
CWE-77 (Improper Neutralization of Special Elements used in a Command (Command Injection)) — Vulnerability Class 1259

1259 vulnerabilities classified as CWE-77 (Improper Neutralization of Special Elements used in a Command (Command Injection)). AI Chinese analysis included.

CWE-77 is a critical input validation weakness in which software builds a command from untrusted data without neutralizing the special characters that the command interpreter gives meaning to. An attacker exploits it by placing such characters (for example a semicolon or a pipe operator) in a user-supplied field so that the data changes the structure of the command instead of filling a single argument. The result can be execution of arbitrary system commands and, from there, full system compromise, data exfiltration, or denial of service. To prevent this, developers must strictly validate and sanitize all external input so that only the expected formats are processed, prefer parameterized APIs or safe command-execution libraries over direct string concatenation, and run application processes under the principle of least privilege so that a successful injection does as little damage as possible.

MITRE CWE Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability · Impact: Execute Unauthorized Code or Commands
If a malicious user injects a character (such as a semi-colon) that delimits the end of one command and the beginning of another, it may be possible to then insert an entirely new and unrelated command that was not intended to be executed. This gives an attacker a privilege or capability that they w…
Mitigations (5)
Architecture and Design: If at all possible, use library calls rather than external processes to recreate the desired functionality.
Implementation: If possible, ensure that all external commands called from the program are statically created.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Operation (run time): Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.
System Configuration: Assign permissions that prevent the user from accessing/opening privileged files.
Examples (2)
Consider a "CWE Differentiator" application that uses an LLM generative AI based "chatbot" to explain the difference between two weaknesses. As input, it accepts two CWE IDs, constructs a prompt string, sends the prompt to the chatbot, and prints the results. The prompt string effectively acts as a command to the chatbot component. Assume that invokeChatbot() calls the chatbot and returns the …
    # arg1 and arg2 are the two user-supplied CWE IDs; they are interpolated
    # into the prompt without any validation, so the prompt text itself can be
    # altered by the caller (this is the weakness the example illustrates)
    prompt = "Explain the difference between {} and {}".format(arg1, arg2)
    result = invokeChatbot(prompt)
    # the chatbot output is HTML-encoded before display, which protects against
    # XSS but does nothing about the injected prompt
    resultHTML = encodeForHTML(result)
    print(resultHTML)
Bad · Python
Explain the difference between CWE-77 and CWE-78
Informative
Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed.
    my $arg = GetArgument("filename");
    do_listing($arg);

    sub do_listing {
        my($fname) = @_;
        if (! validate_name($fname)) {
            print "Error: name is not well-formed!\n";
            return;
        }
        # build command
        my $cmd = "/bin/ls -l $fname";
        system($cmd);
    }

    sub validate_name {
        my($name) = @_;
        # allow only word characters and "-"
        if ($name =~ /^[\w\-]+$/) {
            return(1);
        }
        else {
            return(0);
        }
    }
Bad · Perl
if ($name =~ /^\w[\w\-]+$/) ...
Good · Perl
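The same listing routine rewritten in Python, as an added example that is not from the MITRE entry or from this site. The function names validate_name, build_listing_argv and do_listing and the sample inputs are my own. It applies the strict pattern of the Good variant above (a leading word character, so a name can never begin with "-"), and goes one step further than the Perl code: the validated name is handed to ls as an argv list with a "--" separator instead of being interpolated into a shell string, so shell metacharacters are never interpreted even if validation were loosened later.

```python
import re
import subprocess
from typing import List, Optional

# Two allowlists mirroring the page's Perl example (constructed here).
# The weak pattern accepts any run of word characters and hyphens, so a name
# such as "-l" passes and would be parsed by ls as an option. The strict
# pattern additionally requires a leading word character.
WEAK_NAME = re.compile(r"^[\w\-]+$")
STRICT_NAME = re.compile(r"^\w[\w\-]+$")


def validate_name(name: str, strict: bool = True) -> bool:
    """Accept-known-good check: True only if the whole name matches.

    re.fullmatch requires the entire string to match, so unlike Perl's $ it
    also rejects a trailing newline (e.g. "abc\\n").
    """
    pattern = STRICT_NAME if strict else WEAK_NAME
    return pattern.fullmatch(name) is not None


def build_listing_argv(fname: str) -> Optional[List[str]]:
    """Return the argv for `ls -l <fname>`, or None if the name is rejected.

    The command is an argument list, never a shell string: characters such as
    ';' or '|' in fname are passed to ls as literal bytes, not interpreted by
    a shell. The '--' ends option parsing so that even a name starting with
    '-' could not be read as a flag.
    """
    if not validate_name(fname):
        return None
    return ["/bin/ls", "-l", "--", fname]


def do_listing(fname: str) -> int:
    """Validate, then run the listing without a shell; returns the exit code."""
    argv = build_listing_argv(fname)
    if argv is None:
        print("Error: name is not well-formed!")
        return 1
    # shell=False is the default; the list form never reaches /bin/sh
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # constructed sample inputs: the first two are the names the page intends
    # to allow, the rest show what each allowlist rejects
    for candidate in ["abc", "d-e-f", "-l", "a;b", "x|y", "abc\n"]:
        print(f"{candidate!r}: weak={validate_name(candidate, strict=False)} "
              f"strict={validate_name(candidate)}")
```

Running the script prints the verdict of both patterns for each sample; "-l" is the only input the weak pattern accepts and the strict one rejects, which is exactly the difference between the Bad and Good regexes above.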
CVE ID | Title | Product | CVSS | Severity | Published
(AI) marks a CVSS score or severity produced by the site's AI analysis.
CVE-2026-24685 | OpenProject has Argument Injection on Repository module that allows Arbitrary File Write | openproject | 7.5 (AI) | High (AI) | 2026-01-28
CVE-2025-14756 | Authenticated Command Injection Vulnerability in Archer MR600 | Archer MR600 v5.0 | 8.8 (AI) | High (AI) | 2026-01-26
CVE-2016-15057 | Apache Continuum: Command injection leading to RCE | Apache Continuum | 8.8 (AI) | High (AI) | 2026-01-26
CVE-2026-1419 | D-Link DCS700l Web Form setDayNightMode command injection | DCS700l | 4.7 | Medium | 2026-01-26
CVE-2026-1414 | Sangfor Operation and Maintenance Security Management System HTTP POST Request get_Information getInformation command injection | Operation and Maintenance Security Management System | 6.3 | Medium | 2026-01-26
CVE-2026-1413 | Sangfor Operation and Maintenance Security Management System HTTP POST Request port_validate portValidate command injection | Operation and Maintenance Security Management System | 6.3 | Medium | 2026-01-26
CVE-2026-1412 | Sangfor Operation and Maintenance Security Management System HTTP POST Request get_clip_img command injection | Operation and Maintenance Security Management System | 7.3 | High | 2026-01-26
CVE-2026-24132 | Orval Mock Generation Code Injection via const | orval | 8.1 | - | 2026-01-22
CVE-2026-21520 | Copilot Studio Information Disclosure Vulnerability | Microsoft Copilot Studio | 7.5 | High | 2026-01-22
CVE-2026-1327 | Totolink NR1800X POST Request cstecgi.cgi setTracerouteCfg command injection | NR1800X | 6.3 | Medium | 2026-01-22
CVE-2026-1326 | Totolink NR1800X POST Request cstecgi.cgi setWanCfg command injection | NR1800X | 6.3 | Medium | 2026-01-22
CVE-2025-15367 | POP3 command injection in user-controlled commands | CPython | 9.8 (AI) | Critical (AI) | 2026-01-20
CVE-2025-15366 | IMAP command injection in user-controlled commands | CPython | 9.8 (AI) | Critical (AI) | 2026-01-20
CVE-2026-23947 | Orval MCP client is vulnerable to code injection via unsanitized x-enum-descriptions in enum generation | orval | 10.0 (AI) | Critical (AI) | 2026-01-20
CVE-2026-1192 | Tosei Online Store Management System ネット店舗管理システム imode_alldata.php command injection | Online Store Management System ネット店舗管理システム | 7.3 | High | 2026-01-19
CVE-2026-1150 | Totolink LR350 POST Request cstecgi.cgi setTracerouteCfg command injection | LR350 | 6.3 | Medium | 2026-01-19
CVE-2026-1149 | Totolink LR350 POST Request cstecgi.cgi setDiagnosisCfg command injection | LR350 | 6.3 | Medium | 2026-01-19
CVE-2026-1125 | D-Link DIR-823X set_wifidog_settings sub_412E7C command injection | DIR-823X | 7.3 | High | 2026-01-18
CVE-2026-1066 | kalcaddle kodbox Compression zip command injection | kodbox | 6.3 | Medium | 2026-01-17
CVE-2026-1064 | bastillion-io Bastillion System Management SystemKtrl.java command injection | Bastillion | 4.7 | Medium | 2026-01-17
CVE-2026-1063 | bastillion-io Bastillion Public Key Management System AuthKeysKtrl.java command injection | Bastillion | 4.7 | Medium | 2026-01-17
CVE-2025-60021 | Apache bRPC: Remote command injection vulnerability in heap builtin service | Apache bRPC | 9.8 | - | 2026-01-16
CVE-2026-0975 | DIAView - Command Injection Vulnerability | DIAView | 7.8 | High | 2026-01-16
CVE-2026-22864 | Deno has an incomplete fix for command-injection prevention on Windows (case-insensitive extension bypass) | deno | 8.1 | High | 2026-01-15
CVE-2026-22755 | Legacy Vivotek Camera Firmware Command Injection in upload_map.cgi | Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391, FE9180, FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371, IB9381, IB9387, IB9389, IB939, IP9165, IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 | 9.8 (AI) | Critical (AI) | 2026-01-13
CVE-2026-22785 | orval MCP client is vulnerable to a code injection attack | orval | 8.2 (AI) | High (AI) | 2026-01-12
CVE-2026-22688 | WeKnora has Command Injection in MCP stdio test | WeKnora | 10.0 | Critical | 2026-01-10
CVE-2026-22601 | OpenProject is Vulnerable to Code Execution in E-Mail function | openproject | 7.2 | - | 2026-01-10
CVE-2026-0732 | D-Link DI-8200G upgrade_filter.asp command injection | DI-8200G | 6.3 | Medium | 2026-01-08
CVE-2026-0641 | TOTOLINK WA300 cstecgi.cgi sub_401510 command injection | WA300 | 6.3 | Medium | 2026-01-06

Vulnerabilities classified as CWE-77 (Improper Neutralization of Special Elements used in a Command (Command Injection)) represent 1259 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.