Skip to main content

OS Command Injection

web CRITICAL

OS command injection occurs when an application passes unsanitized user input directly into system shell commands.

How It Works

OS command injection occurs when an application passes unsanitized user input directly into system shell commands. Instead of treating input as pure data, the shell interprets special characters as command separators or modifiers, allowing attackers to append arbitrary commands. Common injection points include system(), exec(), popen(), and backtick operators in languages like PHP, Python, and Ruby.

Attackers exploit shell metacharacters to break out of the intended command context. On both Unix and Windows, semicolons (;), pipes (|), and logical operators (&&, ||) chain multiple commands. Unix shells additionally interpret backticks and $() for command substitution, while newlines can also separate statements. For example, if an application executes ping -c 4 $USER_IP, an attacker supplying 8.8.8.8; cat /etc/passwd causes the server to run two commands sequentially.

Attacks manifest in three variants. Visible injection returns command output in the HTTP response, giving immediate feedback. Blind injection produces no direct output, requiring time-based detection (using sleep or timeout commands) or out-of-band confirmation via DNS lookups or HTTP callbacks to attacker-controlled servers. Attackers can also redirect output to web-accessible files for later retrieval.

Impact

  • Complete server compromise — execute any command with the application's privileges, often www-data or root
  • Lateral movement — scan internal networks, pivot to backend systems unreachable from the internet
  • Data exfiltration — dump databases, read configuration files containing credentials, access sensitive business data
  • Persistence mechanisms — install cron jobs, add SSH keys, deploy web shells for continued access
  • Denial of service — crash services, fill disk space, consume CPU resources
  • Supply chain attacks — modify application code or deployment artifacts to compromise downstream users

Real-World Examples

The Ivanti Cloud Service Appliance suffered CVE-2024-8190, where command injection in the administrative interface allowed unauthenticated attackers to execute arbitrary OS commands. CISA added it to the Known Exploited Vulnerabilities catalog after observing active exploitation against enterprise networks.

GitLab experienced multiple command injection vulnerabilities over the years, including issues in repository import functionality where Git URLs containing shell metacharacters were passed unsanitized to system commands, enabling remote code execution on self-hosted instances.

Network equipment frequently contains these flaws. Various Netgear routers have exhibited command injection in ping diagnostic tools, where user-supplied IP addresses were concatenated directly into shell commands without validation, granting attackers complete device control.

Mitigation

  • Eliminate OS commands entirely — use native language libraries (filesystem APIs, network functions) instead of shelling out
  • Strict input allowlisting — permit only exact matches against predefined values; validate format with regex before any processing
  • Parameterized execution APIs — use execve() or language equivalents that pass arguments as arrays, bypassing the shell interpreter completely
  • Principle of least privilege — run application processes with minimal permissions to limit compromise impact
  • Input validation — enforce expected patterns (IP addresses, alphanumeric IDs) but never rely on blacklisting metacharacters

Recent CVEs (7746)

EPSS 0% CVSS 6.9
MEDIUM This Month

OS command injection vulnerability exists in CL4/6NX Plus and CL4/6NX-J Plus (Japan model) with the firmware versions prior to 1.15.5-r1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR libSystemLib Command injection Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 8.8
HIGH This Month

Kenwood DMX958XR ReadMVGImage Command Injection Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR libSystemLib Command Injection Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Kenwood DMX958XR Firmware Update Command Injection Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Dmx958Xr Firmware
NVD
EPSS 72% 5.7 CVSS 10.0
CRITICAL POC THREAT Emergency

The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 71.7%.

Command Injection PHP D-Link +2
NVD Exploit-DB
EPSS 61% 5.2 CVSS 9.3
CRITICAL POC THREAT Emergency

Narcissus is vulnerable to remote code execution via improper input handling in its image configuration workflow. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 60.7%.

Command Injection PHP RCE
NVD Exploit-DB
EPSS 47% 4.6 CVSS 8.6
HIGH POC THREAT Act Now

Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 46.6%.

Command Injection PHP RCE
NVD Exploit-DB
EPSS 54% 4.8 CVSS 8.6
HIGH POC THREAT Act Now

Netwin SurgeFTP version 23c8 and prior contains a vulnerability in its web-based administrative console that allows authenticated users to execute arbitrary system commands via crafted POST requests. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 53.7%.

