About “Command Injection”

A curated feed of “Command Injection”-related CVEs appears below. We currently track 5730 CVEs for this tag (all time). In the last 365 days, 1683 were published. Average CVSS is 8.2 (all time; 7.8 over 365d), and 79% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection'), CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection').

In our taxonomy this topic maps to a VERY HIGH impact class: common exploitation patterns for this weakness lead to very high impact, typically arbitrary command execution on the affected host. Use the filters below to sort by CVSS, risk and CWE, triage the high-risk entries first, and validate exposure in your environment. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic.

2018-07-02
High

CVE-2018-9276

An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command inject…

High

CVE-2018-12577

The Ping and Traceroute features on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices allow authenticated blind Command Injection.

2018-06-29
Critical

CVE-2018-12465

An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrar…

2018-06-26
Critical

CVE-2018-10660

An issue was discovered in multiple models of Axis IP Cameras. There is Shell Command Injection.

2018-06-21
Critical

CVE-2018-0712

Command injection vulnerability in LDAP Server in QNAP QTS 4.2.6 build 20171208, QTS 4.3.3 build 20180402, QTS 4.3.4 build 20180413 and their earlier versions could allow remote attackers to run arbi…

High

CVE-2018-0313

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to send a malicious packet to the management interface on an affected system and execute a…

High

CVE-2018-0306

A vulnerability in the CLI parser of Cisco NX-OS Software could allow an authenticated, local attacker to perform a command-injection attack on an affected device. The vulnerability is due to insuffi…

2018-06-20
High

CVE-2018-0307

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to perform a command-injection attack on an affected device. The vulnerability is due to insufficient i…

High

CVE-2018-6211

On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, OS command injection is possible as a result of incorrect proce…

2018-06-13
Medium

CVE-2017-3936

OS Command Injection vulnerability in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, 5.3.1, 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows attackers to run arbitrary OS commands with limited privileges via n…

Critical

CVE-2018-12268

acccheck.pl in acccheck 0.2.1 allows Command Injection via shell metacharacters in a username or password file, as demonstrated by injection into an smbclient command line.

2018-06-11
High

CVE-2018-6961

VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on…

2018-06-08
High

CVE-2017-12078

Command injection vulnerability in EZ-Internet in Synology Router Manager (SRM) before 1.1.6-6931 allows remote authenticated users to execute arbitrary commands via the username parameter.

High

CVE-2017-12075

Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary commands via the username parameter.

Critical

CVE-2018-11229

Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC devices before 2.001.0037.001 allow unauthenticated remote code execution via command injection in Crestron Toolbox Protoc…

2018-06-07
Critical

CVE-2017-16100

dns-sync is a sync/blocking dns resolver. If untrusted user input is allowed into the resolve() method then command injection is possible.

2018-06-02
High

CVE-2018-11188

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 46 of 46).

High

CVE-2018-11187

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 45 of 46).

High

CVE-2018-11186

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 44 of 46).

High

CVE-2018-11185

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 43 of 46).

High

CVE-2018-11184

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 42 of 46).

High

CVE-2018-11183

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 41 of 46).

High

CVE-2018-11182

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 40 of 46).

High

CVE-2018-11181

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 39 of 46).

High

CVE-2018-11180

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 38 of 46).

High

CVE-2018-11179

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 37 of 46).

High

CVE-2018-11178

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 36 of 46).

High

CVE-2018-11177

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 35 of 46).

High

CVE-2018-11176

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 34 of 46).

High

CVE-2018-11175

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 33 of 46).

High

CVE-2018-11174

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 32 of 46).

High

CVE-2018-11173

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 31 of 46).

High

CVE-2018-11172

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 30 of 46).

High

CVE-2018-11171

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 29 of 46).

High

CVE-2018-11170

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 28 of 46).

High

CVE-2018-11169

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 27 of 46).

High

CVE-2018-11168

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 26 of 46).

High

CVE-2018-11167

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 25 of 46).

High

CVE-2018-11166

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 24 of 46).

High

CVE-2018-11165

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 23 of 46).

High

CVE-2018-11164

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 22 of 46).

High

CVE-2018-11163

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 21 of 46).

High

CVE-2018-11162

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 20 of 46).

High

CVE-2018-11161

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 19 of 46).

High

CVE-2018-11160

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 18 of 46).

High

CVE-2018-11159

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 17 of 46).

