Skip to main content

OS Command Injection

web CRITICAL

OS command injection occurs when an application passes unsanitized user input directly into system shell commands.

How It Works

OS command injection occurs when an application passes unsanitized user input directly into system shell commands. Instead of treating input as pure data, the shell interprets special characters as command separators or modifiers, allowing attackers to append arbitrary commands. Common injection points include system(), exec(), popen(), and backtick operators in languages like PHP, Python, and Ruby.

Attackers exploit shell metacharacters to break out of the intended command context. On both Unix and Windows, semicolons (;), pipes (|), and logical operators (&&, ||) chain multiple commands. Unix shells additionally interpret backticks and $() for command substitution, while newlines can also separate statements. For example, if an application executes ping -c 4 $USER_IP, an attacker supplying 8.8.8.8; cat /etc/passwd causes the server to run two commands sequentially.

Attacks manifest in three variants. Visible injection returns command output in the HTTP response, giving immediate feedback. Blind injection produces no direct output, requiring time-based detection (using sleep or timeout commands) or out-of-band confirmation via DNS lookups or HTTP callbacks to attacker-controlled servers. Attackers can also redirect output to web-accessible files for later retrieval.

Impact

  • Complete server compromise — execute any command with the application's privileges, often www-data or root
  • Lateral movement — scan internal networks, pivot to backend systems unreachable from the internet
  • Data exfiltration — dump databases, read configuration files containing credentials, access sensitive business data
  • Persistence mechanisms — install cron jobs, add SSH keys, deploy web shells for continued access
  • Denial of service — crash services, fill disk space, consume CPU resources
  • Supply chain attacks — modify application code or deployment artifacts to compromise downstream users

Real-World Examples

The Ivanti Cloud Service Appliance suffered CVE-2024-8190, where command injection in the administrative interface allowed unauthenticated attackers to execute arbitrary OS commands. CISA added it to the Known Exploited Vulnerabilities catalog after observing active exploitation against enterprise networks.

GitLab experienced multiple command injection vulnerabilities over the years, including issues in repository import functionality where Git URLs containing shell metacharacters were passed unsanitized to system commands, enabling remote code execution on self-hosted instances.

Network equipment frequently contains these flaws. Various Netgear routers have exhibited command injection in ping diagnostic tools, where user-supplied IP addresses were concatenated directly into shell commands without validation, granting attackers complete device control.

Mitigation

  • Eliminate OS commands entirely — use native language libraries (filesystem APIs, network functions) instead of shelling out
  • Strict input allowlisting — permit only exact matches against predefined values; validate format with regex before any processing
  • Parameterized execution APIs — use execve() or language equivalents that pass arguments as arrays, bypassing the shell interpreter completely
  • Principle of least privilege — run application processes with minimal permissions to limit compromise impact
  • Input validation — enforce expected patterns (IP addresses, alphanumeric IDs) but never rely on blacklisting metacharacters

Recent CVEs (7743)

EPSS 0% CVSS 8.5
HIGH This Week

An OS Command Injection vulnerability exists in Aterm. If a malicious third person gains administrator access to the product’s web console, they may be able to execute arbitrary OS commands via adjacent network.

Command Injection Aterm Mr51Fn Aterm Cm51Fd
NVD
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the TOTOLINK A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'enable' parameter passed to the setStaticDhcpRules function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists and SSVC rates this as automatable with total technical impact, though EPSS remains modest at 0.89% (76th percentile). Exploitation requires no authentication or user interaction, making any internet-exposed management interface a high-priority target.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the firewallType parameter sent to /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the SSVC framework rates the technical impact as total with automatable exploitation, though it is not currently listed in CISA KEV. EPSS sits at 0.89% (76th percentile), suggesting moderate but not yet widespread opportunistic exploitation.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands via the 'enable' parameter of the setRemoteCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, raising the practical risk despite the device not being listed in CISA KEV; EPSS sits at 0.89% (76th percentile), reflecting moderate predicted exploitation likelihood.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'enable' parameter passed to the setGameSpeedCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, raising the practical threat despite a modest EPSS score of 0.89% (76th percentile). No active exploitation has been confirmed via CISA KEV at time of analysis.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary shell commands by manipulating the 'provider' argument passed to the setDdnsCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (CVSS 4.0 base 8.9, EPSS 0.89%), and no CISA KEV listing has been issued, but the combination of zero-privilege network exploitation and a working PoC against consumer/SOHO networking gear makes this a high-priority issue for any exposed device.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in Edimax BR-6675nD 1.12 router firmware allows authenticated remote attackers to execute arbitrary OS commands by manipulating over two dozen POST parameters in the formWlanMP wireless calibration handler. The vulnerable endpoint exposes ATE (Automated Test Equipment) and EEPROM power calibration parameters - none requiring special configuration to be present - that pass user input unsanitized to a system-level command interpreter. A publicly available proof-of-concept exploit exists, no vendor patch has been released, and the vendor did not respond to responsible disclosure, leaving affected deployments permanently unmitigated absent compensating controls.

Command Injection Br 6675Nd
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in the Edimax BR-6675nD 1.12 router's web management interface allows remote authenticated attackers to execute arbitrary OS commands by manipulating the sub_dir parameter of POST requests to the /goform/formUSBStorage endpoint. The vulnerability stems from unsanitized input passed directly to a system-level command in the formUSBStorage function (CWE-77). A public proof-of-concept exploit has been published, the vendor has not responded to disclosure, and no patch is available, leaving all known-affected deployments without an official remediation path.

