Skip to main content

OS Command Injection

web CRITICAL

OS command injection occurs when an application passes unsanitized user input directly into system shell commands.

How It Works

OS command injection occurs when an application passes unsanitized user input directly into system shell commands. Instead of treating input as pure data, the shell interprets special characters as command separators or modifiers, allowing attackers to append arbitrary commands. Common injection points include system(), exec(), popen(), and backtick operators in languages like PHP, Python, and Ruby.

Attackers exploit shell metacharacters to break out of the intended command context. On both Unix and Windows, semicolons (;), pipes (|), and logical operators (&&, ||) chain multiple commands. Unix shells additionally interpret backticks and $() for command substitution, while newlines can also separate statements. For example, if an application executes ping -c 4 $USER_IP, an attacker supplying 8.8.8.8; cat /etc/passwd causes the server to run two commands sequentially.

Attacks manifest in three variants. Visible injection returns command output in the HTTP response, giving immediate feedback. Blind injection produces no direct output, requiring time-based detection (using sleep or timeout commands) or out-of-band confirmation via DNS lookups or HTTP callbacks to attacker-controlled servers. Attackers can also redirect output to web-accessible files for later retrieval.

Impact

  • Complete server compromise — execute any command with the application's privileges, often www-data or root
  • Lateral movement — scan internal networks, pivot to backend systems unreachable from the internet
  • Data exfiltration — dump databases, read configuration files containing credentials, access sensitive business data
  • Persistence mechanisms — install cron jobs, add SSH keys, deploy web shells for continued access
  • Denial of service — crash services, fill disk space, consume CPU resources
  • Supply chain attacks — modify application code or deployment artifacts to compromise downstream users

Real-World Examples

The Ivanti Cloud Service Appliance suffered CVE-2024-8190, where command injection in the administrative interface allowed unauthenticated attackers to execute arbitrary OS commands. CISA added it to the Known Exploited Vulnerabilities catalog after observing active exploitation against enterprise networks.

GitLab experienced multiple command injection vulnerabilities over the years, including issues in repository import functionality where Git URLs containing shell metacharacters were passed unsanitized to system commands, enabling remote code execution on self-hosted instances.

Network equipment frequently contains these flaws. Various Netgear routers have exhibited command injection in ping diagnostic tools, where user-supplied IP addresses were concatenated directly into shell commands without validation, granting attackers complete device control.

Mitigation

  • Eliminate OS commands entirely — use native language libraries (filesystem APIs, network functions) instead of shelling out
  • Strict input allowlisting — permit only exact matches against predefined values; validate format with regex before any processing
  • Parameterized execution APIs — use execve() or language equivalents that pass arguments as arrays, bypassing the shell interpreter completely
  • Principle of least privilege — run application processes with minimal permissions to limit compromise impact
  • Input validation — enforce expected patterns (IP addresses, alphanumeric IDs) but never rely on blacklisting metacharacters

Recent CVEs (7742)

EPSS 0% CVSS 9.9
CRITICAL Act Now

Authenticated command injection in Dokploy 0.26.6 and earlier enables any logged-in user to run arbitrary OS commands as root via the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated into shell commands without validation, yielding a CVSS 9.9 (Scope:Changed) issue affecting this self-hosted PaaS. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Docker Command Injection
NVD GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in TRENDnet TEW-432BRP firmware 3.10B20 allows a low-privileged, network-based attacker to execute arbitrary OS commands on the device by manipulating the peerPin argument submitted to the formWPS CGI handler at /goform/formWPS. A public proof-of-concept exploit is available on GitHub, confirmed by the E:P modifier in the CVSS 4.0 vector. No patch has been or will ever be released - the vendor explicitly confirmed this router reached end-of-life in 2009, making permanent device replacement the only viable remediation.

Command Injection Tew 432Brp
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in TRENDnet TEW-432BRP firmware 3.10B20 allows network-reachable authenticated attackers to execute arbitrary OS commands by injecting shell metacharacters into the ip, mask, or gateway parameters of the formSetRoute CGI handler at /goform/formSetRoute. A public proof-of-concept exploit has been disclosed on GitHub. No patch will ever be released - TRENDnet has explicitly confirmed the device reached end-of-life in 2009 and is unable to replicate or remediate the vulnerability, making permanent residual risk the defining characteristic of this CVE.

Command Injection Tew 432Brp
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

OS command injection in Waterfall WF-500 RX Host version 7.9.1.0 R2502171040 allows an attacker who already controls the TX Host to execute arbitrary commands on the RX Host when a MySQL connector is configured on the unidirectional gateway. The flaw was discovered by Nozomi Networks Labs and there is no public exploit identified at time of analysis; EPSS is low at 0.18% (40th percentile).

Command Injection Wf 500
NVD
EPSS 1% CVSS 8.6
HIGH This Week

Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) allows attackers with high privileges to execute arbitrary operating system commands on the unidirectional gateway appliance. The flaw was discovered and reported by Nozomi Networks Labs, carries a CVSS 4.0 score of 8.6, and an EPSS of 0.70% (72nd percentile); no public exploit identified at time of analysis. Because WF-500 is deployed as a data-diode between IT and OT/ICS networks, code execution on the RX Host effectively compromises a critical security boundary.

Command Injection Wf 500
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated network attackers to run arbitrary operating system commands through the Console WebUI. The flaw, identified by Nozomi Networks Labs and tracked as CVE-2025-41277, carries a CVSS 4.0 base score of 9.3 and represents a critical risk for industrial environments relying on Waterfall's data diode gateways. No public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile) indicating elevated but not yet widespread exploitation activity.

Command Injection Wf 500
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated network attackers to inject and execute arbitrary OS commands through the Console WebUI. Discovered by Nozomi Networks Labs, the flaw carries a CVSS 4.0 score of 9.3 with no required privileges or user interaction; no public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile).

Command Injection Wf 500
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R2502171040) allows attackers reachable on the management network to execute arbitrary operating system commands on the appliance. The flaw was reported by Nozomi Networks Labs, carries a CVSS 4.0 score of 9.3, and currently has no public exploit identified at time of analysis, with an EPSS score of 1.02% (78th percentile).

Command Injection Wf 500
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers to inject and execute arbitrary OS commands through the Console WebUI. The flaw, identified by Nozomi Networks Labs, carries a CVSS 4.0 score of 9.3 and represents a critical risk to industrial unidirectional gateway deployments. No public exploit identified at time of analysis, and EPSS is 1.02% (78th percentile), suggesting elevated but not yet widespread exploitation interest.

Command Injection Wf 500
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attackers reachable over the network to execute arbitrary operating system commands through the Console WebUI. The flaw was discovered by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3; no public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile) indicating moderate predicted exploitation interest.

Command Injection Wf 500
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated network attackers to execute arbitrary operating system commands via the Console WebUI. The flaw was identified by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3, though there is no public exploit identified at time of analysis and EPSS sits at 1.02%, indicating elevated but not yet realized exploitation pressure.

Command Injection Wf 500
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated network attackers to run arbitrary operating system commands via the Console WebUI. The flaw was disclosed by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3, but no public exploit identified at time of analysis and EPSS sits at 1.02% (78th percentile), indicating credible but not yet widespread exploitation pressure.

Command Injection Wf 500
NVD
EPSS 1% CVSS 8.5
HIGH This Week

Authenticated OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 lets high-privileged remote users execute arbitrary operating system commands on the host. The flaw was identified by Nozomi Networks Labs and carries a CVSS 4.0 score of 8.5, but with no public exploit identified and a modest EPSS of 0.70% (72th percentile), real-world exploitation pressure is currently moderate rather than urgent.

Command Injection Wf 500
NVD
EPSS 1% CVSS 8.6
HIGH This Week

Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) allows remote attackers with high privileges to execute arbitrary operating system commands on the underlying host. The flaw was identified by Nozomi Networks Labs and carries a CVSSv4 score of 8.6, but no public exploit identified at time of analysis and EPSS sits at 0.70% (72th percentile), reflecting limited expected exploitation activity against this niche OT/industrial product.

Command Injection Wf 500
NVD
EPSS 1% CVSS 8.6
HIGH This Week

OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authenticated remote attackers to execute arbitrary operating system commands on the underlying host. The flaw was disclosed by Nozomi Networks Labs and carries a CVSS 4.0 score of 8.6; no public exploit identified at time of analysis, and EPSS exploitation probability is modest at 0.70%.

Command Injection Wf 500
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote unauthenticated command injection in the Acer Predator Connect W6x router enables root-level code execution via crafted MQTT messages, scoring a maximum 10.0 CVSS v4.0 across all impact metrics including subsequent system impact. The flaw was disclosed by Acer and tracked in the ENISA EUVD as EUVD-2026-33269, but no public exploit identified at time of analysis. Affects firmware W6x_GBL_2.00.000005 and earlier, with no special authentication or user interaction required.

Command Injection RCE Predator Connect W6X
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Command injection in the Acer Predator Connect W6x router allows authenticated high-privilege attackers to execute arbitrary shell commands by submitting a crafted MAC address through the Wi-Fi device blocking feature. The flaw stems from insufficient input sanitization on a value that is passed to a shell context, and at the time of analysis no public exploit has been identified and the issue is not listed in CISA KEV. With a CVSS 4.0 base score of 8.6, the bug confers full confidentiality, integrity and availability impact on the device itself.

Command Injection Predator Connect W6X
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Command injection in Dulwich (pure-Python Git implementation) versions >= 0.24.0 and < 1.2.5 allows remote attackers to execute arbitrary OS commands when a victim merges an attacker-controlled branch and has a custom merge driver configured that references the %P placeholder. The ProcessMergeDriver passes attacker-controlled file paths from the git tree into subprocess.run with shell=True, so a path like 'x; touch /tmp/pwned #' is interpreted as a shell metacharacter sequence. Publicly available exploit code exists (working POC in the GitHub Security Advisory GHSA-9277-mp7x-85jf); no public exploit in CISA KEV at time of analysis.

Command Injection RCE Python
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Command injection in AnythingLLM prior to 1.13.0 allows attackers chatting with an agent to execute arbitrary commands inside the server container by abusing the filesystem-search-files skill. The LLM-controlled pattern parameter is passed to ripgrep without a '--' end-of-options separator, letting a crafted pattern like '--pre=/bin/sh' coerce ripgrep into executing files as shell scripts. The default official Docker image ships with the filesystem plugin enabled, making typical deployments exploitable; no public exploit identified at time of analysis.

Docker Command Injection
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote code execution in ScadaBR allows authenticated users to abuse exposed server-side methods to create and execute arbitrary JavaScript that runs as root, resulting in full host compromise. The CVSS 9.9 rating reflects scope change and complete confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis despite the issue being formally reported by Tenable Research (TRA-2026-46).

