CWE-78: OS Command Injection
The product constructs all or part of an OS command using externally-influenced input, but does not neutralize special elements that could modify the intended OS command.
All OS Command Injection CVEs (1,726)
This vulnerability allows authenticated attackers with admin console access to execute arbitrary operating system commands on Magento servers via the ... (Feb 11, 2021)
This CVE-2020-14324 is an authenticated OS command injection vulnerability in Red Hat CloudForms that allows attackers to execute arbitrary commands o... (Aug 11, 2020)
CVE-2026-23520 is a command injection vulnerability in Arcane's docker management platform that allows authenticated users to execute arbitrary shell ... (Jan 15, 2026)
This CVE describes an OS command injection vulnerability in the Station Launcher App of the 3DEXPERIENCE platform. Attackers can execute arbitrary cod... (Oct 13, 2025)
CVE-2025-48703 allows unauthenticated attackers to execute arbitrary commands on CWP (Control Web Panel) servers by injecting shell metacharacters int... (Sep 19, 2025)
This vulnerability allows remote command injection in a web application, enabling attackers to execute arbitrary operating system commands with web se... (Jul 21, 2025)
This CVE allows remote attackers to execute arbitrary operating system commands on servers running vulnerable versions of the VideoWhisper Live Stream... (Apr 3, 2024)
FreeScout versions before 1.8.128 contain an OS command injection vulnerability in the tools.php file that allows authenticated attackers with the App... (Mar 22, 2024)
This OS command injection vulnerability in Brivo ACS100 and ACS300 access control systems allows attackers to execute arbitrary commands on the device... (Feb 19, 2024)
This vulnerability allows authenticated attackers on the same network segment as CoreTec 4 systems to execute arbitrary shell commands through the web... (Jun 28, 2023)
This vulnerability in Nextcloud server allows non-admin users to create workflows that should be restricted to administrators. Since some workflows ca... (Mar 30, 2023)
CVE-2021-23732 is a command injection vulnerability in docker-cli-js package that allows attackers to execute arbitrary operating system commands on t... (Nov 22, 2021)
This CVE describes a command injection vulnerability in Binardat 10G08-0800GSM network switch firmware that allows authenticated attackers to execute ... (Feb 24, 2026)
This vulnerability allows arbitrary command injection in yt-dlp when using the --netrc-cmd option with maliciously crafted URLs. Attackers can execute... (Feb 24, 2026)
This CVE describes an OS command injection vulnerability in TOTOLINK X6000R routers. Authenticated attackers can execute arbitrary shell commands by e... (Feb 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary commands on Nagios Host installations through command injection in the m... (Feb 20, 2026)
OpenClaw versions 2026.1.8 through 2026.2.13 have a command injection vulnerability in a developer script that processes git commit metadata. When mai... (Feb 19, 2026)
This CVE describes a command injection vulnerability in Tenable Security Center that allows authenticated remote attackers to execute arbitrary comman... (Feb 17, 2026)
This vulnerability in Datart v1.0.0-rc.3 allows attackers to execute arbitrary code on the server by manipulating the JDBC configuration URL parameter... (Feb 17, 2026)
FileZen contains an OS command injection vulnerability that allows authenticated users to execute arbitrary operating system commands when the virus c... (Feb 13, 2026)
This vulnerability allows authenticated users of Pacom Unison Client 5.13.1 to inject malicious scripts into Report Templates. When specific script co... (Feb 11, 2026)
This CVE describes an OS command injection vulnerability in Tenda G300-F router firmware that allows remote attackers to execute arbitrary commands on... (Feb 7, 2026)
OpenSTAManager versions 2.9.8 and earlier contain a critical OS command injection vulnerability in the P7M file decoding functionality. Authenticated ... (Feb 6, 2026)
This CVE describes a remote code execution vulnerability in Group-Office where an authenticated attacker can execute arbitrary system commands on the ... (Feb 4, 2026)
CVE-2026-24887 is a command injection vulnerability in Claude Code that allows bypassing confirmation prompts to execute arbitrary commands via the fi... (Feb 3, 2026)
OpenClaw (formerly Clawdbot) versions prior to 2026.1.29 contain a command injection vulnerability in the Docker sandbox execution mechanism. Authenti... (Feb 2, 2026)
CVE-2026-24788 is an OS command injection vulnerability in RaspAP raspap-webgui that allows authenticated users to execute arbitrary commands on the u... (Feb 2, 2026)
CVE-2020-37032 is a remote code execution vulnerability in Wing FTP Server's Lua-based web console that allows authenticated attackers to execute arbi... (Jan 30, 2026)
CVE-2026-1428 is an OS command injection vulnerability in WellChoose's Single Sign-On Portal System that allows authenticated remote attackers to exec... (Jan 26, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary operating system commands on servers running WellChoose's Single Sign-On... (Jan 26, 2026)
CVE-2021-47903 is an authenticated command injection vulnerability in LiteSpeed Web Server Enterprise that allows authenticated administrators to exec... (Jan 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary system commands on ALGO 8180 IP Audio Alerter devices through the web in... (Jan 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary system commands on ALGO 8180 IP Audio Alerter devices through command in... (Jan 23, 2026)
CVE-2026-0785 is a command injection vulnerability in ALGO 8180 IP Audio Alerter devices that allows authenticated remote attackers to execute arbitra... (Jan 23, 2026)
CVE-2026-0786 is a command injection vulnerability in ALGO 8180 IP Audio Alerter devices that allows authenticated remote attackers to execute arbitra... (Jan 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary system commands on ALGO 8180 IP Audio Alerter devices via command inject... (Jan 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary system commands on ALGO 8180 IP Audio Alerter devices through the web in... (Jan 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary system commands on ALGO 8180 IP Audio Alerter devices through the web in... (Jan 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary system commands on ALGO 8180 IP Audio Alerter devices through the web in... (Jan 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary system commands on ALGO 8180 IP Audio Alerter devices through the web in... (Jan 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary system commands on ALGO 8180 IP Audio Alerter devices via command inject... (Jan 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary system commands on Open WebUI installations. Attackers can inject malici... (Jan 23, 2026)
This vulnerability allows remote attackers to execute arbitrary commands on systems running vulnerable versions of MCP Manager for Claude Desktop. Att... (Jan 23, 2026)
Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system co... (Jan 16, 2026)
An OS command injection vulnerability in TOA Corporation TRIFORA 3 series network cameras allows authenticated users with monitoring privileges or hig... (Jan 16, 2026)
Merit LILIN IP cameras have an OS command injection vulnerability that allows authenticated remote attackers to execute arbitrary commands on the devi... (Jan 12, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary operating system commands on affected Merit LILIN DVR/NVR devices. Attac... (Jan 12, 2026)
This vulnerability allows low-privileged users in Coolify to inject malicious Docker Compose directives during project creation or updates. By mountin... (Jan 5, 2026)
This OS command injection vulnerability in Nuvation Energy Multi-Stack Controller allows attackers to execute arbitrary operating system commands on a... (Jan 3, 2026)
This OS command injection vulnerability in Nuvation Energy Multi-Stack Controller allows attackers to execute arbitrary operating system commands on a... (Jan 2, 2026)
About OS Command Injection (CWE-78)
Our database tracks 1,726 CVEs classified as CWE-78, with 662 rated critical and 894 rated high severity. The average CVSS score for OS Command Injection vulnerabilities is 8.6.
External reference: View CWE-78 on MITRE CWE →