Command Injection Br 6675Nd
NVD VulDB
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the TOTOLINK A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'mode' parameter sent to the setScheduleCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (published via VulDB and a GitHub PoC), though there is no public exploit identified as actively exploited in the wild and EPSS probability is modest at 0.89%. The flaw resides in the device's Web Management Interface and can be triggered over the network without user interaction, making any internet-exposed device immediately at risk.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands via the resetFlags parameter handled by the setUpgradeFW function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the SSVC framework classifies exploitation as automatable with total technical impact, though EPSS remains modest at 0.89% (76th percentile).

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands through the setLanguageCfg function in /cgi-bin/cstecgi.cgi. The flaw is triggered by manipulating the lang argument in the Web Management Interface, with publicly available exploit code existing and SSVC classifying the issue as automatable with total technical impact. EPSS sits at 0.89% (76th percentile), indicating moderate but non-trivial exploitation probability.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

Remote OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows unauthenticated attackers to execute arbitrary operating system commands by manipulating the 'command' argument in the setTracerouteCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the CVSS 4.0 vector confirms network-reachable, low-complexity exploitation without authentication or user interaction, though EPSS remains modest at 0.89% (76th percentile) and the issue is not listed in CISA KEV.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 8.9
HIGH POC This Week

OS command injection in the Totolink A8000RU router (firmware 7.1cu.643_b20200521) allows remote unauthenticated attackers to execute arbitrary operating system commands via the ip parameter handled by the setDiagnosisCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the CVSS 4.0 score of 8.9 reflects high impact across confidentiality, integrity, and availability. EPSS is moderate at 0.89% (76th percentile), and the vulnerability is not currently listed in CISA KEV.

Command Injection A8000Ru
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in the Edimax BR-6675nD 1.12 router's WPS start handler allows remote attackers with low-privilege authentication to execute arbitrary OS-level commands by supplying unsanitized shell metacharacters in the pinCode POST parameter of /goform/formWpsStart. Publicly available exploit code exists, confirmed via a Notion-hosted proof-of-concept referenced in VulDB reporting. The vendor was notified prior to disclosure but did not respond, and no patch has been released - leaving affected deployments without a vendor-supported remediation path.

Command Injection Br 6675Nd
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in the Edimax BR-6675nD firmware 1.12 exposes the POST handler at /goform/formHwSet to OS-level command execution through multiple unsanitized parameters including regulatory domain and MAC address fields. Remote attackers holding low-privilege credentials can exploit this without user interaction, as confirmed by a publicly released proof-of-concept. The vendor was notified prior to disclosure but did not respond, leaving no official patch and no coordinated remediation path.

Command Injection Br 6675Nd
NVD VulDB
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Remote command injection in NousResearch hermes-agent allows unauthenticated attackers to execute arbitrary OS commands through the terminal_tool component's approval mechanism. The vulnerability affects all versions up to commit 5157f5427f19488b31c6fdebbacd15d798ce7f63 and has publicly available exploit code demonstrating the attack. The vendor has not responded to disclosure attempts, leaving users without an official patch.

Command Injection Hermes Agent
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in Edimax EW-7438RPn 1.12 allows authenticated remote attackers to execute arbitrary OS commands via the 'method' parameter in the formEZCHNwlanSetup POST handler at /goform/formEZCHNwlanSetu. Public exploit code exists (CVSS E:P), enabling low-complexity attacks that compromise confidentiality, integrity, and availability at low impact levels. EPSS data not available. Not currently listed in CISA KEV, suggesting targeted rather than widespread exploitation. Vendor was notified but has not issued a patch or advisory.

Command Injection Ew 7438Rpn
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in Edimax EW-7438RPn 1.12 allows authenticated remote attackers to execute arbitrary operating system commands via the max_Conn and timeOut parameters in the formConnectionSetting endpoint. The vulnerability requires low-privilege authentication but no user interaction, with public exploit code available. EPSS data not available; vendor unresponsive to disclosure.

Command Injection Ew 7438Rpn
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Remote command injection in Edimax EW-7438RPn 1.12 allows authenticated attackers to execute arbitrary OS commands by manipulating the submit-url parameter in the formAccept function via /goform/formAccep endpoint. Public exploit code is available (EPSS not provided in input data). Vendor was notified but has not responded or issued a patch, leaving devices vulnerable to takeover by users with low-level credentials.

Command Injection Ew 7438Rpn
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in Edimax EW-7438RPn 1.28a allows authenticated remote attackers to execute arbitrary system commands via crafted POST parameters to the /goform/formHwSet endpoint. The vulnerability affects the formHwSet function's handling of multiple configuration parameters including Antenna, Mcs, regDomain, MAC addresses, SSID, and channel settings. Public exploit code exists (CVSS E:P), significantly lowering the barrier to exploitation, though CISA KEV does not list active widespread exploitation at time of analysis.

Command Injection Ew 7438Rpn
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

OS command injection in Edimax EW-7438RPn WiFi range extender firmware versions up to 1.31 allows authenticated remote attackers to execute arbitrary system commands via the formWizSurvey web interface. The vulnerability exists in the /goform/formWizSurvey endpoint where input validation fails on the ip, mask, and gateway parameters. Publicly available exploit code exists (GitHub POC published), though no active exploitation has been confirmed by CISA KEV. EPSS data not available for this recent CVE. Vendor notified but non-responsive, indicating no official patch is forthcoming.