High

CVE-2018-11158

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 16 of 46).

High

CVE-2018-11157

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 15 of 46).

High

CVE-2018-11156

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 14 of 46).

High

CVE-2018-11155

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 13 of 46).

High

CVE-2018-11154

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 12 of 46).

High

CVE-2018-11153

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 11 of 46).

High

CVE-2018-11152

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 10 of 46).

High

CVE-2018-11151

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 9 of 46).

High

CVE-2018-11150

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 8 of 46).

High

CVE-2018-11149

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 7 of 46).

High

CVE-2018-11148

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 6 of 46).

High

CVE-2018-11147

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 5 of 46).

High

CVE-2018-11146

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 4 of 46).

High

CVE-2018-11145

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 3 of 46).

High

CVE-2018-11144

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 2 of 46).

Critical

CVE-2018-11143

Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 1 of 46).

2018-06-01
Critical

CVE-2018-3757

Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter.

Critical

CVE-2018-3746

The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine.

2018-05-31
High

CVE-2018-11139

The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on th…

High

CVE-2018-11132

In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs daemonized with root privileges and only allows a se…

2018-05-29
Medium

CVE-2018-1242

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3 contain a command injection vulnerability in the Boxmgmt CLI. An authenticated malicious user with b…

Critical

CVE-2018-1235

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3 contain a command injection vulnerability. An unauthenticated remote attacker may potentially exploit…

2018-05-23
High

CVE-2018-10354

A command injection remote command execution vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to execute arbitrary code on vulnerable installations due to a fla…

2018-05-19
Critical

CVE-2018-4924

Adobe Dreamweaver CC versions 18.0 and earlier have an OS Command Injection vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Critical

CVE-2018-4923

Adobe Connect versions 9.7 and earlier have an exploitable OS Command Injection. Successful exploitation could lead to arbitrary file deletion.

2018-05-17
Critical

CVE-2018-10730

All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products running firmware version 1.0 to 1.33 are prone to OS command injection.

High

CVE-2018-1111

DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious…

Medium

CVE-2018-0324

A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, high-privileged, local attacker to perform a command injection attack. The vulnerabili…

2018-05-14
High

CVE-2017-14434

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in…

High

CVE-2017-14433

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in…

High

CVE-2017-14432

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in…

High

CVE-2017-12125

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in…

High

CVE-2017-12121

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in…

High

CVE-2017-12120

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation, resulting in…

2018-05-09
Critical

CVE-2017-14481

In the MMM::Agent::Helpers::Network::send_arp function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1 (for Solaris), a specially crafted MMM protocol message can cause a shell comma…

Critical

CVE-2017-14480

In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1 (for FreeBSD), a specially crafted MMM protocol message can cause a shell comma…

Critical

CVE-2017-14479

In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1 (for Solaris), a specially crafted MMM protocol message can cause a shell comma…

Critical

CVE-2017-14478

In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1 (for Linux), a specially crafted MMM protocol message can cause a shell command…

Critical

CVE-2017-14477

In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1 (for FreeBSD), a specially crafted MMM protocol message can cause a shell command…

Critical

CVE-2017-14476

In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1 (for Solaris), a specially crafted MMM protocol message can cause a shell command…

Critical

CVE-2017-14475

In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1 (for Linux), a specially crafted MMM protocol message can cause a shell command i…

Critical

CVE-2017-14474

In the MMM::Agent::Helpers::_execute function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1, a specially crafted MMM protocol message can cause a shell command injection resulting…

High

CVE-2018-8866

In Vecna VGo Robot versions prior to 3.0.3.52164, an attacker on an adjacent network could perform command injection.

2018-05-08
High

CVE-2018-1239

Dell EMC Unity Operating Environment (OE) versions prior to 4.3.0.1522077968 are affected by multiple OS command injection vulnerabilities. A remote application admin user could potentially exploit t…

2018-05-04
Critical

CVE-2018-10562

An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping re…

2018-05-02
High

CVE-2018-10642

Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-…

2018-05-01
High

CVE-2017-17020

On D-Link DCS-5009 devices with firmware 1.08.11 and earlier, DCS-5010 devices with firmware 1.14.09 and earlier, and DCS-5020L devices with firmware before 1.15.01, command injection in alphapd (bin…

2018-04-30
High

CVE-2018-5234

The Norton Core router prior to v237 may be susceptible to a command injection exploit. This is a type of attack in which the goal is execution of arbitrary commands on the host system via vulnerable…

2018-04-24
High

CVE-2018-3836

An exploitable command injection vulnerability exists in the gplotMakeOutput function of Leptonica 1.74.4. A specially crafted gplot rootname argument can cause a command injection resulting in arbit…

High

CVE-2017-2833

An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request c…

High

CVE-2017-2832

An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request c…

2018-04-18
High

CVE-2018-8735

Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.

