allows authenticated remote attackers to execute arbitrary commands with low impact on confidentiality, integrity, and availability. The vulnerability requires valid login credentials (PR:L) and affects the lanIp parameter. Publicly available exploit code exists, and EPSS scoring of 0.39% indicates low real-world exploitation probability despite public POC availability.
OS command injection in the Curo UC300 (firmware 5.42.1.7.1.63R1) unified communications device lets an authenticated attacker with admin-panel access run arbitrary operating-system commands by injecting shell metacharacters into the "IP Addr" parameter. Successful exploitation yields full command execution on the underlying device (high confidentiality, integrity, and availability impact). A public GitHub repository referenced by NVD indicates publicly available exploit code exists, though the flaw is not listed in CISA KEV and its EPSS probability is modest (1.15%, 63rd percentile).
OS command injection in DesktopCommanderMCP up to version 0.2.13 allows authenticated remote attackers to execute arbitrary system commands via manipulation of the CommandManager function in src/command-manager.ts. The vulnerability has a low CVSS score (2.1) due to authentication requirement and limited scope, but publicly available exploit code exists and the low EPSS score (0.14th percentile) suggests real-world exploitation risk is minimal despite public POC availability.
OS command injection in DesktopCommanderMCP up to version 0.2.13 allows authenticated remote attackers to execute arbitrary operating system commands via the extractBaseCommand function in src/command-manager.ts when processing absolute file paths. The vulnerability requires authentication and has limited real-world impact scope, reflected in a low CVSS score of 2.1 and EPSS of 0.15%, though publicly available exploit code exists and the vendor acknowledges the issue remains unfixed pending real-world incident reports.
A weakness has been identified in D-Link DIR-852 up to 20251002. This affects an unknown part of the file /HNAP1/. Executing manipulation can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.
OS command injection in D-Link DI-7001 MINI firmware 24.04.18B1 allows authenticated remote attackers to execute arbitrary system commands via manipulation of the path argument in /upgrade_filter.asp. Public exploit code is available, though the CVSS 2.1 score and 0.07% EPSS percentile indicate limited real-world exploitation likelihood despite the vulnerability's remote network accessibility.
Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) lets a privileged remote user inject arbitrary operating-system commands that run outside the vulnerable component, yielding full device takeover, denial of service, privilege escalation, and disclosure of sensitive timing/configuration data. Because Network Time Servers act as an authoritative time source for entire environments, compromise can cascade into time-manipulation attacks against downstream systems (logging, certificates, Kerberos). This is no public exploit identified at time of analysis, though a third-party advisory (xdiv-sec) documents the flaw; EPSS is modest at 1.63% (73rd percentile).
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) lets an authenticated high-privileged operator inject shell commands into the appliance's underlying OS, escaping the management application to run arbitrary code as the device. Because the appliance is a hardened timing source, successful exploitation yields full compromise: code execution, denial of service, privilege escalation, and disclosure of sensitive data. No public exploit is identified at time of analysis, though a third-party research advisory (xdiv-sec) documents the finding; the EPSS score is moderate at 1.63% (73rd percentile) and the CVE is not on CISA KEV.
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) lets remote attackers inject shell commands that the appliance executes, enabling arbitrary code execution, denial of service, privilege escalation, and disclosure of sensitive data. The NVD CVSS 3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N) and a third-party technical advisory (xdiv-sec) has been published, but there is no public exploit identified at time of analysis and the flaw is not on CISA KEV. EPSS is modest at 1.20% (64th percentile), indicating no observed mass exploitation to date.
OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) lets remote attackers inject operating-system commands through the appliance's management interface, exposing sensitive information and, per the CVSS integrity rating, allowing manipulation of the device. The vendor-supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, score 8.2) indicates network-reachable, low-complexity exploitation, and an independent security-research advisory (xdiv-sec) documents the flaw. No public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS is 1.00% (59th percentile), signaling low measured exploitation activity so far.
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) lets remote attackers inject operating-system commands into the appliance, enabling arbitrary code execution, privilege escalation, disclosure of sensitive data, and disruption of the device's timing service. A third-party advisory (xdiv-sec) documents the issue, but no public exploit was identified at time of analysis and it is not listed in CISA KEV; EPSS is modest at 1.20% (64th percentile). Because this device supplies authoritative time to dependent infrastructure, compromise can cascade beyond the appliance itself.
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) lets remote attackers inject operating-system commands and extract sensitive information from the appliance. The flaw is reachable over the network without authentication per the published CVSS vector, and a third-party security advisory (xdiv-sec) documents the issue. No public exploit identified at time of analysis, and EPSS probability is low (1.00%, 59th percentile).
Authenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000, Ver 4.00) lets a low-privileged user inject OS commands that run on the underlying appliance, yielding arbitrary code execution, privilege escalation, information disclosure, and denial of service. The CVSS 3.1 vector (AV:N/AC:L/PR:L/S:C) shows a network-reachable, low-complexity flaw whose scope change lets a foothold on the management interface compromise the whole device. A third-party advisory (xdiv-sec) documents the issue; there is no public exploit identified and no CISA KEV listing at time of analysis, and EPSS is a modest 1.58% (73rd percentile).