Command Injection Ew 7438Rpn
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

OS command injection in Edimax EW-7438RPn firmware (versions up to 1.31) allows authenticated remote attackers to execute arbitrary system commands via the pinCode parameter in the formWpsStart function. Public exploit code is available on GitHub, enabling low-complexity attacks against the WPS configuration interface. The vendor has not responded to vulnerability disclosure, leaving no official patch available. EPSS data not provided, but public POC availability significantly increases exploitation risk for internet-exposed devices with weak admin credentials.

Command Injection Ew 7438Rpn
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in the Edimax BR-6428NS 1.10 wireless router's web management interface allows a remotely authenticated attacker to execute arbitrary OS commands by manipulating the repeaterSSID parameter in a POST request to /goform/formWlbasic. A publicly available proof-of-concept exploit exists, raising the practical risk above what the moderate CVSS score of 6.3 alone suggests. The vendor was notified prior to disclosure but did not respond, meaning no vendor-supplied patch exists at time of analysis.

Command Injection Br 6428Ns
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in Edimax BR-6428NS firmware version 1.10 exposes the device's operating system to remote command execution via the /goform/formWlanM POST request handler. An authenticated remote attacker (PR:L per CVSS) can manipulate any of 29+ wireless calibration and ATE parameters - including ateFunc, ateGain, e2pTxPower series, and readE2P - to inject arbitrary shell commands into the device OS. No vendor patch exists as Edimax did not respond to responsible disclosure; a publicly available exploit exists, and the breadth of vulnerable parameters indicates a systemic absence of input sanitization across the wlanM form handler.

Command Injection Br 6428Ns
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Cross-tenant remote code execution in Nezha Monitoring dashboard (versions >= 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97) allows any authenticated RoleMember user to execute arbitrary shell commands as root on every monitored agent host in the deployment. The flaw stems from cron API endpoints being gated by commonHandler instead of adminHandler, combined with a vacuous-true permission check when the Servers list is empty, enabling fanout to all tenants' servers. No public exploit identified at time of analysis, but a complete proof-of-concept is included in the GitHub Security Advisory.

SSRF Command Injection
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH NO ACTION HOSTED Monitor

Command injection in Microsoft 365 Copilot for iOS allows remote unauthenticated attackers to tamper with system integrity over the network when a user is convinced to interact with malicious content. The flaw carries a critical CVSS score of 9.3 with a scope change indicating impact beyond the vulnerable component, though no public exploit identified at time of analysis. An official vendor patch is available via MSRC.

Microsoft Command Injection
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH NO ACTION HOSTED Monitor

Command injection in Microsoft 365 Copilot exposes sensitive information to unauthenticated remote attackers when a victim user interacts with attacker-controlled content, resulting in High confidentiality impact with no integrity or availability effect. The vulnerability carries a CVSS 6.5 (Medium) score, reflecting network accessibility and low attack complexity offset by a mandatory user interaction requirement. No public exploit code exists at time of analysis, and Microsoft has released an official patch documented via the Microsoft Security Response Center.

Command Injection Microsoft 365 Copilot
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH NO ACTION Monitor

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-system commands against the platform, with a maximum CVSS score of 10.0 reflecting changed scope and full confidentiality, integrity, and availability impact. The flaw stems from improper neutralization of special elements in command construction (CWE-77), and while no public exploit has been identified at time of analysis, Microsoft has released a patch via MSRC. Given Power Pages is a multi-tenant SaaS offering, a successful exploit could pivot beyond the initial site boundary.

Microsoft Command Injection
NVD VulDB
EPSS 0% CVSS 9.2
CRITICAL POC PATCH Act Now

Shell command injection in the npm shell-quote library (versions >= 1.1.0, <= 1.8.3) lets attacker-influenced object tokens smuggle a literal newline through quote(), turning the supposedly shell-safe output into multiple commands. The .op field of an object token was escaped character-by-character with /(.)/g, which in JavaScript does not match line terminators, so a newline survived unescaped and POSIX shells treat everything after it as a second command. Publicly available exploit code exists and a vendor patch (1.8.4) is released, though EPSS is low (0.05%) and SSVC marks current exploitation as none, indicating opportunity-but-not-yet-widespread risk.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary operating system commands by abusing improperly validated input. The flaw carries a critical CVSS 9.1 score with scope change, indicating successful exploitation can break out of the originating security context, though no public exploit identified at time of analysis.

Ubiquiti Command Injection Unifi Os Server
NVD VulDB
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV PATCH THREAT Act Now

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Ubiquiti Command Injection Unifi Os Server +30
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Command injection in KnpLabs Snappy PHP library (versions <= 1.7.0) allows attackers to execute arbitrary OS commands when the wkhtmltopdf/wkhtmltoimage binary path is attacker-influenced. An inverted is_executable() check around escapeshellarg() renders the safe branch dead code, causing the binary path to be concatenated unescaped into the shell command. Publicly available exploit code exists (vendor-published PoC in the advisory), but no public exploit identified at time of analysis in CISA KEV.

PHP Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Arbitrary command execution in Fission's builder component (pkg:go/github.com/fission/fission <= 1.22.0) allows any principal with create or update privileges on Environment CRDs to redirect the builder pod to execute any binary reachable via $PATH inside the builder image. The vulnerable call site at pkg/builder/builder.go:254 passes the unsanitized Environment.spec.builder.command value directly to exec.Command after a strings.Fields split, enabling attackers to specify paths such as /bin/sh -c '...' as the build command. No public exploit has been identified at time of analysis, but the patch is confirmed released in v1.23.0 and the exploit primitive requires only a single Kubernetes API write to trigger.

