
CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) — Vulnerability Class (2740 CVEs)

2740 vulnerabilities classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')). AI-generated Chinese-language analysis included.

CWE-78 represents a critical input validation weakness where software constructs operating system commands using untrusted external data without proper sanitization. Attackers typically exploit this by injecting malicious shell metacharacters, such as semicolons or pipes, into user-supplied fields like form inputs or URL parameters. This manipulation allows the attacker to alter the intended command structure, enabling arbitrary code execution, data exfiltration, or complete system compromise. To mitigate this risk, developers must strictly avoid passing user input directly to OS command interpreters. Instead, they should utilize safe, language-specific APIs that do not invoke the shell, or implement rigorous input validation and parameterization techniques. By treating all external data as inherently untrusted and applying strict allow-list filtering, organizations can effectively neutralize special elements and prevent command injection vulnerabilities.

MITRE CWE Description
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.

There are at least two subtypes of OS command injection:

1. The application intends to execute a single, fixed program that is under its own control. It intends to use externally-supplied inputs as arguments to that program. For example, the program might use system("nslookup [HOSTNAME]") to run nslookup and allow the user to supply a HOSTNAME, which is used as an argument. Attackers cannot prevent nslookup from executing. However, if the program does not remove command separators from the HOSTNAME argument, attackers could place the separators into the arguments, which allows them to execute their own program afte…
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Non-Repudiation
Impact: Execute Unauthorized Code or Commands; DoS: Crash, Exit, or Restart; Read Files or Directories; Modify Files or Directories; Read Application Data; Modify Application Data; Hide Activities
Attackers could execute unauthorized operating system commands, which could then be used to disable the product, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any…
Mitigations (5)
Architecture and Design: If at all possible, use library calls rather than external processes to recreate the desired functionality.
Architecture and Design, Operation: Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For ex…
Effectiveness: Limited
Architecture and Design: For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.
Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
Examples (2)
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
<?php
// The POST field is user-controlled and is concatenated straight into a shell command string.
$userName = $_POST["user"];
$command = 'ls -l /home/' . $userName;
// system() hands the string to /bin/sh, so a ';' in $userName starts a second command.
system($command);
Bad · PHP
Attack input: ;rm -rf /
The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.
#include <stdlib.h>
#include <string.h>

#define CMD_MAX 1024

int main(int argc, char** argv) {
    /* Fixed program prefix; the user-supplied file name is appended to it. */
    char cmd[CMD_MAX] = "/usr/bin/cat ";
    if (argc < 2) {
        return 1;
    }
    /* No length check and no filtering of shell metacharacters in argv[1]. */
    strcat(cmd, argv[1]);
    /* system() runs the string through the shell, so separators in argv[1] are honored. */
    system(cmd);
    return 0;
}
Bad · C
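As an added example, not MITRE's code and not taken from any product in the table below, the C program here is a hardened counterpart to the setuid cat listing above. It demonstrates the first mitigation in the list (library calls instead of an external process), the allow-list filtering the introduction recommends, and, where an external program is still wanted, passing the user value as a single argv element through execv() so that no shell ever parses it. The same two approaches apply to the PHP listing: read the directory through a library call, or hand the user value to a non-shell exec API as one argument. Two assumptions are made for the example: cat is at /usr/bin/cat, and a file-name policy of letters, digits, '.', '_', '/' and '-', with no leading '-' and no "..", fits the tool.

```c
/* Hardened counterpart to the "Bad · C" example (added illustration, not MITRE's code). */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 1024

/* Allow-list check (assumed policy for this example).
 * Accepts only [A-Za-z0-9._/-]; rejects an empty string, a leading '-' (so the
 * value can never be read as an option by the child program) and any ".."
 * (so the caller cannot walk out of the intended tree).
 * Returns 1 when the name is acceptable, 0 otherwise. */
int validate_filename(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len >= CMD_MAX) return 0;
    if (name[0] == '-') return 0;
    if (strstr(name, "..") != NULL) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '/' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fix variant 1: still run an external program, but give it the user value as
 * one argv element via execv(). No shell is involved, so ';', '|', '`' and
 * similar bytes are just part of a file name, never command separators.
 * Returns the child's exit status, or -1 on error / rejected input. */
int cat_without_shell(const char *path)
{
    if (!validate_filename(path)) {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* "--" ends option parsing, a second guard against option injection. */
        char *const argv[] = { "cat", "--", (char *)path, NULL };
        execv("/usr/bin/cat", argv);   /* assumed location of cat */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Fix variant 2 (the first mitigation listed above): no external process at
 * all; read the file with library calls. Copies at most bufsize-1 bytes into
 * buf and NUL-terminates it. Returns the byte count, or -1 on error. */
long read_file_into(const char *path, char *buf, size_t bufsize)
{
    if (!validate_filename(path) || bufsize == 0) {
        errno = EINVAL;
        return -1;
    }
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t total = 0;
    while (total < bufsize - 1) {
        ssize_t n = read(fd, buf + total, bufsize - 1 - total);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        total += (size_t)n;
    }
    close(fd);
    buf[total] = '\0';
    return (long)total;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    char buf[CMD_MAX];
    long n = read_file_into(argv[1], buf, sizeof buf);
    if (n < 0) {
        perror("read_file_into");   /* EINVAL here means the name failed the allow-list */
        return 1;
    }
    fputs(buf, stdout);
    return 0;
}
```

The validation step stays in both variants: with execv() it is no longer needed to keep metacharacters out of a shell, but it still decides which files a privileged tool will open, and with the library variant it is the only control left. Note that read_file_into truncates at CMD_MAX-1 bytes by design; a real tool would loop over chunks and write them out as it goes.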
CVE ID | Title | Product | CVSS | Severity | Published
(Values the page flags with an "AI" marker are shown as "(AI)".)
CVE-2026-6132 | Totolink A7100RU CGI cstecgi.cgi setLedCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-12
CVE-2026-6131 | Totolink A7100RU CGI cstecgi.cgi setTracerouteCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-12
CVE-2026-6130 | chatboxai chatbox Model Context Protocol Server Management System ipc-stdio-transport.ts StdioClientTransport os command injection | chatbox | 7.3 | High | 2026-04-12
CVE-2026-6116 | Totolink A7100RU CGI cstecgi.cgi setDiagnosisCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-12
CVE-2026-6115 | Totolink A7100RU CGI cstecgi.cgi setAppCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-12
CVE-2026-6114 | Totolink A7100RU CGI cstecgi.cgi setNetworkCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-12
CVE-2026-6113 | Totolink A7100RU CGI cstecgi.cgi setTtyServiceCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-12
CVE-2026-6112 | Totolink A7100RU CGI cstecgi.cgi setRadvdCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-12
CVE-2026-6108 | 1Panel-dev MaxKB Model Context Protocol Node base_mcp_node.py execute os command injection | MaxKB | 6.3 | Medium | 2026-04-12
CVE-2026-4157 | ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability | Home Flex | 8.8 (AI) | High (AI) | 2026-04-11
CVE-2026-5059 | aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability | aws-mcp-server | 9.8 (AI) | Critical (AI) | 2026-04-11
CVE-2026-5058 | aws-mcp-server Command Injection Remote Code Execution Vulnerability | aws-mcp-server | 9.8 (AI) | Critical (AI) | 2026-04-11
CVE-2026-32892 | OS Command Injection in Chamilo LMS 1.11.36 | chamilo-lms | 9.1 | Critical | 2026-04-10
CVE-2026-6029 | Totolink A7100RU CGI cstecgi.cgi setVpnAccountCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-10
CVE-2026-6028 | Totolink A7100RU CGI cstecgi.cgi setPptpServerCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-10
CVE-2026-6027 | Totolink A7100RU CGI cstecgi.cgi setUrlFilterRules os command injection | A7100RU | 9.8 | Critical | 2026-04-10
CVE-2026-6026 | Totolink A7100RU CGI cstecgi.cgi setPortalConfWeChat os command injection | A7100RU | 9.8 | Critical | 2026-04-10
CVE-2026-6025 | Totolink A7100RU CGI cstecgi.cgi setSyslogCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-10
CVE-2026-5997 | Totolink A7100RU CGI cstecgi.cgi setLoginPasswordCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-10
CVE-2026-5996 | Totolink A7100RU CGI cstecgi.cgi setAdvancedInfoShow os command injection | A7100RU | 9.8 | Critical | 2026-04-10
CVE-2026-5995 | Totolink A7100RU CGI cstecgi.cgi setMiniuiHomeInfoShow os command injection | A7100RU | 9.8 | Critical | 2026-04-10
CVE-2026-5994 | Totolink A7100RU CGI cstecgi.cgi setTelnetCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-10
CVE-2026-5993 | Totolink A7100RU CGI cstecgi.cgi setWiFiGuestCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-10
CVE-2026-33791 | Junos OS and Junos OS Evolved: Execution of crafted CLI commands allows for arbitrary shell injection as root | Junos OS | 6.7 | Medium | 2026-04-09
CVE-2026-40111 | PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py) | PraisonAIAgents | 7.8 (AI) | High (AI) | 2026-04-09
CVE-2026-5978 | Totolink A7100RU CGI cstecgi.cgi setWiFiAclRules os command injection | A7100RU | 9.8 | Critical | 2026-04-09
CVE-2026-5977 | Totolink A7100RU CGI cstecgi.cgi setWiFiBasicCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-09
CVE-2026-5976 | Totolink A7100RU CGI cstecgi.cgi setStorageCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-09
CVE-2026-5975 | Totolink A7100RU CGI cstecgi.cgi setDmzCfg os command injection | A7100RU | 9.8 | Critical | 2026-04-09
CVE-2026-40088 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai | PraisonAI | 9.7 | Critical | 2026-04-09

Vulnerabilities classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) represent 2740 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.