Command injection in D-Link DI-7100G C1 firmware up to version 20250928 allows remote authenticated attackers to execute arbitrary commands via the iface parameter in the /msp_info.htm?flag=qos endpoint of the jhttpd component. The vulnerability requires high-level administrative privileges and publicly available exploit code exists, but EPSS score of 0.06% indicates exploitation is unlikely in real-world scenarios due to the privilege requirement.
Command injection in IdeaCMS up to version 1.8 allows high-privileged remote attackers to execute arbitrary system commands via manipulation of the 网站名称 (website name) parameter in the Website Name Handler component. The vulnerability exists in app/common/logic/admin/Config.php and requires high-privilege credentials but has publicly available exploit code and carries notable risk given the vendor's non-responsiveness to early disclosure.
Command injection in Belkin F9K1015 firmware 1.00.10 allows authenticated remote attackers to execute arbitrary commands via manipulation of the command argument in the /goform/mp endpoint. The vulnerability requires valid user credentials but offers minimal impact due to restricted capabilities (low confidentiality, integrity, and availability effects). Publicly available exploit code exists, though EPSS scoring (0.20%) indicates limited real-world exploitation probability despite public availability.
Command injection in Belkin F9K1015 firmware 1.00.10 allows authenticated remote attackers to execute arbitrary commands via manipulation of the m_wan_ipaddr parameter in the /goform/formSetWanStatic endpoint. The vulnerability has publicly available exploit code and has been disclosed despite vendor non-responsiveness. With a CVSS score of 2.1 and EPSS percentile of 42%, real-world risk is low due to authentication requirement and limited impact scope, though the public POC and command injection nature warrant monitoring.
Command injection in Belkin F9K1015 firmware 1.00.10 allows authenticated remote attackers to execute arbitrary commands via manipulation of the wan_ipaddr parameter in the /goform/formBSSetSitesurvey endpoint. The vulnerability requires valid credentials and has limited scope (low confidentiality, integrity, and availability impact on the vulnerable component), but publicly available exploit code exists and the vendor has not responded to disclosure efforts.
OS command injection in MCPHub up to version 0.9.10 allows authenticated remote attackers to execute arbitrary system commands via manipulation of command/args parameters in serverController.ts. The vulnerability has a low CVSS score (2.1) due to requirement for authenticated access and limited scope impact, but carries elevated real-world risk given publicly available exploit code and vendor non-responsiveness. EPSS score of 0.25% suggests limited current exploitation activity despite POC availability.
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious MCP server and return crafted, maliciously injected commands during the interaction process, leading to command injection and potential remote code execution. If chained with an untrusted MCP service via OAuth, this command injection vulnerability could allow arbitrary code execution on the host by the agent. This can then be used to directly compromise the system by executing malicious commands with full user privileges. This issue does not currently have a fixed release version, but there is a patch, 2025.09.17-25b418f.
MotionEye video surveillance software version 0.43.1b4 and earlier contains an authenticated OS command injection via configuration parameters such as image_file_name. Admin users can inject commands that execute when the Motion daemon restarts, achieving code execution on the surveillance server.
OS command injection in AndSoft e-TMS v25.03 transportation management system. One of 8+ critical command injection CVEs in the same product.
OS command injection in AndSoft e-TMS v25.03 transportation management system. One of 8+ critical command injection CVEs in the same product.
OS command injection in AndSoft e-TMS v25.03 transportation management system. One of 8+ critical command injection CVEs in the same product.
OS command injection in AndSoft e-TMS v25.03 transportation management system. One of 8+ critical command injection CVEs in the same product.
OS command injection in AndSoft e-TMS v25.03 transportation management system. One of 8+ critical command injection CVEs in the same product.
OS command injection in AndSoft e-TMS v25.03 transportation management system. One of 8+ critical command injection CVEs in the same product.
OS command injection in AndSoft e-TMS v25.03 transportation management system. One of 8+ critical command injection CVEs in the same product.
Discourse is an open-source community discussion platform. In versions 3.5.0 and below, malicious meta-commands could be embedded in a backup dump and executed during restore. In multisite setups, this allowed an admin of one site to access data or credentials from other sites. This issue is fixed in version 3.5.1.
Command injection in TOTOLINK X18 via mac parameter. EPSS 3.4%. PoC available.
Command injection in TOTOLINK X18 via agentName in setEasyMeshAgentCfg. EPSS 2.7%. PoC available.
The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
serverless-dns is a RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM InfoSphere 11.7.0.0 through 11.7.1.6 Information Server could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
VMware vCenter contains an SMTP header injection vulnerability. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OS Command injection vulnerability in PublicCMS PublicCMS-V5.202506.a, and PublicCMS-V5.202506.b allowing attackers to execute arbitrary commands via crafted DATABASE, USERNAME, or PASSWORD variables. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in Ruijie NBR2100G-E up to 20250919. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- web
- Total CVEs
- 7746