RCE Command Injection
NVD GitHub VulDB
EPSS 1% CVSS 8.4
HIGH PATCH This Week

Authenticated remote code execution affects Zoho ManageEngine ADSelfService Plus (before build 6525), DataSecurity Plus (before 6264), and RecoveryManager Plus (before 6313) on agent machines, stemming from a flaw in a bundled third-party dependency. An authenticated attacker with low privileges can inject commands (CWE-77) to execute arbitrary code on managed agent endpoints, with no public exploit identified at time of analysis.

RCE Zoho Command Injection
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.

Command Injection Freebsd
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS records by exploiting insufficient validation of DNS names received during AXFR (zone transfer) processing. The CVSS changed-scope indicator (S:C) reflects that the high-integrity impact extends beyond the vulnerable server itself to all downstream systems consuming the corrupted zone data, enabling a form of DNS record poisoning. No public exploit has been identified at time of analysis, and the high attack complexity (AC:H) constrains exploitation to adversaries with specific network positioning or control over a zone transfer source.

Command Injection Authoritative
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in Honeywell Control Network Module (CNM) versions 100.1 through 110.2 allows authenticated high-privilege attackers to inject arbitrary OS commands through the device's web interface using command delimiters. The flaw carries a CVSS 9.1 rating due to scope change and full CIA impact, and no public exploit identified at time of analysis, though the industrial-control context makes any RCE highly consequential. Honeywell has released a patch via its process.honeywell.com portal.

Honeywell RCE Command Injection
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Shell injection in Netatalk 3.1.0 through 4.4.2 allows a high-privileged local attacker to execute arbitrary OS commands by embedding shell metacharacters in a configured volume path value. The flaw (CWE-78) arises because volume path strings are passed to a shell interpreter without sanitization, meaning any actor with write access to Netatalk's volume configuration can achieve full command execution under the Netatalk process context. No public exploit code has been identified at time of analysis, and the vendor has released a fix in version 4.4.3.

Command Injection Suse
NVD
EPSS 0% CVSS 3.0
LOW Monitor

OS command injection in Netatalk 2.2.1 through 4.4.2 arises from a code path that invokes system() after a failed chdir() call, classified under CWE-78. Exploitation requires local access with high privileges and high attack complexity, and yields only low-integrity and low-availability impact with no confidentiality exposure, reflected in the CVSS score of 2.5. No public exploit code and no CISA KEV listing have been identified at time of analysis; a vendor-released fix is available in version 4.5.0.

Command Injection Netatalk
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Shell injection in Netatalk 3.1.4 through 4.4.2 allows authenticated remote attackers to execute arbitrary OS commands through a bitwise-OR logic flaw, achieving full confidentiality, integrity, and availability impact (CVSS 7.5). Netatalk is the open-source AFP (Apple Filing Protocol) server commonly deployed on Linux/BSD NAS appliances to share files with macOS clients. The flaw was fixed in version 4.4.3; no public exploit identified at time of analysis and the issue is not currently in CISA KEV.

Command Injection Suse
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local privilege escalation in HP Linux Imaging and Printing Software (HPLIP) allows authenticated low-privileged users to execute arbitrary OS commands via command injection, potentially gaining elevated privileges on affected Linux hosts. The CVSS 4.0 score of 8.5 reflects high impact to confidentiality, integrity, and availability with low attack complexity, and no public exploit identified at time of analysis. The vulnerability is reported directly by HP PSIRT under advisory hpsbpi04118.

HP RCE Command Injection +1
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Command injection in the BrowserBot component of Cisco ThousandEyes Enterprise Agent (CWE-78) allows authenticated SaaS users with transaction test management privileges to execute arbitrary OS commands inside the BrowserBot container as the unprivileged 'node' user. Exploitation requires valid ThousandEyes SaaS credentials and the ability to manage transaction tests, scoping the realistic threat primarily to insiders and compromised privileged accounts. Cisco has already deployed a remediation server-side; no customer action is required. No public exploit code or CISA KEV listing exists at time of analysis.

Cisco Command Injection
NVD
EPSS 2% CVSS 5.6
MEDIUM PATCH This Month

Command injection in shivammathur/setup-php (versions 2.25.0 through 2.37.0) allows an attacker who can influence repository files to execute arbitrary commands on a GitHub Actions runner when the action resolves the PHP version from attacker-controlled content. The risk is highest in privileged workflows using pull_request_target that check out untrusted PR code before invoking setup-php, potentially exposing repository secrets and CI/CD infrastructure. No public exploit code or KEV listing exists at time of analysis, but the attack is realistic in any project using this common CI action pattern with auto-merging or cross-repo workflows.

PHP Command Injection
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Command injection in Dell SmartFabric Storage Software versions prior to 1.4.5 enables a high-privileged local attacker to gain unauthorized read and write access to the underlying filesystem. Exploitation requires local system presence and high-level privileges, with the CVSS vector (AV:L/AC:H/PR:H) indicating a constrained threat surface despite the high confidentiality, integrity, and availability impact scores. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Dell Command Injection
NVD
EPSS 0% CVSS 6.8
MEDIUM Exploit Likely This Month

Windows security feature bypass, publicly dubbed 'YellowKey', exposes systems to full confidentiality, integrity, and availability compromise via command injection (CWE-77) requiring only physical access - no credentials or user interaction needed. A proof-of-concept was released publicly prior to patch availability, violating coordinated disclosure norms, which lowers the attacker skill bar significantly. No vendor-released patch exists at time of analysis; Microsoft has confirmed the issue and is preparing a security update.

