CWE-78 · OS Command Injection
6046 CVEs classified under CWE-78 (OS Command Injection).
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-56415 | Critical | 10.0 | 2026-06-30 | Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attac… |
| CVE-2026-56413 | Critical | 10.0 | 2026-06-30 | Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts… |
| CVE-2026-49869 | Critical | 10.0 | 2026-06-26 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("… |
| CVE-2026-49261 | Critical | 10.0 | 2026-06-11 | MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through… |
| CVE-2026-10520 | Critical | 10.0 | 2026-06-09 | An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-le… |
| CVE-2026-45087 | Critical | 10.0 | 2026-05-27 | Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server)… |
| CVE-2026-34234 | Critical | 10.0 | 2026-05-19 | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerabl… |
| CVE-2026-41553 | Critical | 10.0 | 2026-05-15 | PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthe… |
| CVE-2026-30302 | Critical | 10.0 | 2026-03-27 | The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The… |
| CVE-2026-33478 | Critical | 10.0 | 2026-03-23 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to all… |
| CVE-2026-28409 | Critical | 10.0 | 2026-02-27 | WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA applicatio… |
| CVE-2021-35402 | Critical | 10.0 | 2026-02-20 | PROLiNK PRC2402M 20190909 before 2021-06-13 allows live_api.cgi?page=satellite_list OS command injection via shell metacharacters in the ip parameter (for sate… |
| CVE-2024-58338 | Critical | 10.0 | 2025-12-30 | Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute comm… |
| CVE-2025-63414 | Critical | 10.0 | 2025-12-16 | A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By… |
| CVE-2025-64128 | Critical | 10.0 | 2025-11-26 | An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, wh… |
| CVE-2025-64127 | Critical | 10.0 | 2025-11-26 | An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incor… |
| CVE-2025-64126 | Critical | 10.0 | 2025-11-26 | An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying… |
| CVE-2025-10230 | Critical | 10.0 | 2025-11-07 | A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or esca… |
| CVE-2025-9588 | Critical | 10.0 | 2025-09-23 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Iron Mountain Archiving Services Inc. EnVision allo… |
| CVE-2025-5243 | Critical | 10.0 | 2025-07-24 | Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SM… |