CWE-78 6153 CVEs MITRE definition ↗

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Overview

CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

Security impact
Security impact: Depends on product and context; use CVE records, severity scores, and MITRE guidance to prioritize.

Description

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Applicable platforms

Kind Name Class Prevalence OS / CPE
language Not Language-Specific Undetermined
technology Not Technology-Specific Undetermined
technology AI/ML Often
technology Web Server Often

Related CVEs in this database

These CVEs are mapped to this weakness in this database and kept for traceability and search.

CVE Published Summary
CVE-2026-55173 2026-07-16 WWBN AVideo is an open source video platform. Versions 29.0 and below remain vulnerable to OS command injection because the fix for CVE-2026-33482 was incomplete and still does not neutralize a single…
CVE-2026-47751 2026-07-16 Claude Code Action is a general-purpose GitHub action that runs Claude Code on GitHub pull requests and issues. Prior to 1.0.74, because the action checked out attacker-controlled pull request head br…
CVE-2026-14371 2026-07-16 The Lenovo XClarity Integrator for Windows Admin Center plugin version 5.1.1 and below running on the WAC Gateway is vulnerable to Powershell Command Injection when establishing remote PowerShell comm…
CVE-2026-45695 2026-07-16 Kopia is a cross-platform backup tool for Windows, macOS, and Linux with fast incremental backups, client-side end-to-end encryption, compression, and data deduplication. Prior to 0.23.0, Kopia's HTTP…
CVE-2026-63305 2026-07-16 AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are concatenated into a shell command without escaping. Atta…
CVE-2026-63304 2026-07-16 AVideo through 29.0 contains an OS command injection vulnerability in plugin/API/standAlone/functions.php where the listFFmpegProcesses() function interpolates unsanitized keyword parameters inside si…
CVE-2023-49900 2026-07-16 An unauthenticated remote attacker is able to perform remote code execution due to incorrectly sanitized user input in the SetParameter command.
CVE-2026-55576 2026-07-15 MaaAssistantArknights is a one-click tool for daily Arknights tasks. In the current dev-v2 workflow, .github/workflows/release-preparation.yml inlined attacker-controlled github.event.pull_request.tit…
CVE-2026-52891 2026-07-15 Wekan is open source kanban built with Meteor. Prior to 9.07, Wekan avatar upload functionality embeds user-supplied filenames into paths later passed to child_process.exec() for MIME-type detection. …
CVE-2026-62312 2026-07-15 9Router is an AI router & token saver. Prior to 0.5.2, 9Router allows a remote authenticated attacker to achieve arbitrary code execution on the host operating system by combining a Host header bypass…
CVE-2026-55410 2026-07-15 NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.1.19, NocoBase @nocobase/plugin-backups restored PostgreSQL backups by inter…
CVE-2026-46339 2026-07-15 9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/* and /api/mcp/*, allowing unauthenticated registration of customPlugi…
CVE-2026-15895 2026-07-15 OS command injection in the npm package loading component in AWS jsii-diff before 1.131.0 might allow context-dependent attackers to execute arbitrary commands via crafted package specifiers passed to…
CVE-2026-46709 2026-07-15 Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.234, Tabby inserts dropped file paths from tabby-electron/src/pathDrop.ts into the active shell without neutralizing …
CVE-2026-61438 2026-07-15 PraisonAI before 4.6.78 contains a remote code execution vulnerability in JobWorkflowExecutor._exec_inline_python() due to insufficient AST validation of workflow script steps. Attackers can create ma…
CVE-2026-48347 2026-07-14 Animate is affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result in arbitrary code execution in the context of the c…
CVE-2026-48345 2026-07-14 Animate is affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result in arbitrary code execution in the context of the c…
CVE-2026-15428 2026-07-14 An OS command injection vulnerability exists in Archer VX800v v1 due to insufficient input sanitization of the domain name parameter. An adjacent attacker who can access the relevant HTTP interface ca…
CVE-2026-15427 2026-07-14 An OS command injection vulnerability exists in the TR-069 / CWMP management interface of Archer VX1800v v1 due to insufficient input validation and sanitization of parameters, allowing crafted input …
CVE-2026-58479 2026-07-14 Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a command injection vulnerability in the optional cli_control plugin that allows unauthenticated or cross-site request forgery att…