Microsoft Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in CtrlPanel billing software (versions 1.1.1 and prior) allows attackers to execute arbitrary OS commands via the web-based installer endpoint, even on already-installed instances. The flaw combines a control-flow bug (install.lock gate runs after handler execution) with command injection through unsanitized user input passed into shell commands. The advisory reports active exploitation in the wild, though no CISA KEV listing is present in the supplied data.

PHP RCE Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent attackers to execute arbitrary OS commands by chaining two unprotected API endpoints. The Next.js authentication middleware in src/proxy.js uses a narrow route allowlist that excludes /api/cli-tools/* and /api/mcp/*, letting an attacker register an arbitrary command via POST /api/cli-tools/cowork-settings and then trigger spawn() via GET /api/mcp/[plugin]/sse. Publicly available exploit code exists (PoC published with the GHSA advisory), with CVSS 10.0 reflecting maximum severity across confidentiality, integrity, and availability.

Python Denial Of Service Docker +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Kopia backup server (≤ 0.22.3) allows unauthenticated attackers to run arbitrary OS commands as the Kopia process user via a single HTTP request to /api/v1/repo/exists when the server is launched with --without-password. Publicly available exploit code exists through the published GHSA advisory and PR diff; no public exploit identified at time of analysis as being weaponized in the wild, but the trivially exploitable vector (CVSS 9.8) and detailed write-up make weaponization straightforward. The bug stems from naive space-splitting of attacker-controlled sshArguments that is fed to exec.CommandContext("ssh"), letting an -oProxyCommand= token trigger $SHELL -c execution before any SSH transport is established.

SSH Command Injection
NVD GitHub
EPSS 1% CVSS 8.7
HIGH Act Now

In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.

Command Injection Scadabr
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Command injection in Panabit PAP-XM320 firmware up to and including V7.7 enables authenticated remote attackers with management interface access to execute arbitrary shell commands on the underlying OS. The web management interface passes user-controlled input to the backend helper /usr/sbin/pappiw, which processes arguments via eval - a classic CWE-78 pattern that causes attacker-supplied shell metacharacters to be interpreted as commands. No public exploit has been confirmed at time of analysis and this CVE is not listed in the CISA KEV catalog, though a researcher disclosure page is referenced.

Command Injection N A
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter.

Command Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote command execution in hitarth-gg Zenshin before 2.7.0 allows unauthenticated attackers to run arbitrary OS commands by sending a crafted url query parameter to the /stream-to-vlc Express route, which passed user input directly into a Node.js child_process.exec shell invocation. No public exploit identified at time of analysis, but a detailed write-up gist and the upstream fix commit publicly expose the vulnerable code path. EPSS is low (0.13%, 32nd percentile) but CVSS is 9.8 reflecting the trivial nature of the injection.

Command Injection N A
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

OS command injection in Dokploy self-hosted PaaS (versions <= 0.26.6) allows an authenticated low-privileged user to achieve server-level remote code execution by injecting shell metacharacters into the appName parameter when creating an application or database. The cleanAppName sanitizer only lowercases and strips spaces, leaving characters like ;, $(), backticks, |, and & to be passed directly into execAsync()/execAsyncRemote() shell interpolation when service lifecycle operations run. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV, but the GitHub commit diff publicly demonstrates the vulnerable code path.

Command Injection
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege code execution in jarrodwatts/claude-hud through version 0.0.12 on Windows allows authenticated local users to run arbitrary executables by setting the COMSPEC environment variable before the tool's version check, where execFile() launches whatever binary COMSPEC points to with cmd.exe-style arguments. The flaw is tracked as CWE-427 (Uncontrolled Search Path Element) and was reported by VulnCheck; no public exploit identified at time of analysis, but the upstream commit 234d9aa makes the fix mechanics straightforward to reverse-engineer.

RCE Microsoft Command Injection +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

OS command injection in the Arcane backend volume browser endpoint (all versions ≤ 1.18.1) allows any authenticated user - including non-admin roles - to execute arbitrary shell commands inside the per-volume helper container by supplying Bourne shell metacharacters such as `$()` in the `path` query parameter of `GET /environments/{id}/volumes/{volumeName}/browse`. The path sanitizer at `volume_service.go:1448-1467` blocks only `../` traversal and passes shell substitution sequences through unchanged; `strconv.Quote` wraps the path in Go-style double quotes, which POSIX `sh` still interprets as a command-substitutable string, causing the injected command to execute and its output to be reflected in the HTTP 500 error body. No vendor-released patch exists at time of analysis; publicly available exploit code is embedded in the GHSA advisory (GHSA-9mvm-4gwg-v8mp) and no confirmed active exploitation (CISA KEV) has been reported.

Docker Path Traversal Command Injection
NVD GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in Edimax BR-6428NS firmware v1.10 allows authenticated remote attackers to execute arbitrary system commands via the stadrv_ssid parameter in POST requests to /goform/formStaDrvSetup. Public exploit code is available (documented in VulDB and researcher's Notion page), enabling low-complexity attacks against networks where attackers have obtained low-privilege credentials. The vendor received early disclosure but provided no response, leaving no official patch timeline.