Command Injection Scadabr
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Command injection in Zed code editor versions prior to 0.229.0 allows bypass of the terminal tool's permission allowlist through bash arithmetic expansion syntax $((...)) nested inside permitted commands like echo. Because Zed is increasingly used with AI agent workflows that execute shell commands on behalf of the user, the bypass effectively neutralizes the safety boundary intended to gate dangerous operations. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-c99f-97vf-4h5h provides sufficient detail for a working PoC to be reconstructed.

Command Injection Zed
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Remote code execution in Zed code editor versions prior to 0.227.1 occurs when a user opens a folder containing a malicious .git/config file that abuses the core.fsmonitor Git configuration option. The flaw triggers even in untrusted mode, defeating the safety boundary users expect when opening unknown repositories, and no public exploit has been identified at time of analysis though the advisory is published by the vendor.

Command Injection RCE Zed
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Remote command execution in Zed code editor versions prior to 0.227.1 occurs when opening SSH or WSL remote terminals because environment variable keys are passed into a shell command string without quoting or validation. An attacker who can influence project terminal settings (for example, through a shared or malicious project) can embed shell expansions such as $(...) into env var keys, achieving arbitrary command execution on the remote host as the victim user when they open a terminal. No public exploit identified at time of analysis, but the issue is fixed in Zed 0.227.1.

Command Injection Zed
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim extracts a maliciously crafted ZIP, 7z, or GEM archive whose top-level folder name contains shell metacharacters. The flaw affects Red Hat Enterprise Linux 6 through 10 and downstream products including OpenShift Container Platform 4, Satellite 6, Red Hat Hardened Images, and Quarkus Native Builder. No public exploit identified at time of analysis, and the issue requires user interaction with an attacker-supplied archive, but successful exploitation yields full code execution under the extracting user's identity.

Command Injection Pen Drive Powered By Red Hat Lightspeed Red Hat Build Of Quarkus Native Builder +9
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote root command injection in InHand Networks industrial routers (IR302, IR305, IR315, IR615) allows unauthenticated network attackers to fully compromise affected devices via the WireGuard VPN feature. With CVSS 9.8 and no required privileges or user interaction, this flaw grants attackers ROOT-level control over edge industrial networking equipment. No public exploit identified at time of analysis, but a vendor advisory (InHand-PSA-2026-05) has been published.

Command Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution as root in InHand Networks industrial cellular routers (IR302, IR305, IR315, IR615) allows unauthenticated network attackers to inject operating system commands through the IPSec VPN feature. The CVSS 9.8 score reflects network-reachable, low-complexity, unauthenticated exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Command Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated command injection in the ZeroTier VPN feature of InHand Networks IR302, IR305, IR315, and IR615 industrial routers grants ROOT-level code execution on affected devices. The flaw carries a CVSS 9.8 critical rating with no authentication required, exposing industrial network gateways to full compromise; no public exploit identified at time of analysis, but the vendor (InHand Networks PSA-2026-05) has acknowledged the issue.

Command Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote root command injection in InHand Networks IR302, IR305, IR315, and IR615 industrial cellular routers allows unauthenticated attackers to execute arbitrary OS commands as root via the Admin Access feature. The flaw affects IR302 V3.5.108, IR305/IR315/IR615 V1.0.118, and earlier firmware, with CVSS 9.8 reflecting network-reachable, no-auth exploitation; no public exploit identified at time of analysis but vendor PSA-2026-05 confirms the issue.

Command Injection
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in Yamcs (the open-source mission control framework, yamcs-core) before 5.12.7 lets an authenticated operator holding the ChangeMissionDatabase privilege overwrite a Python (Jython) algorithm via the Mission Database REST API and run arbitrary OS commands on the host. The Jython script engine is invoked without a sandbox, so injected algorithm text can import java.lang.Runtime and shell out. Publicly available exploit code exists (a full PoC is published in the GitHub Security Advisory), but the issue is not listed in CISA KEV and no public in-the-wild exploitation is identified.

RCE Java Command Injection +2
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary OS command execution in Microsoft's UFO intelligent-automation framework (tagged releases up to and including v3.0.0) lets a local, low-privileged attacker who can write or modify a per-session action JSON record plant a malicious shell action that is executed via PowerShell when the session is resumed or replayed. The injected command runs with the privileges of the UFO process user, yielding full confidentiality, integrity, and availability impact (CVSS 7.8, CWE-78). There is no public exploit identified at time of analysis, and no EPSS or CISA KEV data was supplied to gauge exploitation likelihood.

Microsoft Command Injection
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation via OS command injection in pam_usb before 0.8.7 lets a low-privileged local user execute arbitrary commands as root. The flaw lives in src/tmux.c, which reads the attacker-controllable $TMUX environment variable and interpolates its socket-path component, unsanitised, inside a double-quoted string passed to popen(); a value containing a double-quote breaks out of the quoting and injects shell syntax that runs in the root-context PAM stack. No public exploit identified at time of analysis, and no EPSS or CISA KEV data was supplied, but the CVSS 8.8 (scope-changed) rating reflects straightforward, low-complexity root compromise.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Root command injection in pam_usb prior to 0.8.7 lets a local high-privileged user - or an attacker who can present a removable device with an attacker-chosen filesystem UUID - embed shell metacharacters (e.g. $(id>/tmp/rce)) that execute as root when an administrator runs pamusb-conf --reset-pads. A second injection path passes the userName value from the XML configuration directly to os.system() in pamusb-agent. No public exploit identified at time of analysis; the issue is fixed in 0.8.7.