2018-04-12
Critical

CVE-2014-8888

The remote administration interface in D-Link DIR-815 devices with firmware before 2.03.B02 allows remote attackers to execute arbitrary commands via vectors related to an "HTTP command injection iss…

2018-04-11
Critical

CVE-2017-14459

An exploitable OS Command Injection vulnerability exists in the Telnet, SSH, and console login functionality of Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client in firmware vers…

2018-04-04
Critical

CVE-2018-9285

Main_Analysis_Content.asp in /apply.cgi on ASUS RT-AC66U, RT-AC68U, RT-AC86U, RT-AC88U, RT-AC1900, RT-AC2900, and RT-AC3100 devices before 3.0.0.4.384_10007; RT-N18U devices before 3.0.0.4.382.39935;…

2018-04-03
High

CVE-2017-7161

An issue was discovered in certain Apple products. Safari before 11.0.2 is affected. The issue involves the "WebKit Web Inspector" component. It allows remote attackers to execute arbitrary code via…

2018-03-27
High

CVE-2018-1238

Dell EMC ScaleIO versions prior to 2.5 contain a command injection vulnerability in the Light Installation Agent (LIA). This component is used for central management of ScaleIO deployment and uses s…

2018-03-15
Critical

CVE-2018-6231

A server auth command injection authentication bypass vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.3 and below could allow remote attackers to escalate privileges on v…

2018-03-08
Critical

CVE-2018-7890

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and val…

Medium

CVE-2018-0221

A vulnerability in specific CLI commands for the Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection to the underlying operating system or c…

Medium

CVE-2018-0217

A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series Aggregation Services Routers could allow an authenticated, local attacker to perform a command injection atta…

Medium

CVE-2018-0214

A vulnerability in certain CLI commands of Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to execute arbitrary commands on the host operating system with the privil…

2018-03-07
High

CVE-2018-1000118

GitHub Electron version 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in the Protocol Handler that can result in command execution. This attack appears to be exploitable via t…

2018-03-06
Critical

CVE-2018-6530

OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous version…

2018-03-01
High

CVE-2017-9274

A shell command injection in the obs-service-source_validator before 0.7 could be used to execute code as the packager when checking RPM SPEC files with specific macro constructs.

High

CVE-2018-5314

Command injection vulnerability in Citrix NetScaler ADC and NetScaler Gateway 11.0 before build 70.16, 11.1 before build 55.13, and 12.0 before build 53.13; and the NetScaler Load Balancing instance…

2018-02-23
Critical

CVE-2018-7440

An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput function allows command injection via a $(command) approach in the gplot rootname argument. This issue exists because of an in…

2018-02-19
Critical

CVE-2018-5439

A Command Injection issue was discovered in Nortek Linear eMerge E3 series Versions V0.32-07e and prior. A remote attacker may be able to execute arbitrary code on a target machine with elevated priv…

2018-02-16
High

CVE-2017-14535

trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php.

2018-02-14
High

CVE-2017-6230

Ruckus Networks Solo APs firmware releases R110.x or before and Ruckus Networks SZ managed APs firmware releases R5.x or before contain authenticated Root Command Injection in the web-GUI that could…

High

CVE-2017-6229

Ruckus Networks Unleashed AP firmware releases before 200.6.10.1.x and Ruckus Networks Zone Director firmware releases 10.1.0.0.x, 9.10.2.0.x, 9.12.3.0.x, 9.13.3.0.x, 10.0.1.0.x or before contain aut…

2018-02-12
High

CVE-2016-5397

The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apach…

2018-02-09
Critical

CVE-2018-1000043

Security Onion Solutions Squert version 1.0.1 through 1.6.7 contains a CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability in .inc/callback.…

Critical

CVE-2018-1000042

Security Onion Solutions Squert version 1.3.0 through 1.6.7 contains a CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability in .inc/callback.…