
CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')) — Vulnerability Class 1185

1185 vulnerabilities classified as CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')). AI Chinese analysis included.

CWE-77 is an input validation weakness in which software builds a command from untrusted data without neutralizing the special characters of the command language. Attackers typically exploit it by placing command delimiters, such as semicolons or pipe operators, in user-supplied fields so that the structure of the intended command changes. The result can be execution of arbitrary commands on the downstream component, potentially leading to full system compromise, data exfiltration, or denial of service. To prevent such vulnerabilities, developers must strictly validate all external inputs against an allowlist of expected formats. Using parameterized APIs or command execution interfaces that pass arguments as discrete values, instead of concatenating strings, removes most of the risk. Running the application process with least privilege limits the impact of any injection that does succeed.

MITRE CWE Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.
Common Consequences (1)
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands
If a malicious user injects a character (such as a semi-colon) that delimits the end of one command and the beginning of another, it may be possible to then insert an entirely new and unrelated command that was not intended to be executed. This gives an attacker a privilege or capability that they w…
Mitigations (5)
Architecture and Design: If at all possible, use library calls rather than external processes to recreate the desired functionality.
Implementation: If possible, ensure that all external commands called from the program are statically created.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Operation: Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.
System Configuration: Assign permissions that prevent the user from accessing/opening privileged files.
Examples (2)
Consider a "CWE Differentiator" application that uses an LLM generative AI based "chatbot" to explain the difference between two weaknesses. As input, it accepts two CWE IDs, constructs a prompt string, sends the prompt to the chatbot, and prints the results. The prompt string effectively acts as a command to the chatbot component. Assume that invokeChatbot() calls the chatbot and returns the …
# arg1 and arg2 come straight from the request and are interpolated into the prompt unchecked
prompt = "Explain the difference between {} and {}".format(arg1, arg2)
result = invokeChatbot(prompt)
resultHTML = encodeForHTML(result)
print(resultHTML)
Bad · Python
Explain the difference between CWE-77 and CWE-78
Informative
Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed.
my $arg = GetArgument("filename");
do_listing($arg);

sub do_listing {
    my($fname) = @_;
    if (! validate_name($fname)) {
        print "Error: name is not well-formed!\n";
        return;
    }
    # build command
    my $cmd = "/bin/ls -l $fname";
    system($cmd);
}

sub validate_name {
    my($name) = @_;
    # allows a leading "-", so the name can be read by ls as an option
    if ($name =~ /^[\w\-]+$/) {
        return(1);
    } else {
        return(0);
    }
}
Bad · Perl
if ($name =~ /^\w[\w\-]+$/) ...
Good · Perl
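The same listing program, rewritten here as an added Python example (not from the CWE entry or this site) to show both the strict allowlist from the "Good" snippet and a second layer the CWE mitigations call for: the filename is passed as a separate argv element after "--", with no shell involved, so it can never be parsed as an option or as shell syntax even if validation is later relaxed. The weak and strict patterns are the two regexes above; everything else is assumed for illustration.

```python
import re
import subprocess

# Weak check from the CWE-77 example: a name may begin with "-", which ls
# would parse as an option rather than a filename.
WEAK_NAME = re.compile(r"^[\w\-]+$", re.ASCII)
# Corrected check: the first character must be a word character.
# re.ASCII keeps \w to [A-Za-z0-9_], matching the "alphanumeric" intent.
STRICT_NAME = re.compile(r"^\w[\w\-]+$", re.ASCII)


def validate_name(name, strict=True):
    """Allowlist check. fullmatch() also closes the gap where '$' alone
    would accept a trailing newline."""
    pattern = STRICT_NAME if strict else WEAK_NAME
    return pattern.fullmatch(name) is not None


def build_listing_argv(fname):
    """Return the argv list for 'ls -l <fname>', or None if the name is rejected.

    The name travels as its own argv element after "--": ls stops option
    parsing at "--", and because no shell is used, characters such as ';'
    or '|' have no meaning here either.
    """
    if not validate_name(fname):
        return None
    return ["/bin/ls", "-l", "--", fname]


def do_listing(fname):
    argv = build_listing_argv(fname)
    if argv is None:
        print("Error: name is not well-formed!")
        return None
    # shell=False is the default: the list is passed to execve() as-is.
    return subprocess.run(argv, capture_output=True, text=True, check=False)
```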
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-20163 | Remote Command Execution (RCE) through the '/splunkd/__upload/indexing/preview' REST endpoint in Splunk Enterprise | Splunk Enterprise | 8.0 | High | 2026-03-11
CVE-2026-32063 | OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation | openclaw | 7.1 | High | 2026-03-11
CVE-2026-3943 | H3C ACG1000-AK230 aaa_portal_auth_local_submit command injection | ACG1000-AK230 | 7.3 | High | 2026-03-11
CVE-2026-3854 | Remote code execution via git push option injection in GitHub Enterprise Server | Enterprise Server | 8.8 (AI) | High (AI) | 2026-03-10
CVE-2026-3798 | Comfast CF-AC100 Request Path mbox-config sub_44AC14 command injection | CF-AC100 | 4.7 | Medium | 2026-03-09
CVE-2026-3704 | Wavlink NU516U1 Incomplete Fix CVE-2025-10959 firewall.cgi sub_405B2C command injection | NU516U1 | 4.7 | Medium | 2026-03-08
CVE-2026-3680 | RyuzakiShinji biome-mcp-server biome-mcp-server.ts command injection | biome-mcp-server | 6.3 | Medium | 2026-03-07
CVE-2026-3662 | Wavlink WL-NU516U1 adm.cgi usb_p910 command injection | WL-NU516U1 | 4.7 | Medium | 2026-03-07
CVE-2026-3661 | Wavlink WL-NU516U1 adm.cgi ota_new_upgrade command injection | WL-NU516U1 | 4.7 | Medium | 2026-03-07
CVE-2026-3612 | Wavlink WL-NU516U1 OTA Online Upgrade adm.cgi sub_405AF4 command injection | WL-NU516U1 | 7.2 | High | 2026-03-06
CVE-2026-3484 | PhialsBasement nmap-mcp-server Nmap CLI index.ts child_process.exec command injection | nmap-mcp-server | 6.3 | Medium | 2026-03-03
CVE-2025-33181 | IBM MQ security vulnerability | Cumulus Linux GA | 7.3 | High | 2026-02-24
CVE-2025-33180 | NVIDIA Cumulus Linux and NVIDIA NVOS command injection vulnerability | Cumulus Linux GA | 8.0 | High | 2026-02-24
CVE-2026-3066 | HummerRisk Cloud Compliance Scanning PlatformUtils.java fixedCommand command injection | HummerRisk | 6.3 | Medium | 2026-02-24
CVE-2026-3065 | HummerRisk Cloud Task Dry-run CloudTaskService.java CommandUtils.commonExecCmdWithResult command injection | HummerRisk | 6.3 | Medium | 2026-02-24
CVE-2026-3064 | HummerRisk Cloud Task Scheduler ResourceCreateService.java command injection | HummerRisk | 6.3 | Medium | 2026-02-24
CVE-2026-2956 | qinming99 dst-admin restore revertBackup command injection | dst-admin | 6.3 | Medium | 2026-02-22
CVE-2026-26093 | Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds | opds | 9.8 (AI) | Critical (AI) | 2026-02-20
CVE-2026-2333 | Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds | opds | 9.8 (AI) | Critical (AI) | 2026-02-20
CVE-2026-20761 | EnOcean SmartServer IoT Command Injection | SmartServer IoT | 8.1 | High | 2026-02-20
CVE-2026-2824 | Comfast CF-E7 webmggnt mbox-config sub_441CF4 command injection | CF-E7 | 6.3 | Medium | 2026-02-20
CVE-2026-2823 | Comfast CF-E7 webmggnt mbox-config sub_41ACCC command injection | CF-E7 | 6.3 | Medium | 2026-02-20
CVE-2026-27001 | OpenClaw: Unsanitized CWD path injection into LLM prompts | openclaw | 7.6 | - | 2026-02-19
CVE-2025-33249 | NVIDIA Nemo Framework command injection vulnerability | NeMo Framework | 7.8 | High | 2026-02-18
CVE-2025-33246 | NVIDIA Nemo Framework command injection vulnerability | NeMo Framework | 7.8 | High | 2026-02-18
CVE-2026-22284 | Dell SmartFabric OS10 Software command injection vulnerability | SmartFabric OS10 Software | 6.6 | Medium | 2026-02-17
CVE-2026-2615 | Wavlink WL-NU516U1 firewall.cgi singlePortForwardDelete command injection | WL-NU516U1 | 7.2 | High | 2026-02-17
CVE-2026-2548 | WAYOS FBM-220G rc sub_40F820 command injection | FBM-220G | 6.3 | Medium | 2026-02-16
CVE-2026-2537 | Comfast CF-E4 HTTP POST Request mbox-config command injection | CF-E4 | 4.7 | Medium | 2026-02-16
CVE-2026-2535 | Comfast CF-N1 V2 mbox-config sub_44AB9C command injection | CF-N1 V2 | 6.3 | Medium | 2026-02-16

Vulnerabilities classified as CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')) represent 1185 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.