Command Injection
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in pam_usb prior to 0.8.7 lets a low-privileged user gain the elevated privileges of the pam_usb tool chain by abusing the pamusb-pinentry helper. The helper trusts the PINENTRY_FALLBACK_APP environment variable and executes its value directly, so any process able to set that variable before pamusb-pinentry runs can have an arbitrary binary executed. There is no public exploit identified at time of analysis, and the issue is fixed in version 0.8.7; the GitHub Security Advisory (GHSA-jxrj-q67x-wr4c) is the sole reference.

Command Injection
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthorized OS command execution in Tanium Connect allows an attacker holding low-privilege authenticated access to run arbitrary commands on the host, achieving full compromise of confidentiality, integrity, and availability. The CVSS 8.8 (network vector, low complexity, low privileges, no user interaction) reflects an authenticated remote code execution issue rooted in command injection (CWE-78). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS data was not provided.

Command Injection RCE Connect
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Command injection in Atril (MATE document viewer) and related forks Evince/Xreader allows attackers to execute arbitrary shell commands when a victim opens a maliciously crafted document. The fix, shipped in Atril 1.26.3 and 1.28.4, quotes user-supplied strings passed to the ev_spawn command line, indicating unsanitized input was being interpolated into a spawned subprocess. No public exploit identified at time of analysis, but disclosure on oss-security and Debian LTS advisories suggests Linux desktop distributions are actively patching.

Command Injection Nginx Apache
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization in Apache ActiveMQ Artemis allows authenticated STOMP protocol clients to modify address routing-type settings without sufficient privilege checks. Affects Artemis versions through 2.44.0 and 2.53.0 respectively, the flaw (CWE-863) permits low-privileged network users to alter broker address routing configuration, impacting message routing integrity. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in a monitor-and-patch priority tier rather than emergency response.

Apache Command Injection Jenkins +4
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Command injection in the Sherlock username-hunting tool's CI/CD pipeline (versions prior to 0.16.1) allows any GitHub user to run arbitrary commands on the project's GitHub Actions runner. The flaw lives in the validate_modified_targets.yml workflow, which uses the dangerous pull_request_target trigger; simply opening a pull request executes attacker-controlled code with no approval, review, or merge required. Fixed in 0.16.1; with a CVSS of 9.3 it is a high-severity supply-chain issue, though no public exploit was identified at time of analysis and the technique class is well documented.

Command Injection Sherlock
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Authenticated command injection in TP-Link Archer BE450 v1 and BE7200 v1 routers lets an admin-level user run arbitrary OS commands with elevated privileges via the web management interface. The flaw stems from improper input validation (CWE-20): crafted input supplied through the management UI is passed to backend system commands without adequate sanitization, enabling full device compromise. There is no public exploit identified at time of analysis, and the CVSS 4.0 vector scopes exploitation to the adjacent network by an already-authenticated administrator.

Command Injection Archer Be450 Firmware Archer Be7200 Firmware
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation via command injection in Raynet rvia (RayVentory) 12.6.4392.49-amd64.deb allows authenticated local users to achieve arbitrary code execution by exploiting an improperly terminated find query the application uses to locate the Java runtime. The flaw is reachable through the getconfig command, the upload URL argument, and the oracle -o flag, and publicly available exploit code exists on GitHub although no active exploitation has been observed.

Java Command Injection RCE +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local arbitrary code execution in Raynet rvia 12.6 Update 8 and earlier lets a low-privileged local user inject operating-system commands through the application's Java search feature, which assembles a `find` command from an attacker-controlled path without properly terminating the search criteria (CWE-77 OS command injection). A working proof-of-concept exploit script is publicly available on GitHub (Wise-Security/CVE-2026-38945), and CISA's SSVC framework rates the technical impact as total, though it marks the issue as not automatable and requiring local access. No EPSS score and no CISA KEV listing were supplied, so there is no public exploit identified as actively exploited at time of analysis.

Command Injection RCE Java
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Unauthenticated remote command injection in the Netis AC1200 Router (model NC21, firmware V4.0.1.4296) allows any LAN-resident attacker to execute arbitrary OS commands as the router's runtime user via a single HTTP POST to /cgi-bin/skk_set.cgi. The password and new_pwd_confirm parameters are concatenated into a shell invocation without sanitization, and exploitation requires no credentials. No public exploit is identified at time of analysis, though the disclosure repository documents the technique (base64-encoded backtick payloads), and EPSS scoring (0.21%) suggests limited broad exploitation pressure despite the trivial attack complexity.

Command Injection RCE
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

OS command injection in sipeed picoclaw v0.1.2 and earlier allows remote attackers to bypass an incomplete denylist-based sanitizer in the ExecTool component and execute arbitrary shell commands on the host. The guardCommand() function in pkg/tools/shell.go relies on only eight regex denylist patterns, which is insufficient to block the wide range of shell metacharacters and command-chaining techniques available to an attacker. No public exploit identified at time of analysis, though a third-party gist documenting the issue is referenced from NVD.

Command Injection
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

OS command injection in the @pensar/apex Node.js agent package (versions 0.0.58 and earlier) lets a remote, unauthenticated attacker run arbitrary operating-system commands by smuggling shell metacharacters into the smart_enumerate tool's url or extensions inputs. The vulnerable createSmartEnumerateTool() routine in src/core/agent/tools.ts builds a shell command string by concatenating those untrusted values and passes it to Node.js child_process.exec(), which spawns a shell that interprets the injected characters, executing them with the privileges of the agent process. CVSS is 8.8 (network vector, low complexity, no privileges, but user/agent interaction required); the source data shows no CISA KEV listing and no EPSS score, and a referenced researcher gist may contain proof-of-concept detail though exploit code is not confirmed in the structured input.