Command Injection Br 6428Ns
NVD VulDB
EPSS 1% CVSS 2.1
LOW POC Monitor

Command injection in Edimax BR-6228NC version 1.22 allows authenticated remote attackers to execute arbitrary OS commands by manipulating the 'command' parameter in POST requests to /goform/mp endpoint. Public exploit code exists, increasing exploitation risk despite requiring low-privilege authentication. EPSS data not available, but the presence of working exploit demonstrates confirmed weaponization. Vendor has not responded to disclosure and no patch has been announced.

Command Injection Br 6228Nc
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.

Command Injection
NVD GitHub VulDB
EPSS 1% CVSS 1.3
LOW POC Monitor

OS command injection in Vercel AI SDK versions up to 3.0.97 allows authenticated remote attackers with pull request creation privileges to execute arbitrary commands on CI/CD runners through malicious branch names. The vulnerability resides in the prettier-on-automerge GitHub Actions workflow, which insecurely interpolates PR branch names into shell commands. A public proof-of-concept exploit exists (disclosed via GitHub Gist), demonstrating feasibility despite CVSS 4.0 rating the complexity as high (AC:H) and exploitability as difficult. The vendor (Vercel) was notified but has not responded, and no patch availability is confirmed from vendor sources at time of analysis.

Command Injection Ai Vercel
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC Monitor

Remote command injection in Kodbox fileThumb plugin (versions up to 1.64) allows authenticated attackers to execute arbitrary system commands by manipulating the ffmpegBin parameter in video processing functions. Publicly available exploit code increases immediate risk. EPSS data not available, but CVSS temporal metrics indicate confirmed proof-of-concept exploitation (E:P). Vendor has not responded to disclosure, leaving patch status uncertain.

Command Injection PHP
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in AVideo streaming platform allows authenticated users with streaming privileges to execute arbitrary OS commands through shell metacharacter injection in the Live plugin. The vulnerability exists in the on_publish.php webhook endpoint which builds shell commands using unsafe string concatenation instead of proper escaping, allowing attackers to inject commands via specially crafted stream keys containing single quotes. While the CVSS indicates low privileges required (authenticated users with canStream permission), the impact is severe as it grants full web server user access.

Command Injection Apache Nginx +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.

Authentication Bypass PostgreSQL Privilege Escalation +2
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when users view attacker-controlled files containing ZMODEM protocol headers. The vulnerability exploits automatic ZMODEM detection that injects commands into the user's shell when displaying malicious content with common commands like 'cat'. Real-world risk is moderate (EPSS data not provided) as it requires local access and user interaction, but enables code execution without explicit user consent beyond viewing a file.

Command Injection RCE Tabby
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in Tabby terminal emulator versions prior to 1.0.233 allows unauthenticated attackers to execute arbitrary OS commands via malicious tabby:// URL scheme links. When users click a crafted link containing tabby://run?command=..., Tabby spawns the specified command with full user privileges without any confirmation or sanitization. The vulnerability carries a CVSS 9.4 score due to network vector and high impact across all security dimensions.

Command Injection Tabby
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Command injection in the Turborepo LSP VS Code extension before version 2.9.14000 allows arbitrary code execution when opening malicious workspaces. The vulnerability stems from unsafe string interpolation in shell commands, enabling attackers to inject commands through workspace settings or task names that execute with the user's VS Code process privileges. The CVSS 4.0 score of 8.4 indicates high severity with local access and user interaction required.

Command Injection Turborepo Vercel
NVD GitHub VulDB
EPSS 0% CVSS 3.6
LOW PATCH Monitor

Command injection in Vim 9.x text editor allows local attackers to execute arbitrary shell commands when a user opens specially crafted .tgz archive filenames. The vulnerability exploits insufficient sanitization in the tar#Vimuntar() function's shellescape() call, enabling cmdline-special character expansion. Exploitation requires user interaction (opening the malicious archive) and high attack complexity (filename manipulation), limiting real-world risk despite the command injection class. Fixed in version 9.2.0479 via GitHub commit 3fb5e58f. No evidence of active exploitation or public POC beyond the vendor's test case.

Command Injection Vim
NVD GitHub VulDB
EPSS 1% CVSS 7.3
HIGH This Week

Command injection in Oinone Pamirs 7.0.0 allows remote unauthenticated attackers to execute arbitrary OS commands through the CommandHelper.executeCommands method. The vulnerability stems from unsanitized command strings being passed directly to a shell process's standard input. With an EPSS score indicating moderate exploitation likelihood and SSVC assessment showing automatable attacks with total technical impact, this represents a significant risk despite no current KEV listing or confirmed active exploitation.

Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in DHTMLX PDF Export Module (used by Gantt and Scheduler) allows unauthenticated attackers to inject malicious JavaScript into unsanitized 'data' parameter, achieving arbitrary code execution on Node.js backend servers. Critical vulnerability (CVSS 4.0: 10.0) with complete system compromise potential affecting server confidentiality, integrity, and availability. Vendor-released patch available in version 0.7.6. No confirmed active exploitation (not in CISA KEV), but command injection via web-accessible APIs typically sees rapid weaponization once disclosed.

Command Injection RCE Node.js
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Command injection in Delphix Continuous Data database connectors allows authenticated attackers with low-privilege network access to execute arbitrary operating system commands on staging or target hosts. The vulnerability affects multiple database connector types (IBM DB2, MongoDB, PostgreSQL, MySQL, Oracle EBS, SAP HANA, CockroachDB, Couchbase, Cassandra, YugabyteDB) due to improper input validation (CWE-78). Network-based exploitation with low complexity (AV:N/AC:L) requires authentication (PR:L) but no user interaction, resulting in complete compromise of confidentiality, integrity, and availability on affected connector hosts. Vendor Perforce has published an advisory; no CISA KEV listing or public exploit identified at time of analysis.

