CWE-77 · Command Injection
3577 CVEs classified under CWE-77 (Command Injection). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-23652 | Critical | 10.0 | 2026-05-22 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code ov… |
| CVE-2025-59818 | Critical | 10.0 | 2026-02-04 | This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file. |
| CVE-2025-64093 | Critical | 10.0 | 2026-01-09 | Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device. |
| CVE-2025-64090 | Critical | 10.0 | 2026-01-09 | This vulnerability allows authenticated attackers to execute commands via the hostname of the device. |
| CVE-2025-61492 | Critical | 10.0 | 2026-01-07 | A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted… |
| CVE-2025-10035 | Critical | 10.0 | 2025-09-18 | A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deseriali… |
| CVE-2024-48841 | Critical | 10.0 | 2025-01-27 | Network access can be used to execute arbitrary code with elevated privileges. This issue affects FLXEON 9.3.4 and older. |
| CVE-2024-39761 | Critical | 10.0 | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTT… |
| CVE-2024-39760 | Critical | 10.0 | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTT… |
| CVE-2024-39759 | Critical | 10.0 | 2025-01-14 | Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTT… |
| CVE-2024-34166 | Critical | 10.0 | 2025-01-14 | An os command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted… |
| CVE-2024-20418 | Critical | 10.0 | 2024-11-06 | A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Po… |
| CVE-2024-45066 | Critical | 10.0 | 2024-09-25 | A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands. |
| CVE-2024-43693 | Critical | 10.0 | 2024-09-25 | A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu can allow a remote attacker to inject arbitrary commands. |
| CVE-2024-29895 | Critical | 10.0 | 2024-05-14 | Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated u… |
| CVE-2024-32766 | Critical | 10.0 | 2024-04-26 | An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to… |
| CVE-2024-3400 | Critical | 10.0 | 2024-04-12 | A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS… |
| CVE-2024-28354 | Critical | 10.0 | 2024-03-15 | There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post reque… |
| CVE-2021-26729 | Critical | 10.0 | 2022-10-24 | Command injection and multiple stack-based buffer overflows vulnerabilities in the Login_handler_func function of spx_restservice allow an attacker to execute… |
| CVE-2021-26728 | Critical | 10.0 | 2022-10-24 | Command injection and stack-based buffer overflow vulnerabilities in the KillDupUsr_func function of spx_restservice allow an attacker to execute arbitrary cod… |