Command Injection Node.js
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

OS command injection in MB connect line / Helmholz mbNET and REX industrial remote-maintenance routers (mbNET.mini up to 3.0.2, REX200/250 and mbNET/mbNET.rokey up to 8.4.4, REX100 up to 3.0.2) lets a high-privilege authenticated user poison the device's configuration generator so that a tainted value is later passed unsanitized to a system execute call, producing arbitrary command execution with total loss of confidentiality, integrity and availability. The flaw was reported through CERT@VDE (advisory VDE-2026-054) and tracked as EUVD-2026-32151. There is no public exploit identified at time of analysis, EPSS is low (0.07%, 22nd percentile), and CISA's SSVC framework rates current exploitation as none.

Command Injection RCE
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

OS command injection in Perl's HTTP::Daemon before 6.17 (libwww-perl) lets remote unauthenticated attackers execute commands as the daemon process UID when request-derived input reaches the send_file() method. The method opened its string argument with Perl's 2-argument open(), whose magic prefixes ('| cmd', 'cmd |', '> path', '>> path') spawn subprocesses or write/truncate files; the read-pipe form additionally leaks subprocess stdout into the HTTP response body. There is no public exploit identified at time of analysis and no CISA KEV listing, but the upstream fix is released (6.17) and the patch diff is public, so the root cause is fully disclosed.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OS command injection in Tanium Connect lets an authenticated, low-privileged user execute arbitrary commands on the underlying host, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). The flaw affects Connect branches 5.26, 5.29, and 5.37 below their respective fixed builds and is tagged as RCE/Command Injection. There is no public exploit identified at time of analysis, and EPSS estimates exploitation probability at a low 0.07% (22nd percentile).

Command Injection RCE Connect
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Host-level code execution in Lumiverse AI chat application (versions prior to 0.9.7) allows admin-authenticated attackers to run arbitrary commands on the host by submitting a malicious Spindle extension whose package.json defines lifecycle scripts. The Spindle build pipeline invokes bun install before its static safety scan and without script execution disabled, so code runs at install time on the server rather than at runtime in any sandboxed bundle. No public exploit identified at time of analysis.

Command Injection RCE Lumiverse
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

Local privilege escalation in OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows unprivileged local users to execute arbitrary OS commands as root by abusing an exposed local IPC channel to the privileged background service. The flaw carries a CVSS 4.0 score of 9.4 with scope change (SC:H/SI:H/SA:H), and SSVC rates technical impact as total, though there is no public exploit identified at time of analysis and EPSS is only 0.04%.

Apple Privilege Escalation Command Injection +1
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.

RCE SQLi PostgreSQL +2
NVD GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

OS command injection in haojing8312 WorkClaw up to version 0.6.4 allows a low-privileged remote attacker to bypass the application's blacklist-based command filter and execute arbitrary operating system commands. The flaw resides in the `is_dangerous` function within the Rust/Tauri agent's bash tool (`apps/runtime/src-tauri/src/agent/tools/bash.rs`), where an incomplete blacklist fails to block crafted payloads. A publicly available proof-of-concept exploit exists via a GitHub issue report; no vendor patch has been released as the project has not responded to the disclosure.

Command Injection Workclaw
NVD VulDB GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

{{ github.event.pull_request.title }} directly into bash double-quoted strings across four steps in four separate jobs, enabling shell escape via crafted PR title content. No public exploit has been identified and EPSS stands at 0.03% (10th percentile), though the supply-chain nature of this CI-targeting vulnerability means successful exploitation could expose repository secrets and runner tokens.

Python Command Injection Vowpal Wabbit
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Authenticated command injection in luci-app-https-dns-proxy through version 2025.12.29-5 allows a low-privileged LuCI user holding the luci.https-dns-proxy ACL permission to execute arbitrary commands as root on OpenWrt devices via shell metacharacters in the 'name' parameter of a ubus RPC call to setInitAction. Publicly available exploit code exists (Exploit-DB 52521, VulnCheck advisory), though EPSS remains low at 0.06% and the package is an optional community add-on not installed by default. Core OpenWrt installations are unaffected; only systems that explicitly opted into this LuCI add-on are at risk.

Command Injection Luci App Https Dns Proxy
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 8.5
HIGH POC PATCH This Week

Command injection in the gitoxide Rust library (gix-submodule crate before 0.82.0, gix before 0.83.0) allows attackers controlling a repository's .gitmodules file to bypass the CommandForbiddenInModulesConfiguration guard and achieve arbitrary command execution when Submodule::update() runs against a previously-initialized submodule. The flaw stems from gix_submodule::File::update() checking only whether a same-named section exists in .git/config rather than verifying that the update value itself originated from that trusted source, so an attacker-supplied 'update = !cmd' falls through to execution. Publicly available exploit code exists (PoC referenced by VulnCheck and Anthropic), though EPSS is low (0.02%) and the issue is not in CISA KEV.

RCE Command Injection Gitoxide
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL POC PATCH Act Now

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via crafted print job descriptions. The flaw stems from unescaped expansion of the client-controlled '%J' substitution token into the configured 'print command', enabling shell metacharacter injection. No public exploit has been identified at time of analysis, and EPSS scores exploitation probability at only 0.08%, but CVSS 9.0 with scope change reflects high potential impact on any Samba host exposing print services.