Command Injection RCE
NVD Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Week

A lack of signature verification in the bootloader of DENX Software Engineering Das U-Boot (U-Boot) v1.1.3 allows attackers to install crafted firmware files, leading to arbitrary code execution. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE U Boot +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Week

A command injection vulnerability exists in TwistedWeb (version 14.0.0) due to improper input sanitization in the file upload functionality. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection File Upload RCE +1
NVD
EPSS 0% CVSS 7.4
HIGH This Month

Jointelli 5G CPE 21H01 firmware JY_21H01_A3_v1.36 devices allow (blind) OS command injection. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Command Injection
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Month

An issue was discovered on FIRSTNUM JC21A-04 devices through 2.01ME/FN that allows authenticated attackers to execute arbitrary OS system commands with root privileges via crafted payloads to the. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Command Injection
NVD GitHub
EPSS 74% 5.6 CVSS 9.3
CRITICAL POC THREAT Emergency

The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 74.3% and no vendor patch available.

Command Injection RCE
NVD GitHub
EPSS 1% CVSS 9.4
CRITICAL PATCH This Week

A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Apex One
NVD
EPSS 5% CVSS 9.4
CRITICAL KEV PATCH THREAT Act Now

Trend Micro Apex One on-premise management console allows pre-authenticated remote attackers to upload malicious code and execute commands, enabling complete server compromise.

Command Injection Apex One
NVD
EPSS 0% CVSS 8.7
HIGH POC PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Claude Code
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Month

Cursor is a code editor built for programming with AI. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection Cursor
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL This Week

An Improper Input Validation in certain UniFi Access devices could allow a Command Injection by a malicious actor with access to UniFi Access management network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Command Injection
NVD
EPSS 0% CVSS 7.5
HIGH This Month

An Improper Input Validation in EdgeMAX EdgeSwitch (Version 1.10.4 and earlier) could allow a Command Injection by a malicious actor with access to EdgeSwitch adjacent network. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Command Injection
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a command injection vulnerability via the pin parameter in the setWiFiWpsConfig function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection N600r Firmware
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL This Week

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL This Week

In RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build, OS command injection can occur via an IP address field provided by an authenticated user. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Ruckus Smartzone Firmware Ruckus Network Director
NVD
EPSS 0% CVSS 8.5
HIGH This Month

RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build allows OS command injection via a certain parameter in an API route. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection Ruckus Smartzone Firmware Ruckus Network Director
NVD
EPSS 0% CVSS 7.8
HIGH This Month

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.1.0.10, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Dell Command Injection Data Domain Operating System
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.1.0.10, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Dell Command Injection Data Domain Operating System
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.1.0.10, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Dell Command Injection Data Domain Operating System
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.1.0.10, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Dell Command Injection Data Domain Operating System
NVD
EPSS 0% CVSS 7.8
HIGH This Month

Dell Unity, version(s) 5.5 and prior, contain(s) an OS Command Injection Vulnerability in its svc_nas utility. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Dell Command Injection Unity Operating Environment
NVD
EPSS 0% CVSS 7.8
HIGH This Month

Dell Unity, version(s) 5.5 and prior, contain(s) an OS Command Injection Vulnerability in its svc_nfssupport utility. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Dell Command Injection Unity Operating Environment
NVD
EPSS 14% CVSS 7.3
HIGH POC THREAT Act Now

Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 14.3% and no vendor patch available.

Dell Command Injection Unity Operating Environment
NVD GitHub
EPSS 22% 4.0 CVSS 9.4
CRITICAL POC PATCH THREAT Act Now

Nest is a framework for building scalable Node.js server-side applications. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.1%.

Command Injection RCE Node.js +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Month

Cursor is a code editor built for programming with AI. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection RCE Cursor
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Cursor is a code editor built for programming with AI. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Information Disclosure Cursor
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Command Injection RCE 1panel +1
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Cursor is a code editor built for programming with AI. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection Cursor
NVD GitHub
EPSS 73% 5.4 CVSS 8.6
HIGH POC THREAT Act Now

An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN1000B model firmware versions 1.1.00.24 and 1.1.00.45) via the TimeToLive parameter in the setup.cgi. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 73.1%.

Netgear Command Injection Dgn1000B Firmware
NVD Exploit-DB
EPSS 61% 5.2 CVSS 9.4
CRITICAL POC THREAT Emergency

An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) firmware versions 1.0.0.36 and prior via the pppoe.cgi endpoint. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 61.0%.

Netgear Command Injection Dgn2200B Firmware
NVD Exploit-DB
EPSS 51% 4.7 CVSS 8.6
HIGH POC THREAT Act Now

An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 50.8%.

Command Injection D-Link Dir 615H Firmware
NVD Exploit-DB
EPSS 47% 4.6 CVSS 8.6
HIGH POC THREAT Act Now

An authenticated OS command injection vulnerability exists in various Linksys router models (tested on WRT160Nv2) running firmware version v2.0.03 via the apply.cgi endpoint. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 46.6%.

Command Injection Linksys RCE
NVD Exploit-DB
EPSS 60% 5.0 CVSS 8.7
HIGH POC THREAT Act Now

A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 59.6%.