Command Injection Ibm Db2 Connector Mangodb Connector +11
NVD VulDB
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.

Python Microsoft Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in HRConvert2 self-hosted file conversion server allows unauthenticated attackers to execute arbitrary commands via shell metacharacters in filenames. The sanitizeString() function in convertCore.php fails to filter backticks and tab characters before passing user input to shell_exec(), enabling command injection that executes in the web server context (www-data). According to the vendor, exploitation can achieve complete server takeover through two methods: backtick-based command injection or tab-based file dropping. Fixed in version 3.3.8 released May 2026. EPSS data unavailable; no confirmed active exploitation (not in CISA KEV), but the vendor confirms the vulnerability is exploitable and rates severity as critical.

PHP Command Injection
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in mdserver-web Linux panel versions 0.18.0 through 0.18.4 allows unauthenticated remote attackers to execute arbitrary system commands by exploiting unprotected scheduled task management endpoints. Attackers can modify built-in cron jobs via the /modify_crond interface and trigger execution through /start_task without any authentication, achieving complete system compromise. No public exploit code or active exploitation confirmed at time of analysis, though the attack complexity is rated low with network-based access vector.

Command Injection Mdserver Web
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Command injection in @apostrophecms/cli apos create command allows arbitrary command execution when a user supplies specially crafted input during the interactive password prompt. The vulnerability exists in lib/commands/create.js line 186, where user-supplied password input is passed directly into a shell exec() call without sanitization or escaping, enabling attackers to inject shell metacharacters (;, &&, $()) to execute arbitrary commands with the privileges of the user running the CLI. Exploitation requires user interaction (UI:R) and high privilege context (PR:H), but publicly available proof-of-concept demonstrates successful arbitrary code execution on Ubuntu systems with Node.js.

Command Injection Ubuntu Privilege Escalation +2
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OS command injection in Fleet's software installer pipeline allows arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when a specially crafted software package is uninstalled. The vulnerability exists because package metadata fields are not sanitized before being incorporated into auto-generated uninstall scripts. An attacker with the ability to upload packages to Fleet can exploit this by embedding malicious commands in package metadata fields, resulting in code execution with elevated privileges when endpoints execute the uninstall operation. Patch version 4.81.1 available.

Microsoft Apple Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Command injection in CFEngine Enterprise and Community editions before versions 3.21.8, 3.24.3, and 3.27.0 enables remote unauthenticated attackers to execute arbitrary commands on the system. The vulnerability has an EPSS score of 0.15% indicating relatively low exploitation probability, and no public exploit identified at time of analysis. SSVC framework rates this as automatable with total technical impact, suggesting high potential severity if exploited.

Command Injection
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Web::Passwd 0.03 and earlier allows unauthenticated network attackers to execute arbitrary system commands with web server privileges via command injection in the user parameter. The CVSS vector indicates network-accessible, low-complexity exploitation requiring no authentication or user interaction. EPSS score is low (0.04%, 12th percentile), suggesting limited real-world exploitation observed to date. No active exploitation confirmed by CISA KEV at time of analysis, though publicly available exploit code exists per oss-security disclosure.

Command Injection Web
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authenticated remote code execution in OPNsense firewall versions prior to 26.1.8 allows a user with user-management privileges to execute arbitrary commands as root by smuggling shell payloads inside an email-address-formatted field processed by the local user synchronization script. Publicly available exploit code exists per SSVC, though EPSS scoring (0.13%) indicates low predicted mass exploitation; SSVC classifies technical impact as total but automation as no. No active exploitation has been confirmed in CISA KEV at time of analysis.

PHP RCE Command Injection +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS allow an authenticated administrator to escape system restrictions and execute arbitrary commands with root-level privileges on affected firewalls and Panorama management platforms. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series appliances) across PAN-OS versions 10.2, 11.1, 11.2, and 12.1. An attacker who already holds administrative credentials and can reach the CLI or Web UI can leverage these flaws to fully compromise the underlying OS. No public exploit code exists and no KEV listing is present at time of analysis, consistent with the very low EPSS score of 0.08% (24th percentile).

Paloalto Command Injection Cloud Ngfw +2
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Command injection in U-SPEED AC1200 Gigabit Wi-Fi Router (Model T18-21K) V1.0 allows authenticated administrators to execute arbitrary system commands with elevated privileges through the Network Time Protocol (NTP) configuration interface. The vulnerability stems from insufficient input sanitization in NTP settings fields, enabling full system compromise. CVSS score of 7.2 reflects high impact across confidentiality, integrity, and availability. Public proof-of-concept code exists via GitHub repository (N0tMilk/vulnerability-research), though no active exploitation has been confirmed via CISA KEV at time of analysis. EPSS data not available for risk probability assessment.

Command Injection T18 21K Firmware
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL Act Now

Stored cross-site scripting in SiYuan's Bazaar marketplace (versions ≤ 3.6.5) escalates to arbitrary OS command execution on the Electron desktop client because the kernel sanitizer in kernel/bazaar/package.go HTML-escapes only Author, DisplayName, and Description while passing Name and Version straight to innerHTML sinks. Any attacker who can publish a plugin/theme/template/widget/icon manifest to the public Bazaar - or otherwise drop a malicious plugin.json into the workspace - triggers zero-click code execution the moment a victim opens Settings → Marketplace → Downloaded → Plugins. A detailed POC against b3log/siyuan:v3.6.5 is published in the GHSA advisory; publicly available exploit code exists, though EPSS remains low at 0.04%.