RCE Command Injection Red Hat Enterprise Linux 10 +5
NVD VulDB
EPSS 0% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink N300RH router (firmware 6.1c.1353_B20190305) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the admpass argument sent to the setPasswordCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the SSVC framework rates technical impact as total with automatable exploitation, though EPSS remains low at 0.20%. The flaw is reachable over the network without authentication or user interaction, giving an attacker full control of the device.

Command Injection N300Rh
NVD VulDB GitHub
EPSS 3% CVSS 2.1
LOW POC Monitor

OS command injection in Totolink CA750-PoE 6.2c.510 allows a low-privileged remote attacker to execute arbitrary operating system commands by manipulating the PIN argument passed to the setWiFiWpsConfig function within /cgi-bin/cstecgi.cgi. The attack requires no user interaction and is reachable over the network, making it a credible threat to any deployment exposing the device's management interface. A public proof-of-concept exploit has been published on GitHub, and EPSS places this at the 87th percentile of exploitation likelihood despite a low raw CVSS 4.0 score of 2.1 - a signal worth noting against the mismatch.

Command Injection Ca750 Poe
NVD VulDB GitHub
EPSS 3% CVSS 2.1
LOW POC Monitor

OS command injection in Totolink CA750-PoE firmware 6.2c.510 enables remote attackers with low-level credentials to execute arbitrary operating system commands via the fwUrl and magicid parameters of the recvUpgradeNewFw function within /cgi-bin/cstecgi.cgi. The firmware upgrade Setting Handler fails to sanitize user-supplied input before passing it to the underlying OS shell, exposing the device to command execution. A public proof-of-concept exploit is available on GitHub; while not yet listed in CISA KEV, the EPSS 87th-percentile ranking signals elevated real-world exploitation interest relative to the broader vulnerability landscape.

Command Injection Ca750 Poe
NVD VulDB GitHub
EPSS 3% CVSS 2.1
LOW POC Monitor

OS command injection in Totolink CA750-PoE firmware 6.2c.510 allows authenticated remote attackers to execute arbitrary shell commands by manipulating the FileName argument passed to the setUploadUserData function within the /cgi-bin/cstecgi.cgi Setting Handler. A public proof-of-concept exploit is available on GitHub, meaningfully lowering the skill barrier for adversaries. While not listed in CISA KEV, the EPSS score of 2.95% at the 87th percentile signals real-world exploitation probability well above average, making this a higher practical risk than the CVSS 4.0 base score of 2.1 alone would suggest.

Command Injection Ca750 Poe
NVD VulDB GitHub
EPSS 3% CVSS 2.1
LOW POC Monitor

OS command injection in Totolink CA750-PoE firmware 6.2c.510 allows a network-adjacent authenticated attacker to execute arbitrary operating system commands by manipulating the FileName argument passed to the setUpgradeUboot function within the /cgi-bin/cstecgi.cgi Setting Handler. Publicly available exploit code exists, hosted on GitHub, making exploitation accessible to low-skilled attackers. No public exploit identified in CISA KEV at time of analysis, though the EPSS 87th percentile ranking signals elevated exploitation interest relative to the broader CVE population despite a low absolute probability of 2.95%.

Command Injection Ca750 Poe
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Configuration injection in FastNetMon Community Edition through 1.2.9 allows an attacker who controls the attacker IP string passed to the Juniper integration plugin to inject arbitrary Juniper NETCONF set/delete commands, leading to full router compromise. The flaw lives in the PHP-based Juniper plugin where unsanitized argv input is interpolated into NETCONF commands, and although no public exploit identified at time of analysis (EPSS 0.03%), the technical impact is rated total under SSVC and CVSS scores 8.1.

PHP Juniper Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

OS command injection in FastNetMon Community Edition through 1.2.9 lets an authenticated network attacker execute arbitrary shell commands via the MikroTik router integration plugin by influencing argv[] values passed to the unsanitized _log() function. The flaw mirrors a previously disclosed Juniper plugin issue in the same project, and while a public technical write-up exists at lorikeetsecurity.com, no public exploit code or active exploitation has been identified, with EPSS at 0.05% (17th percentile).

PHP Mikrotik Juniper +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Command Injection PHP Juniper +1
NVD GitHub VulDB
EPSS 3% CVSS 2.1
LOW POC Monitor

OS command injection in Totolink CA750-PoE firmware 6.2c.510 allows a remote, low-privileged attacker to execute arbitrary operating system commands on the device by manipulating the plugin_version parameter in the setUnloadUserData function of /cgi-bin/cstecgi.cgi. A public proof-of-concept exploit exists on GitHub, and the EPSS percentile (87th) indicates this CVE carries meaningfully higher exploitation likelihood than the majority of published vulnerabilities despite its low CVSS 4.0 base score of 2.1. No public exploit identified as actively exploited (CISA KEV), but POC availability on a network-accessible embedded device warrants prompt attention in exposed deployments.

Command Injection Ca750 Poe
NVD VulDB GitHub
EPSS 3% CVSS 2.1
LOW POC Monitor

OS command injection in Totolink CA750-PoE firmware 6.2c.510 allows authenticated remote attackers to execute arbitrary operating system commands by manipulating network diagnostic parameters in the device's CGI handler. The vulnerable function setNetworkDiag, reachable at /cgi-bin/cstecgi.cgi, passes attacker-controlled values for NetDiagHost, NetDiagPingNum, NetDiagPingSize, NetDiagPingTimeOut, and NetDiagTracertHop directly into OS command execution without sanitization. A public proof-of-concept exploit exists on GitHub; the EPSS score of 2.95% at the 87th percentile indicates elevated exploitation likelihood relative to the broader CVE population, though SSVC assessment rates the attack as not automatable.