Previous names

  • OS Command Injection (2008-04-11)
  • Failure to Sanitize Data into an OS Command (aka 'OS Command Injection') (2009-01-12)
  • Failure to Preserve OS Command Structure (aka 'OS Command Injection') (2009-05-27)
  • Failure to Preserve OS Command Structure ('OS Command Injection') (2009-07-27)
  • Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (2010-06-21)

Content submission

Name
PLOVER
Date
2006-07-19
Version
Draft 3

Content modifications

Date Name Version Importance Comment
2008-07-01 Sean Eidemiller 1.0 added/updated demonstrative examples
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-08-01 1.0 added/updated white box definitions
2008-08-15 1.0 Suggested OWASP Top Ten 2004 mapping
2008-09-08 CWE Content Team 1.0 updated Relationships, Other_Notes, Taxonomy_Mappings
2008-10-14 CWE Content Team 1.0.1 updated Description
2008-11-24 CWE Content Team 1.1 updated Observed_Examples, Relationships, Taxonomy_Mappings
2009-01-12 CWE Content Team 1.2 updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Terminology_Notes
2009-03-10 CWE Content Team 1.3 updated Potential_Mitigations
2009-05-27 CWE Content Team 1.4 updated Name, Related_Attack_Patterns
2009-07-17 KDM Analytics 1.5 Improved the White_Box_Definition
2009-07-27 CWE Content Team 1.5 updated Description, Name, White_Box_Definitions
2009-10-29 CWE Content Team 1.6 updated Observed_Examples, References
2009-12-28 CWE Content Team 1.7 updated Detection_Factors
2010-02-16 CWE Content Team 1.8 updated Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2010-04-05 CWE Content Team 1.8.1 updated Potential_Mitigations
2010-06-21 CWE Content Team 1.9 updated Common_Consequences, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, References, Relationships
2010-09-27 CWE Content Team 1.10 updated Potential_Mitigations
2010-12-13 CWE Content Team 1.11 updated Description, Potential_Mitigations
2011-03-29 CWE Content Team 1.12 updated Demonstrative_Examples, Description
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27 CWE Content Team 2.0 updated Relationships
2011-09-13 CWE Content Team 2.1 updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
2012-10-30 CWE Content Team 2.3 updated Observed_Examples, Potential_Mitigations
2014-02-18 CWE Content Team 2.6 updated Applicable_Platforms, Demonstrative_Examples, Terminology_Notes
2014-06-23 CWE Content Team 2.7 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Detection_Factors, Relationships, Taxonomy_Mappings
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
2018-03-27 CWE Content Team 3.1 updated Relationships
2019-01-03 CWE Content Team 3.2 updated References, Relationships, Taxonomy_Mappings
2019-06-20 CWE Content Team 3.3 updated Relationships
2019-09-19 CWE Content Team 3.4 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Potential_Mitigations, Relationships
2020-06-25 CWE Content Team 4.1 updated Observed_Examples, Potential_Mitigations
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Potential_Mitigations, Relationships
2021-07-20 CWE Content Team 4.5 updated Observed_Examples, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-04-28 CWE Content Team 4.7 updated Demonstrative_Examples
2022-06-28 CWE Content Team 4.8 updated Observed_Examples, Relationships
2022-10-13 CWE Content Team 4.9 updated References
2023-01-31 CWE Content Team 4.10 updated Common_Consequences, Description
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, References, Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2024-07-16 CWE Content Team 4.15 updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Diagram, References
2024-11-19 CWE Content Team 4.16 updated Relationships
2025-09-09 CWE Content Team 4.18 updated Applicable_Platforms, Detection_Factors, Observed_Examples, Potential_Mitigations, References
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, Relationships, Weakness_Ordinalities
2026-04-30 CWE Content Team 4.20 updated Applicable_Platforms, Relationships

Contributions

Type Name Date Comment
Content Abhi Balakrishnan 2024-02-29 Provided diagram to improve CWE usability
cvelogic Threat Intelligence