CWE-77: Command Injection
The product constructs all or part of a command using externally-influenced input, but does not neutralize special elements that could modify the intended command.
All Command Injection CVEs (1,157)
This vulnerability allows unauthenticated attackers to execute arbitrary commands on affected NETGEAR WiFi systems. It affects RBK852, RBR850, and RBS...
Oct 9, 2020

This vulnerability allows unauthenticated attackers to execute arbitrary commands on NETGEAR R8300 routers by exploiting a command injection flaw. Att...
Sep 1, 2020

CVE-2025-46816 is a critical command injection vulnerability in goshs (SimpleHTTPServer written in Go) that allows unauthenticated remote attackers to...
May 6, 2025

CVE-2020-28435 is a command injection vulnerability in the ffmpeg-sdk npm package that allows attackers to execute arbitrary commands on affected syst...
Jul 25, 2022

This command injection vulnerability in Copilot allows unauthorized attackers to execute arbitrary commands on affected systems, potentially leading t...
Oct 9, 2025

This command injection vulnerability in Copilot allows unauthorized local attackers to execute arbitrary commands, potentially leading to information ...
Oct 9, 2025

CVE-2024-23346 is a critical remote code execution vulnerability in Pymatgen's JonesFaithfulTransformation.from_transformation_str() method that uses ...
Feb 21, 2024

This vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail ...
Jan 8, 2026

CVE-2025-67397 is a command injection vulnerability in Passy v1.6.3 that allows authenticated remote attackers to execute arbitrary commands on affect...
Jan 5, 2026

This vulnerability in tj-actions/branch-names GitHub Action allows arbitrary command execution in downstream workflows due to improper input sanitizat...
Jul 26, 2025

This vulnerability allows authenticated attackers to execute arbitrary commands as root on Ruckus Unleashed wireless controllers by exploiting insuffi...
Jul 21, 2025

A command injection vulnerability in gluestack-ui's GitHub Actions workflow allowed attackers to execute arbitrary shell commands on the Actions runne...
Jul 1, 2025

CVE-2024-54794 is a command injection vulnerability in SpagoBI 3.5.1 that allows attackers to execute arbitrary code through the script input feature....
Jan 21, 2025

This vulnerability in IBM Sterling Secure Proxy allows privileged users to execute arbitrary operating system commands through improper input validati...
Jan 19, 2025

This CVE describes multiple OS command injection vulnerabilities in the Wavlink AC3000 router's web interface. Authenticated attackers can execute arb...
Jan 14, 2025

This CVE describes multiple OS command injection vulnerabilities in the Wavlink AC3000 router's internet.cgi functionality. An authenticated attacker ...
Jan 14, 2025

This CVE describes multiple OS command injection vulnerabilities in Wavlink AC3000 routers that allow authenticated attackers to execute arbitrary com...
Jan 14, 2025

This vulnerability allows authenticated attackers to execute arbitrary operating system commands on Wavlink AC3000 routers through the nas.cgi interfa...
Jan 14, 2025

This CVE describes an authenticated OS command injection vulnerability in the Wavlink AC3000 router's firewall.cgi functionality. Attackers with valid...
Jan 14, 2025

This vulnerability allows authenticated remote attackers to execute arbitrary operating system commands on Kasda LinkSmart Router KW5515 devices via C...
Nov 20, 2024

This CVE describes multiple OS command injection vulnerabilities in Kasda LinkSmart Router KW6512 firmware. Authenticated remote attackers can execute...
Nov 20, 2024

A prompt injection vulnerability in Netangular Technologies ChatNet AI v1.0 allows attackers to bypass chat restrictions and exfiltrate all chat data,...
Oct 24, 2024

A command injection vulnerability in Vilo 5 Mesh WiFi System allows authenticated attackers to execute arbitrary shell commands by injecting them into...
Oct 21, 2024

This vulnerability allows remote attackers to execute arbitrary commands on FlashArray and FlashBlade Purity storage systems by sending specially craf...
Sep 23, 2024

This vulnerability allows authenticated remote attackers to execute arbitrary operating system commands on Vonets industrial WiFi bridge devices. Atta...
Aug 12, 2024

This vulnerability allows remote attackers to execute arbitrary commands on TRENDnet TEW-814DAP wireless access points by injecting malicious commands...
Jun 14, 2024

This CVE describes a command injection vulnerability in the Dextaz Ping WordPress plugin that allows attackers to execute arbitrary commands on the se...
Jun 4, 2024

CVE-2024-32025 is a command injection vulnerability in Kohya_ss's group_images_gui.py that allows attackers to execute arbitrary commands on the syste...
Apr 16, 2024

CVE-2024-32027 is a command injection vulnerability in Kohya_ss GUI for Stable Diffusion trainers. Attackers can execute arbitrary commands on affecte...
Apr 16, 2024

CVE-2024-32022 is a command injection vulnerability in Kohya_ss, a GUI for Stable Diffusion trainers. Attackers can execute arbitrary commands on affe...
Apr 16, 2024

This is a command injection vulnerability in Ivanti Connect Secure and Policy Secure gateways that allows authenticated administrators to execute arbi...
Jan 12, 2024

This vulnerability allows authenticated privileged remote attackers to execute arbitrary code with root privileges on affected RUGGEDCOM ROX devices. ...
Jul 11, 2023

This vulnerability allows authenticated privileged remote attackers to execute arbitrary code with root privileges on affected RUGGEDCOM ROX devices. ...
Jul 11, 2023

This vulnerability allows authenticated privileged remote attackers to execute arbitrary code with root privileges on affected Siemens RUGGEDCOM ROX d...
Jul 11, 2023

This vulnerability allows authenticated attackers to create alerts that trigger stored cross-site scripting (XSS) attacks, which can lead to remote co...
Jul 10, 2023

This vulnerability allows authenticated UniFi application administrators to execute arbitrary commands on the host system during backup restoration. I...
Jul 1, 2023

This command injection vulnerability in Trend Micro ServerProtect for Linux 3.0 allows authenticated attackers with admin/root console access to execu...
Sep 15, 2020

This vulnerability allows a Backup Administrator with legitimate credentials to execute arbitrary code as the postgres user by sending a malicious pas...
Jan 8, 2026

This vulnerability allows authenticated Backup Operators to execute arbitrary code as the postgres user by sending malicious interval or order paramet...
Jan 8, 2026

This CVE describes a remote code execution vulnerability in the parisneo/lollms-webui application. Attackers can exploit insufficient path sanitizatio...
May 16, 2024

CVE-2024-29385 is an unauthenticated remote code execution vulnerability in D-Link DIR-845L routers. Attackers can exploit the soapcgi_main function i...
Mar 22, 2024

This CVE describes an OS command injection vulnerability in multiple QNAP operating system versions that allows authenticated users to execute arbitra...
Feb 2, 2024

A command injection vulnerability in the Motorola MR2600 router's 'SaveStaticRouteIPv6Params' parameter allows authenticated remote attackers to execu...
Jan 26, 2024

A command injection vulnerability in the Motorola MR2600 router's SaveSysLogParams parameter allows authenticated remote attackers to execute arbitrar...
Jan 26, 2024

This OS command injection vulnerability in QNAP operating systems allows attackers to execute arbitrary commands on affected devices via network reque...
Nov 3, 2023

CVE-2026-21516 is a command injection vulnerability in GitHub Copilot that allows unauthorized attackers to execute arbitrary code over a network. Thi...
Feb 10, 2026

Super-linter GitHub Action versions 6.0.0 to 8.3.0 are vulnerable to command injection via specially crafted filenames containing shell command substi...
Feb 9, 2026

OpenProject versions before 16.6.6 and 17.0.2 have a command injection vulnerability that allows authenticated users with repository browsing permissi...
Jan 28, 2026

This CVE describes a remote command injection vulnerability in Sangfor Operation and Maintenance Management System's SSH Protocol Handler. Attackers c...
Jan 22, 2026

This vulnerability allows attackers within Wi-Fi range to execute arbitrary code on affected Ubiquiti airMAX devices by exploiting a flaw in the wirel...
Jan 8, 2026

About Command Injection (CWE-77)
Our database tracks 1,157 CVEs classified as CWE-77, with 445 rated critical and 490 rated high severity. The average CVSS score for Command Injection vulnerabilities is 8.3.
External reference: View CWE-77 on MITRE CWE →