Command Injection Ca750 Poe
NVD VulDB GitHub
EPSS 3% CVSS 2.1
LOW POC Monitor

OS command injection in Totolink CA750-PoE firmware 6.2c.510 allows a low-privileged remote attacker to execute arbitrary system commands on the device by manipulating the host_time argument passed to the NTPSyncWithHost function within the CGI-based Setting Handler. A public proof-of-concept exploit is available on GitHub, lowering the bar for exploitation. Despite being an OS command injection - a class of vulnerability typically associated with high-severity scores - the vendor CVSS 4.0 score of 2.1 reflects unusually low impact ratings (VC:L/VI:L/VA:L) that security teams should independently verify, as the 87th-percentile EPSS score signals that this CVE's characteristics are consistent with real-world exploitation interest.

Command Injection Ca750 Poe
NVD VulDB GitHub
EPSS 3% CVSS 2.1
LOW POC Monitor

OS command injection in Totolink CA750-PoE firmware 6.2c.510 allows a network-reachable, low-privilege authenticated attacker to execute arbitrary operating system commands by injecting shell metacharacters into the admuser or admpass arguments of the setPasswordCfg function within /cgi-bin/cstecgi.cgi. A public proof-of-concept exploit has been published on GitHub, materially lowering the bar for exploitation. No vendor-released patch has been identified at time of analysis, leaving affected deployments dependent on compensating controls.

Command Injection Ca750 Poe
NVD VulDB GitHub
EPSS 2% CVSS 2.1
LOW POC Monitor

OS command injection in Totolink CA750-PoE firmware 6.2c.510 allows authenticated remote attackers to execute arbitrary OS commands by manipulating the webWlanIdx argument within the setWebWlanIdx function of /cgi-bin/cstecgi.cgi. A publicly available proof-of-concept exploit hosted on GitHub exists, materially lowering the skill threshold for exploitation despite the low CVSS 4.0 score of 2.1. No public exploit identified at time of analysis as confirmed actively exploited (CISA KEV), but EPSS places this at the 85th percentile, signaling elevated exploitation likelihood relative to the broader CVE population.

Command Injection Ca750 Poe
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands via the 'enable' parameter of the setParentalRules function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and while the EPSS score of 0.89% (76th percentile) suggests moderate predicted exploitation likelihood, the network-accessible attack surface on an edge device elevates real-world risk significantly.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'mac' parameter sent to the setAccessDeviceCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and SSVC rates the technical impact as total with automatable exploitation, though EPSS remains modest at 0.89% (76th percentile). No CISA KEV listing has been published at time of analysis.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the admpass parameter sent to the setPasswordCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists and the flaw is reachable over the network without user interaction, though no public exploit identified at time of analysis indicates active in-the-wild abuse via CISA KEV.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attackers to execute arbitrary operating system commands via the Comment parameter handled by the setIpQosRules function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists and the SSVC framework rates the technical impact as total with automatable exploitation, though no public exploit identified at time of analysis as actively exploited in the CISA KEV catalog. EPSS sits at 0.89% (76th percentile), suggesting moderate but non-trivial exploitation interest.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

Remote OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated attackers to execute arbitrary operating system commands through the setWanCfg function in /cgi-bin/cstecgi.cgi by manipulating the 'enabled' parameter. Publicly available exploit code exists, and with CVSS 4.0 score of 8.9 (network-reachable, low complexity, no privileges required), exposed devices face high risk despite an EPSS score of 0.89% (76th percentile) indicating moderate near-term exploitation probability.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the FileName argument in the UploadFirmwareFile function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists per VulDB reporting, and SSVC rates this as automatable with total technical impact, though EPSS remains modest at 0.89% (76th percentile) indicating no broad mass-exploitation campaign yet observed.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

Remote OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to execute arbitrary commands via the setOpenVpnCfg function in /cgi-bin/cstecgi.cgi by manipulating the 'enabled' argument. Publicly available exploit code exists, raising the risk of opportunistic attacks against exposed devices, though EPSS scoring (0.89%, 76th percentile) suggests moderate but not yet widespread exploitation. The flaw stems from improper neutralization of OS command elements (CWE-78) in the router's Web Management Interface.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in TOTOLINK A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the FileName parameter in the UploadOpenVpnCert function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists per VulDB disclosure, and SSVC scoring indicates the flaw is automatable with total technical impact, though EPSS remains modest at 0.89% (76th percentile). The vulnerability is no public exploit identified in CISA KEV, but POC availability combined with network-reachable management interface elevates real-world risk.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary commands via the servername parameter of the setOpenVpnCertGenerationCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (GitHub PoC), and although the EPSS score is modest (0.89%, 76th percentile), the CVSS 4.0 score of 8.9 reflects network-reachable, no-privilege, no-interaction exploitation with high confidentiality, integrity, and availability impact. No CISA KEV listing has been recorded at the time of analysis.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Command injection in FoundDream miniclawd's SkillsLoader component exposes systems to remote unauthenticated arbitrary command execution via unsanitized manipulation of the `requires.bins` argument in `/src/application/skills-loader.ts`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and SSVC classifies the attack as automatable with partial technical impact. A public exploit (POC) exists via GitHub issue tracker, the vendor has not responded to disclosure, and no patch has been released - leaving affected deployments with no official remediation path.