XSS Command Injection Canonical +2
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Command injection in uniget (gitlab.com/uniget-org/cli) before v0.27.1 enables arbitrary shell command execution when the CLI processes attacker-controlled tool metadata. The `check` field from JSON metadata is concatenated into a `/bin/bash -c` invocation by `RunVersionCheck()` in tool.go, so common operations like `describe`, `install`, `update`, or `inspect` trigger execution under the invoking user's privileges. Publicly available exploit code exists (vendor PoC in GHSA-qqq4-5773-pmw5); EPSS is low at 0.03% (10th percentile) and the issue is not in CISA KEV.

Docker RCE Command Injection
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. A working injection payload is publicly available exploit code (published in the GHSA advisory and the T6/T7 regression tests); the issue is not listed in CISA KEV and no EPSS score was provided.

Python Node.js Command Injection +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Command injection in Node.js systeminformation library (versions 4.17.0 through 5.31.5) allows local authenticated attackers with NetworkManager configuration rights to execute arbitrary shell commands when networkInterfaces() is called on Linux systems. The vulnerability stems from unsanitized NetworkManager connection profile names being interpolated into three shell command strings executed via execSync(). While the library sanitizes network interface names, it fails to apply equivalent sanitization to connection profile names parsed from nmcli output. The vendor has released patch version 5.31.6. CVSS score of 7.8 (High) reflects local attack vector requiring low privileges, but successful exploitation grants full process privileges-critical when the calling application runs with elevated rights, as is common in monitoring agents, inventory tools, and system management dashboards.

Node.js Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote command execution in Lenovo Personal Cloud Storage devices (T1, T2, T2S, T2Pro, X1, X1S, A1, A1S, and Home Storage Hub T20/X20) allows authenticated users on the local network to execute arbitrary commands via OS command injection (CWE-78). The CVSS v4.0 score of 8.7 reflects complete system compromise potential (VC:H/VI:H/VA:H) through network attack with low complexity but requiring low-privilege authentication (AV:N/AC:L/PR:L). No evidence of active exploitation (not in CISA KEV) or public exploit code identified at time of analysis. Lenovo has issued advisories including end-of-life notices for certain models (T1), indicating some affected products may not receive patches.

Command Injection Lenovo
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Remote command injection in F5 BIG-IP Appliance mode allows high-privilege authenticated attackers to execute arbitrary OS commands through an undisclosed iControl REST endpoint, crossing security boundaries between management and administrative contexts. CVSS 8.7 with scope change (S:C) indicates container escape or privilege domain breach. F5 has released vendor patches per advisory K000160857. No public exploit code or CISA KEV listing identified at time of analysis, limiting immediate mass-exploitation risk despite network attack vector.

Command Injection Big Ip
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrator users to elevate privileges through configuration object manipulation. The command injection flaw (CWE-77) enables attackers with existing high-privilege access to gain administrative control over the BIG-IP system. CVSS score of 8.7 reflects high impact due to scope change (compromising beyond the vulnerable component), though exploitation requires existing Resource Administrator credentials (PR:H). EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation.

Privilege Escalation Command Injection Big Ip
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Command injection in F5 BIG-IP and BIG-IQ SNMP configuration allows highly privileged Resource Administrators to escalate privileges to root via crafted iControl REST API calls or TMOS shell commands. Despite the high CVSS score (8.7), exploitation requires existing Resource Administrator credentials, significantly limiting real-world attack surface to insider threats or post-compromise scenarios. Vendor-released patches are available per F5 security advisory K000160981.

Privilege Escalation Command Injection Big Ip +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators or Administrators to execute arbitrary OS commands by creating malicious SNMP configuration objects via the legacy iControl SOAP API. Attackers with high-level administrative credentials can break out of their role constraints to gain full system control. F5 has released patches addressing this command injection flaw (CWE-78). No active exploitation confirmed at time of analysis, but the CVSS:3.1 Changed Scope indicator and attack complexity of Low make this exploitable by any administrator with SOAP API access.

Privilege Escalation Command Injection Big Ip
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Authenticated attackers with Resource Administrator or Administrator role can execute arbitrary system commands via undisclosed iControl REST or BIG-IP TMOS Shell (tmsh) commands, potentially escalating privileges and crossing security boundaries in Appliance mode deployments. CVSS 6.5 reflects high privileges required (PR:H) but high confidentiality and integrity impact. No public exploit code identified at time of analysis.

Command Injection Big Ip
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

OS command injection in ELECOM wireless LAN access points (WRC-BE72XSD, WRC-BE65QSD, WRC-W702 series) allows unauthenticated remote attackers to execute arbitrary system commands via crafted username parameter without authentication. The vulnerability affects multiple enterprise and consumer access point models running firmware v1.1.0-1.1.1, with public disclosure by JPCERT/CC and vendor advisory available from ELECOM. CVSS 4.0 score of 9.3 reflects critical severity with network attack vector, low complexity, and no privilege requirements, enabling complete system compromise of affected wireless infrastructure devices.

Command Injection Wrc Be72Xsd B Wrc Be72Xsd Ba +2
NVD
Prev Page 6 of 87 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
7743

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy