CWE-77 · Command Injection

3577 CVEs classified under CWE-77 (Command Injection). Browse by severity and year.

Top CVEs for CWE-77
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-23652 | Critical | 10.0 | 2026-05-22 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code ov… |
| CVE-2025-59818 | Critical | 10.0 | 2026-02-04 | This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file. |
| CVE-2025-64093 | Critical | 10.0 | 2026-01-09 | Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device. |
| CVE-2025-64090 | Critical | 10.0 | 2026-01-09 | This vulnerability allows authenticated attackers to execute commands via the hostname of the device. |
| CVE-2025-61492 | Critical | 10.0 | 2026-01-07 | A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted… |
| CVE-2025-10035 | Critical | 10.0 | 2025-09-18 | A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deseriali… |
| CVE-2024-48841 | Critical | 10.0 | 2025-01-27 | Network access can be used to execute arbitrary code with elevated privileges. This issue affects FLXEON 9.3.4 and older. |
| CVE-2024-39761 | Critical | 10.0 | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTT… |
| CVE-2024-39760 | Critical | 10.0 | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTT… |
| CVE-2024-39759 | Critical | 10.0 | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTT… |
| CVE-2024-34166 | Critical | 10.0 | 2025-01-14 | An os command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted… |
| CVE-2024-20418 | Critical | 10.0 | 2024-11-06 | A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Po… |
| CVE-2024-45066 | Critical | 10.0 | 2024-09-25 | A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands. |
| CVE-2024-43693 | Critical | 10.0 | 2024-09-25 | A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu can allow a remote attacker to inject arbitrary commands. |
| CVE-2024-29895 | Critical | 10.0 | 2024-05-14 | Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated u… |
| CVE-2024-32766 | Critical | 10.0 | 2024-04-26 | An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to… |
| CVE-2024-3400 | Critical | 10.0 | 2024-04-12 | A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS… |
| CVE-2024-28354 | Critical | 10.0 | 2024-03-15 | There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post reque… |
| CVE-2021-26729 | Critical | 10.0 | 2022-10-24 | Command injection and multiple stack-based buffer overflows vulnerabilities in the Login_handler_func function of spx_restservice allow an attacker to execute… |
| CVE-2021-26728 | Critical | 10.0 | 2022-10-24 | Command injection and stack-based buffer overflow vulnerabilities in the KillDupUsr_func function of spx_restservice allow an attacker to execute arbitrary cod… |