Command Injection
NVD GitHub
EPSS 62% 5.1 CVSS 8.7
HIGH POC THREAT Act Now

An OS command injection vulnerability exists in multiple D-Link routers-confirmed on DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13)-via the authenticated tools_vct.xgi CGI endpoint. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 61.9%.

Command Injection D-Link
NVD Exploit-DB VulDB
EPSS 51% 4.9 CVSS 9.3
CRITICAL POC THREAT Emergency

An OS command injection vulnerability exists in multiple Raidsonic NAS devices-specifically tested on IB-NAS5220 and IB-NAS4220-via the unauthenticated timeHandler.cgi endpoint exposed through the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 51.4%.

Command Injection
NVD Exploit-DB
EPSS 60% 5.2 CVSS 9.3
CRITICAL POC THREAT Emergency

An OS command injection vulnerability exists in various legacy D-Link routers-including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)-due to improper input handling in the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 59.8%.

Command Injection PHP D-Link +2
NVD Exploit-DB
EPSS 0% CVSS 8.0
HIGH This Month

Alpine iLX-507 Command Injection Remote Code Execution. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Command Injection Path Traversal +1
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Alpine iLX-507 UPDM_wstpCBCUpdStart Command Injection Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Ilx 507 Firmware
NVD
EPSS 0% CVSS 7.3
HIGH This Month

Pearcleaner is a free, source-available and fair-code licensed mac app cleaner. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Command Injection
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Remote code execution in AVer PTC310UV2 conference camera firmware v.0.1.0000.59 is reachable by unauthenticated network attackers through command injection in the SendAction function. Unsanitized input passed to the SendAction API is processed directly as a system command, enabling full device compromise on any network-accessible unit. A public proof-of-concept exploit exists on GitHub, materially lowering the attack barrier despite a low EPSS exploitation probability of 0.97%; no active exploitation has been confirmed via CISA KEV.

Command Injection RCE Ptc310Uv2 Firmware
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Unauthenticated remote code execution in PrestaShop 8.2.0 is achievable via PHAR deserialization in the _getHeaders function, triggered through a crafted POST request. The publicly available proof-of-concept lowers the bar for exploitation against unpatched storefronts. No active KEV listing exists, but the network-accessible attack surface of e-commerce deployments and the confirmed exploit code make this a meaningful priority for PrestaShop 8.2.0 operators despite a low EPSS score of 0.77%.

Command Injection Deserialization RCE +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Remote code execution in PrestaShop 8.2.0 is achievable through a PHAR deserialization flaw in the theme import endpoint (/themes/import), where a crafted POST request containing a malicious PHP Archive triggers arbitrary code execution on the server. A publicly available proof-of-concept exploit exists on GitHub, lowering the technical barrier for skilled attackers. No active exploitation has been confirmed in CISA KEV, but the combination of a public POC and a targeted admin-facing endpoint warrants prompt remediation for any deployment on this version.

Command Injection Deserialization RCE +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Authenticated OS command injection in the PowerStick Wave Dual-Band Wifi Extender V1.0 lets a user with valid credentials run arbitrary commands as root via the /cgi-bin/cgi_vista.cgi endpoint. Because the device firmware runs its web management logic with root privileges, successful exploitation yields complete takeover of the extender. The single NVD reference is a public researcher gist that very likely contains proof-of-concept detail, though the flaw is not listed in CISA KEV and EPSS risk is modest (0.66%, 47th percentile).

Command Injection RCE
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. Affected by this issue is the function execute_DataObjectProc of the file /grid/vgrid_server.php of the component Web interface. Such manipulation of the argument xajaxargs leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 5.1.1 and 5.4.1 can resolve this issue. It is suggested to upgrade the affected component.

PHP Command Injection
NVD GitHub VulDB
EPSS 2% CVSS 10.0
CRITICAL Act Now

Unauthenticated remote code execution in SMG Software Information Portal versions prior to 13.06.2025 allows attackers to upload web shells and inject OS commands, achieving full server compromise with a maximum CVSS score of 10.0. The vulnerability was reported by Turkey's national CERT (USOM) and no public exploit identified at time of analysis, though the trivial attack complexity and network-accessible nature make it a critical priority for any organization running the affected product.

File Upload Command Injection
NVD VulDB
EPSS 3% CVSS 2.1
LOW POC Monitor

Command injection in TOTOLINK T6 firmware 4.1.5cu.748 allows authenticated remote attackers to execute arbitrary commands via the ckeckKeepAlive function in the MQTT Packet Handler component (wireless.so). The vulnerability requires valid user credentials and network access but results only in low confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the CVSS 2.1 score and EPSS 3.01% indicate low practical exploitation probability despite public disclosure.

Command Injection T6 Firmware
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in D-Link DIR-817L router firmware up to version 1.04B01 allows authenticated remote attackers to execute arbitrary system commands via the lxmldbc_system function in ssdpcgi, with publicly available exploit code disclosed and EPSS risk at 0.36% suggesting limited real-world exploitation despite network accessibility.

Command Injection D-Link Dir 817L Firmware
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Command injection in Eluktronics Control Center 5.23.51.41 allows local authenticated users to execute arbitrary PowerShell commands with elevated privileges through the AiStoneService component. The vulnerability has public exploit code available (CVSS E:P) and affects a PC hardware control software, enabling local privilege escalation. Vendor was notified but did not respond, leaving the vulnerability unpatched. EPSS data not available, but the local-only attack vector (AV:L) and authentication requirement (PR:L) limit widespread exploitation risk despite the critical CVSS 7.1 score.

Command Injection Control Center
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Command injection in D-Link DIR-816L firmware up to version 2.06B01 allows authenticated remote attackers to execute arbitrary system commands via the lxmldbc_system function in the Environment Variable Handler component. The vulnerability affects end-of-life hardware no longer receiving vendor support, with public exploit code available and low real-world exploitation probability despite network accessibility, limited only by requirement for valid authentication credentials.

Command Injection D-Link Dir 816L Firmware
NVD GitHub VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

OS command injection in Xuxueli xxl-job up to version 3.1.1 allows authenticated remote attackers to execute arbitrary operating system commands via the commandJobHandler function in SampleXxlJob.java. The vulnerability has a publicly available exploit and is rated critical by the discoverer, though the CVSS 4.0 score of 2.1 reflects limited scope (authenticated access required, low confidentiality/integrity/availability impact). With EPSS at 0.71% (72nd percentile), real-world exploitation probability is low despite public POC availability.

Command Injection Xxl Job
NVD GitHub VulDB
EPSS 0%
This Week

GitHub Kanban MCP Server is a Model Context Protocol (MCP) server for managing GitHub issues in Kanban board format and streamlining LLM task management. Version 0.3.0 of the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `add_comment` which relies on Node.js child process API `exec` to execute the GitHub (`gh`) command, is an unsafe and vulnerable API if concatenated with untrusted user input. As of time of publication, no known patches are available.

Node.js Command Injection
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM POC This Month

An arbitrary file upload vulnerability in the component /controller/PicManager.php of FoxCMS v1.2.6 allows attackers to execute arbitrary code via uploading a crafted template file.

File Upload PHP RCE +2
NVD GitHub
EPSS 2% CVSS 2.1
LOW POC Monitor

A vulnerability classified as critical was found in TOTOLINK T6 4.1.5cu.748. Affected by this vulnerability is the function clearPairCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
EPSS 2% CVSS 2.1
LOW POC Monitor

A vulnerability classified as critical has been found in TOTOLINK T6 4.1.5cu.748. Affected is the function delDevice of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ipAddr leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
EPSS 2% CVSS 2.1
LOW POC Monitor

A vulnerability was found in TOTOLINK T6 4.1.5cu.748. It has been rated as critical. This issue affects the function CloudSrvVersionCheck of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Command Injection
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

CVE-2025-50756 is a critical unauthenticated command injection vulnerability in the Wavlink WN535K3 router (firmware version 20191010) affecting the set_sys_adm function's newpass parameter. An unauthenticated remote attacker can execute arbitrary system commands with root privileges by sending a crafted request, enabling complete device compromise including data theft, malware installation, and lateral network movement. The CVSS 9.8 score reflects maximum severity; KEV status and active exploitation likelihood are elevated given the high exploitability characteristics (network-accessible, no authentication required, low attack complexity).

Command Injection Wn535k3 Firmware
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM This Month

A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16. It has been declared as critical. This vulnerability affects the function sendCommand of the file runcmd.sh. The manipulation of the argument cmd leads to command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The researcher highlights, that "[a]lthough this functionality is currently disabled due to server CGI configuration errors, it is essentially a 'time bomb' waiting to be activated". The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

CVE-2025-7451 is a critical OS Command Injection vulnerability in iSherlock (developed by Hgiga) that allows unauthenticated remote attackers to execute arbitrary operating system commands on vulnerable servers with no authentication required. The vulnerability has active in-the-wild exploitation, carries a maximum CVSS score of 9.8, and poses immediate risk to all exposed instances. Organizations running iSherlock must apply patches immediately.

Command Injection
NVD
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability classified as critical has been found in D-Link DIR-818LW up to 20191215. This affects an unknown part of the component System Time Page. The manipulation of the argument NTP Server leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection D-Link
NVD VulDB
Prev Page 24 of 87 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
7746

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy