CWE-78: OS Command Injection — known CVE vulnerabilities
CVEs classified under CWE-78 (OS Command Injection), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-56004 — CVSS 10.0 (critical): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to…
CVE-2026-56415 — CVSS 10.0 (critical): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without…
CVE-2026-56413 — CVSS 10.0 (critical): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by…
CVE-2026-49869 — CVSS 10.0 (critical): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses…
CVE-2026-49261 — CVSS 10.0 (critical): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through…
CVE-2026-34234 — CVSS 10.0 (critical): CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer…
CVE-2026-41553 — CVSS 10.0 (critical): PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter…
CVE-2026-30302 — CVSS 10.0 (critical): The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security…
CVE-2026-33478 — CVSS 10.0 (critical): WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin…
CVE-2026-28409 — CVSS 10.0 (critical): WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in…
CVE-2021-35402 — CVSS 10.0 (critical): PROLiNK PRC2402M 20190909 before 2021-06-13 allows live_api.cgi?page=satellite_list OS command injection via shell metacharacters in the ip…
CVE-2024-58338 — CVSS 10.0 (critical): Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through…
CVE-2025-64128 — CVSS 10.0 (critical): An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient…
CVE-2025-64127 — CVSS 10.0 (critical): An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters…
CVE-2025-64126 — CVSS 10.0 (critical): An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input…
CVE-2025-10230 — CVSS 10.0 (critical): A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without…
CVE-2018-25118: GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via…
CVE-2025-9588 — CVSS 10.0 (critical): Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Iron Mountain Archiving…
CVE-2009-20011: ContentKeeper Web Appliance (now maintained by Impero Software) versions prior to 125.10 are vulnerable to remote command execution due to…
CVE-2025-34160: AnyShare contains a critical unauthenticated remote code execution vulnerability in the ServiceAgent API exposed on port 10250. The…
CVE-2024-13985: A command injection vulnerability in Dahua EIMS versions prior to 2240008 allows unauthenticated remote attackers to execute arbitrary…
CVE-2011-10017: Snort Report versions < 1.3.2 contains a remote command execution vulnerability in the nmap.php and nbtscan.php scripts. These scripts fail…
CVE-2014-125124: An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web…
CVE-2025-5243 — CVSS 10.0 (critical): Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')…
CVE-2025-34112: An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual…
CVE-2025-3499 — CVSS 10.0 (critical): The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS…
CVE-2025-34073: An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute…
CVE-2025-34054: An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without…
CVE-2025-34041: An OS command injection vulnerability exists in the Chinese versions of Sangfor Endpoint Detection and Response (EDR) management platform…
CVE-2025-34037: An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi…
CVE-2025-34030: An OS command injection vulnerability exists in sar2html version 3.2.2 and prior via the plot parameter in index.php. The application fails…
CVE-2025-26389 — CVSS 10.0 (critical): A vulnerability has been identified in OZW672 (All versions < V8.0), OZW772 (All versions < V8.0). The web service in affected devices does…
CVE-2021-47667 — CVSS 10.0 (critical): An OS command injection vulnerability in lib/NSSDropoff.php in ZendTo 5.24-3 through 6.x before 6.10-7 allows unauthenticated remote…
CVE-2025-2071: A critical OS Command Injection vulnerability has been identified in the FAST LTA Silent Brick WebUI, allowing remote attackers to execute…
CVE-2025-27364 — CVSS 10.0 (critical): In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent…
CVE-2024-52034 — CVSS 10.0 (critical): An OS Command Injection vulnerability exists within myPRO Manager. A parameter within a command can be exploited by an unauthenticated…
CVE-2024-47407 — CVSS 10.0 (critical): A parameter within a command does not properly validate input within myPRO Manager which could be exploited by an unauthenticated remote…
CVE-2024-51568 — CVSS 10.0 (critical): CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There…
CVE-2024-47901 — CVSS 10.0 (critical): A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All…
CVE-2023-3939 — CVSS 10.0 (critical): Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in ZkTeco-based OEM devices allows…
CVE-2024-24576 — CVSS 10.0 (critical): Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not…
CVE-2024-2389 — CVSS 10.0 (critical): In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An…
CVE-2024-30247 — CVSS 10.0 (critical): NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection…
CVE-2024-23109 — CVSS 10.0 (critical): An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to…