CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')) — Vulnerability Class 1201

1201 vulnerabilities classified as CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')). AI Chinese analysis included.

CWE-77 represents a critical input validation weakness where software constructs commands using untrusted data without properly sanitizing special characters. Attackers typically exploit this by injecting malicious payloads, such as semicolons or pipe operators, into user-supplied fields to alter the intended command structure. This allows them to execute arbitrary system commands, potentially leading to full system compromise, data exfiltration, or denial of service. To prevent such vulnerabilities, developers must strictly validate and sanitize all external inputs, ensuring that only expected data formats are processed. Utilizing parameterized APIs or safe command execution libraries instead of direct string concatenation significantly reduces risk. Additionally, implementing the principle of least privilege for application processes limits the potential impact of successful injection attempts, thereby enhancing overall system security against command injection attacks.

MITRE CWE Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.
Common Consequences (1)
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands
If a malicious user injects a character (such as a semi-colon) that delimits the end of one command and the beginning of another, it may be possible to then insert an entirely new and unrelated command that was not intended to be executed. This gives an attacker a privilege or capability that they w…
Mitigations (5)
Architecture and Design: If at all possible, use library calls rather than external processes to recreate the desired functionality.
Implementation: If possible, ensure that all external commands called from the program are statically created.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Operation (run time): Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.
System Configuration: Assign permissions that prevent the user from accessing/opening privileged files.
Examples (2)
Consider a "CWE Differentiator" application that uses an LLM generative AI based "chatbot" to explain the difference between two weaknesses. As input, it accepts two CWE IDs, constructs a prompt string, sends the prompt to the chatbot, and prints the results. The prompt string effectively acts as a command to the chatbot component. Assume that invokeChatbot() calls the chatbot and returns the …
# arg1 and arg2 are the two externally supplied CWE IDs; they are placed into
# the prompt without any neutralization, so they can reshape the "command".
prompt = "Explain the difference between {} and {}".format(arg1, arg2)
result = invokeChatbot(prompt)
resultHTML = encodeForHTML(result)
print(resultHTML)
Bad · Python
Explain the difference between CWE-77 and CWE-78
Informative
Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed.
my $arg = GetArgument("filename");
do_listing($arg);

sub do_listing {
    my($fname) = @_;
    if (! validate_name($fname)) {
        print "Error: name is not well-formed!\n";
        return;
    }
    # build command
    my $cmd = "/bin/ls -l $fname";
    system($cmd);
}

sub validate_name {
    my($name) = @_;
    if ($name =~ /^[\w\-]+$/) {
        return(1);
    }
    else {
        return(0);
    }
}
Bad · Perl
if ($name =~ /^\w[\w\-]+$/) ...
Good · Perl
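The leading-hyphen problem the two Perl snippets above illustrate, carried into Python as an added example that is not MITRE's code: both patterns side by side, plus the listing built as an argv list with no shell and a "--" end-of-options marker so ls can never read the name as a flag. The sample names are constructed; /bin/ls is assumed to exist only for do_listing.

```python
import re
import subprocess

# Pattern from the "Bad" Perl example: it permits names that begin with "-",
# which ls parses as an option rather than as a filename.
WEAK_NAME_RE = re.compile(r'^[\w\-]+$', re.ASCII)
# Pattern from the "Good" Perl example: the first character must be a word
# character, so a name can never start with "-".
STRICT_NAME_RE = re.compile(r'^\w[\w\-]+$', re.ASCII)


def validate_name(name: str, strict: bool = True) -> bool:
    """Accept-known-good check: True only if the whole name matches."""
    pattern = STRICT_NAME_RE if strict else WEAK_NAME_RE
    return pattern.fullmatch(name) is not None


def build_listing_argv(name: str) -> list:
    """Return the argv for 'ls -l <name>' as a list, not a shell string.

    Defence in depth: validation rejects shell delimiters and a leading "-",
    the list form means no shell ever parses the name, and "--" tells ls
    that everything after it is a filename even if validation is relaxed.
    """
    if not validate_name(name):
        raise ValueError("name is not well-formed")
    return ["/bin/ls", "-l", "--", name]


def do_listing(name: str) -> str:
    """Run the listing without shell=True and return its standard output."""
    proc = subprocess.run(build_listing_argv(name), capture_output=True,
                          text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample inputs: two the CWE text intends to allow, one with
    # a shell delimiter, and one that the weak pattern wrongly lets through.
    for candidate in ("abc", "d-e-f", "abc;id", "-l"):
        print(f"{candidate!r:10} strict={validate_name(candidate)} "
              f"weak={validate_name(candidate, strict=False)}")
```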
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-7718 | Totolink WA300 POST Request cstecgi.cgi setWebWlanIdx command injection | WA300 | 6.3 | Medium | 2026-05-04
CVE-2026-7705 | JD Cloud JDCOS Service jdcap set_iptv_info command injection | JDCOS | 6.3 | Medium | 2026-05-03
CVE-2026-7692 | Wavlink WL-WN570HA1 adm.cgi ping_ddns command injection | WL-WN570HA1 | 6.3 | Medium | 2026-05-03
CVE-2026-7691 | Wavlink WL-WN570HA1 adm.cgi set_sys_cmd command injection | WL-WN570HA1 | 6.3 | Medium | 2026-05-03
CVE-2026-7690 | Wavlink WL-WN570HA1 adm.cgi set_sys_adm command injection | WL-WN570HA1 | 6.3 | Medium | 2026-05-03
CVE-2026-7687 | langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection | langflow | 6.3 | Medium | 2026-05-03
CVE-2026-7683 | Edimax BR-6428nC Web setWAN command injection | BR-6428nC | 6.3 | Medium | 2026-05-03
CVE-2026-7682 | Edimax BR-6208AC L2TP Mode setWAN command injection | BR-6208AC | 6.3 | Medium | 2026-05-03
CVE-2026-7629 | kleneway awesome-cursor-mpc-server Ccode-Review Tool codeReview.ts runCodeReviewTool command injection | awesome-cursor-mpc-server | 6.3 | Medium | 2026-05-02
CVE-2026-7628 | crazyrabbitLTC mcp-code-review-server RepoMix repomix.ts executeRepomix command injection | mcp-code-review-server | 6.3 | Medium | 2026-05-02
CVE-2026-7548 | Totolink NR1800X cstecgi.cgi sub_41A68C command injection | NR1800X | 8.8 | High | 2026-05-01
CVE-2026-7469 | Tenda 4G300 DelFil sub_425A28 command injection | 4G300 | 6.3 | Medium | 2026-04-30
CVE-2026-26015 | Unauthenticated RCE in DocsGPT MCP STDIO Configuration | DocsGPT | 8.8 (AI) | High (AI) | 2026-04-29
CVE-2026-7316 | eiliyaabedini aider-mcp code_with_ai aider_mcp.py command injection | aider-mcp | 7.3 | High | 2026-04-28
CVE-2026-7215 | egtai gmx-vmd-mcp VMD Launch mcp_server.py launch_vmd_gui_tool command injection | gmx-vmd-mcp | 7.3 | High | 2026-04-28
CVE-2026-7211 | dvladimirov MCP Git Search API mcp_server.py GitSearchRequest command injection | MCP | 7.3 | High | 2026-04-28
CVE-2026-7160 | Tenda HG3 formTracert command injection | HG3 | 8.8 | High | 2026-04-27
CVE-2026-7157 | disler aider-mcp-server aider_ai_code server.py command injection | aider-mcp-server | 7.3 | High | 2026-04-27
CVE-2026-7102 | Tenda F456 httpd WriteFacMac FromWriteFacMac command injection | F456 | 6.3 | Medium | 2026-04-27
CVE-2026-7067 | D-Link DIR-822 udhcpd DHCP Service dhcpd.c system command injection | DIR-822 | 7.3 | High | 2026-04-26
CVE-2026-7058 | 666ghj MiroFish Inter-Process Communication simulation_ipc.py SimulationIPCClient.send_command command injection | MiroFish | 7.3 | High | 2026-04-26
CVE-2026-7039 | tufantunc ssh-mcp index.ts shell.write command injection | ssh-mcp | 7.8 | High | 2026-04-26
CVE-2026-6989 | Tenda F453 Telnet Service telnet TendaTelnet command injection | F453 | 6.3 | Medium | 2026-04-25
CVE-2026-6987 | PicoClaw Web Launcher Management Plane restart command injection | PicoClaw | 7.3 | High | 2026-04-25
CVE-2026-6980 | Divyanshu-hash GitPilot-MCP main.py repo_path command injection | GitPilot-MCP | 7.3 | High | 2026-04-25
CVE-2026-41265 | Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability | Flowise | 9.6 (AI) | Critical (AI) | 2026-04-23
CVE-2026-41304 | WWBN AVideo vulnerable to RCE caused by clonesite plugin | AVideo | 8.8 (AI) | High (AI) | 2026-04-21
CVE-2026-6799 | Comfast CF-N1-S Endpoint mbox-config command injection | CF-N1-S | 6.3 | Medium | 2026-04-21
CVE-2026-39866 | Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml | lawnchair | 8.8 (AI) | High (AI) | 2026-04-21
CVE-2026-4048 | OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF | LoadMaster | 8.4 | High | 2026-04-20

(AI) reproduces the listing's "AI" tag on that entry's CVSS score and severity.

Vulnerabilities classified as CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')) represent 1201 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.