Command Injection Miniclawd
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

OS command injection in FoundDream miniclawd allows remote unauthenticated attackers to execute arbitrary system commands via the ExecTool.execute function in /src/tools/exec.ts. All versions up to commit 2d65665046e2222eeea76cafc8570ed546a8c125 are affected, and because the project uses no versioning scheme, the full exposure window cannot be bounded by a release number. A publicly available proof-of-concept exploit exists (disclosed via GitHub issue), and the project maintainer has not responded to the responsible disclosure, meaning no patch is available at time of analysis.

Command Injection Miniclawd
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in Edimax BR-6478AC 1.23 exposes the router's web management interface to remote exploitation via a crafted POST request targeting the formiNICbasic endpoint. The rootAPmac parameter - likely used for wireless bridging MAC address configuration - is passed unsanitized to a system-level command, allowing an authenticated attacker with low privileges to inject arbitrary OS commands. A public proof-of-concept exploit has been released; the vendor was notified but did not respond, leaving the vulnerability unpatched. While not listed in CISA KEV, the EPSS score of 0.84% at the 75th percentile and confirmed POC availability represent a meaningful risk for exposed devices.

Command Injection Br 6478Ac
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in the Edimax BR-6478AC 1.23 wireless router's formAccept POST handler allows an authenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the submit-url argument at /goform/formAccept. A public proof-of-concept exploit is documented via a Notion writeup, lowering the bar for exploitation; the vendor did not respond to responsible disclosure, leaving no patch available. No public exploit identified at time of analysis conflicts with KEV status - active exploitation is not confirmed by CISA, but EPSS at 0.84% (75th percentile) signals above-average relative exploitation interest given the public POC.

Command Injection Br 6478Ac
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in the Edimax BR-6675nD 1.12 router's web management interface allows a low-privileged remote attacker to execute arbitrary OS commands by submitting a crafted value for the `interface` parameter to the `/goform/stainfo` endpoint. A public proof-of-concept exploit is available on Notion and documented via VulDB, lowering the bar for exploitation. No vendor patch has been issued; the vendor did not respond to coordinated disclosure, leaving affected deployments without an official fix.

Command Injection Br 6675Nd
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

OS command injection in DTStack Taier 1.4.0 permits remote low-privileged authenticated attackers to execute arbitrary operating system commands by injecting shell metacharacters into the `sqlText` parameter, which is passed unsanitized to Java's `Runtime.exec()` within the REST API. A public proof-of-concept exploit has been disclosed on GitHub. No vendor patch exists - the vendor did not respond to responsible disclosure - leaving all Taier 1.4.0 deployments without an official remediation path at time of analysis.

Command Injection Taier
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'enable' argument passed to the setL2tpServerCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (published on GitHub), though EPSS probability remains modest at 0.94% (76th percentile), and the issue is not currently listed in CISA KEV.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'enable' parameter sent to the setQosCfg function of /cgi-bin/cstecgi.cgi in the Web Management Interface. Publicly available exploit code exists per VulDB submission, and the SSVC framework rates technical impact as total with automatable exploitation, though EPSS probability remains modest at 0.89%.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated remote attackers to execute arbitrary operating system commands by manipulating the wscDisabled parameter sent to the setWiFiWpsCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists per VulDB disclosure, though EPSS probability remains modest at 0.89% (76th percentile) and the vulnerability is not listed in CISA KEV.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'enable' argument passed to the setMacFilterRules function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists per VulDB, and SSVC categorizes the technical impact as total with automatable exploitation, though EPSS remains modest at 0.89% (76th percentile).

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the bgProtection parameter in the setWiFiAdvancedCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists per VulDB, and SSVC classifies the issue as automatable with total technical impact, though EPSS exploitation probability remains modest at 0.89% (76th percentile).

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

OS command injection in Edimax EW-7438RPn 1.31 allows a low-privileged, remote attacker to execute arbitrary commands on the device by manipulating any of approximately 29 parameters passed to the formWlanMP function via the /goform/formWlanMP endpoint. The vulnerable parameters - including ateFunc, ateGain, ateTxCount, and e2pTxPower series - are characteristic of ATE (Automatic Test Equipment) manufacturing-mode calibration parameters left accessible in the production firmware. A public proof-of-concept exploit has been published on GitHub, and the vendor did not respond to the disclosure; no patch is available. No public exploit identified as confirmed actively exploited (CISA KEV), though the public PoC elevates real-world risk.

Command Injection Ew 7438Rpn
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Command injection in Edimax BR-6675nD firmware 1.12 enables remote attackers with administrative credentials to execute arbitrary OS commands via the `command` argument in POST requests to the `/goform/mp` endpoint. Although a public exploit exists (referenced via a Notion-hosted POC), exploitation is constrained by the requirement for high-privilege authentication (CVSS PR:H), keeping the CVSS 4.0 score at 2.0 and EPSS at 0.23%. No vendor patch is available - the vendor did not respond to pre-disclosure contact - leaving devices persistently unmitigated at the firmware level.

Command Injection Br 6675Nd
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

An OS Command Injection vulnerability exists in Aterm. If a malicious third person gains administrator access to the product’s web console, they may be able to execute arbitrary OS commands via adjacent network.

Command Injection Aterm Mr51Fn Aterm Cm51Fd
NVD
Prev Page 5 of 87 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
7742

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy