CWE-77
Allowed-with-ReviewImproper Neutralization of Special Elements used in a Command ('Command Injection')
Abstraction: Class · Status: Draft
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
5381 vulnerabilities reference this CWE, most recent first.
GHSA-988V-V47J-CJ4P
Vulnerability from github – Published: 2024-01-26 09:30 – Updated: 2024-01-26 09:30A vulnerability was found in TRENDnet TEW-822DRE 1.03B02. It has been declared as critical. This vulnerability affects unknown code of the file /admin_ping.htm of the component POST Request Handler. The manipulation of the argument ipv4_ping/ipv6_ping leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252124. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-0920"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-26T09:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in TRENDnet TEW-822DRE 1.03B02. It has been declared as critical. This vulnerability affects unknown code of the file /admin_ping.htm of the component POST Request Handler. The manipulation of the argument ipv4_ping/ipv6_ping leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252124. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-988v-v47j-cj4p",
"modified": "2024-01-26T09:30:23Z",
"published": "2024-01-26T09:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0920"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.252124"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.252124"
},
{
"type": "WEB",
"url": "https://warp-desk-89d.notion.site/TEW-822DRE-5289eb95796749c2878843519ab451d8?pvs=4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-98F5-7JQ3-JHGQ
Vulnerability from github – Published: 2026-03-18 00:30 – Updated: 2026-03-18 00:30IBM Sterling B2B Integrator and and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 could allow an unauthenticated attacker to send a specially crafted request that causes the application to crash.
{
"affected": [],
"aliases": [
"CVE-2025-14031"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-17T23:16:15Z",
"severity": "HIGH"
},
"details": "IBM Sterling B2B Integrator and\u00a0and IBM Sterling File Gateway\u00a06.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 could allow an unauthenticated attacker to send a specially crafted request that causes the application to crash.",
"id": "GHSA-98f5-7jq3-jhgq",
"modified": "2026-03-18T00:30:54Z",
"published": "2026-03-18T00:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14031"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7266520"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-98JH-MF4R-8HC8
Vulnerability from github – Published: 2024-05-22 21:30 – Updated: 2024-05-22 21:30A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the 'open_file' function. An attacker can exploit this vulnerability by crafting a malicious file path that, when processed by the 'open_file' function, executes arbitrary system commands or reads sensitive file content. This issue is present in the code where subprocess.Popen is used unsafely to open files based on user-supplied paths without adequate validation, leading to potential command injection.
{
"affected": [],
"aliases": [
"CVE-2024-4267"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-22T20:15:09Z",
"severity": "HIGH"
},
"details": "A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the \u0027open_file\u0027 module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the \u0027open_file\u0027 function. An attacker can exploit this vulnerability by crafting a malicious file path that, when processed by the \u0027open_file\u0027 function, executes arbitrary system commands or reads sensitive file content. This issue is present in the code where subprocess.Popen is used unsafely to open files based on user-supplied paths without adequate validation, leading to potential command injection.",
"id": "GHSA-98jh-mf4r-8hc8",
"modified": "2024-05-22T21:30:35Z",
"published": "2024-05-22T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4267"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/5a127724-cc13-4ea6-b81f-41546a7fff81"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-98P4-XJMM-8MFH
Vulnerability from github – Published: 2024-04-15 19:33 – Updated: 2024-07-05 18:07Summary
gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.
Details
This is related to the patched vulnerability https://github.com/advisories/GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. Since https://github.com/Byron/gitoxide/pull/1032, gix-transport checks the host and path portions of a URL for text that has a - in a position that will cause ssh to interpret part of all of the URL as an option argument. But it does not check the non-mandatory username portion of the URL.
As in Git, when an address is a URL of the form ssh://username@hostname/path, or when it takes the special form username@hostname:dirs/repo, this is treated as an SSH URL. gix-transport will replace some characters in username with their %-based URL encodings, but otherwise passes username@hostname as an argument to the external ssh command. This happens even if username begins with a hyphen. In that case, ssh treats that argument as an option argument, and attempts to interpret and honor it as a sequence of one or more options possibly followed by an operand for the last option.
This is harder to exploit than GHSA-rrjw-j4m2-mf34, because the possibilities are constrained by:
- The difficulty of forming an option argument
sshaccepts, given that characters such as=,/, and\, are URL-encoded,:is removed, and the argument passed tosshcontains the@sign and subsequent host identifier, which in an effective attack must be parseable as a suffix of the operand passed to the last option.
The inability to include a literal = prevents the use of -oNAME=VALUE (e.g., -oProxyCommand=payload). The inability to include a literal / or \ prevents smuggling in a path operand residing outside the current working directory, incuding on Windows. (Although a ~ character may be smuggled in, ssh does not perform its own tilde expansion, so it does not form an absolute path.)
- The difficulty, or perhaps impossibility, of completing a connection (other than when arbitrary code execution has been achieved). This complicates or altogether prevents the use of options such as
-Aand-Xtogether with a connection to a real but malicious server. The reason a connection cannot generally be completed when exploiting this vulnerability is that, because the argumentgix-transportintends as a URL is treated as an option argument,sshtreats the subsequent non-option argumentgit-upload-packas the host instead of the command, but it is not a valid host name.
Although ssh supports aliases for hosts, even if git-upload-pack could be made an alias, that is made difficult by the URL-encoding transformation.
However, an attacker who is able to cause a specially named ssh configuration file to be placed in the current working directory can smuggle in an -F option referencing the file, and this allows arbitrary command execution.
This scenario is especially plausible because programs that operate on git repositories are often run in untrusted git repositories, sometimes even to operate on another repository. Situations where this is likely, such that an attacker could predict or arrange it, may for some applications include a malicious repository with a malicious submodule configuration.
Other avenues of exploitation exist, but appear to be less severe. For example, the -E option can be smuggled to create or append to a file in the current directory (or its target, if it is a symlink). There may also be other significant ways to exploit this that have not yet been discovered, or that would arise with new options in future versions of ssh.
PoC
To reproduce the known case that facilitates arbitrary code execution, first create a file in the current directory named configfile@example.com, of the form
ProxyCommand payload
where payload is a command with an observable side effect. On Unix-like systems, this could be date | tee vulnerable or an xdg-open, open, or other command command to launch a graphical application. On Windows, this could be the name of a graphical application already in the search path, such as calc.exe.
(Although the syntax permitted in the value of ProxyCommand may vary by platform, this is not limited to running commands in the current directory. That limitation only applies to paths directly smuggled in the username, not to the contents of a separate malicious configuration file. Arbitrary other settings may be specified in configfile@example.com as well.)
Then run:
gix clone 'ssh://-Fconfigfile@example.com/abc'
Or:
gix clone -- '-Fconfigfile@example.com:abc/def'
(The -- is required to ensure that gix is really passing the argument as a URL for use in gix-transport, rather than interpreting it as an option itself, which would not necessarily be a vulnerability.)
In either case, the payload specified in configfile@example.com runs, and its side effect can be observed.
Other cases may likewise be produced, in either of the above two forms of SSH addresses. For example, to create or append to the file errors@example.com, or to create or append to its target if it is a symlink:
gix clone 'ssh://-Eerrors@example.com/abc'
gix clone -- '-Eerrors@example.com:abc/def'
Impact
As in https://github.com/advisories/GHSA-rrjw-j4m2-mf34, this would typically require user interaction to trigger an attempt to clone or otherwise connect using the malicious URL. Furthermore, known means of exploiting this vulnerability to execute arbitrary commands require further preparatory steps to establish a specially named file in the current directory. The impact is therefore expected to be lesser, though it is difficult to predict it with certainty because it is not known exactly what scenarios will arise when using the gix-transport library.
Users who use applications that make use of gix-transport are potentially vulnerable, especially:
- On repositories with submodules that are automatically added, depending how the application manages submodules.
- When operating on other repositories from inside an untrusted repository.
- When reviewing contributions from untrusted developers by checking out a branch from an untrusted fork and performing clones from that location.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "gix-transport"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.42.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "gix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.62"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "gitoxide"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.35"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-32884"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-88"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-15T19:33:03Z",
"nvd_published_at": "2024-04-26T18:15:46Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.\n\n### Details\n\nThis is related to the patched vulnerability https://github.com/advisories/GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. Since https://github.com/Byron/gitoxide/pull/1032, `gix-transport` checks the host and path portions of a URL for text that has a `-` in a position that will cause `ssh` to interpret part of all of the URL as an option argument. But it does not check the non-mandatory username portion of the URL.\n\nAs in Git, when an address is a URL of the form `ssh://username@hostname/path`, or when it takes the special form `username@hostname:dirs/repo`, this is treated as an SSH URL. `gix-transport` will replace some characters in `username` with their `%`-based URL encodings, but otherwise passes `username@hostname` as an argument to the external `ssh` command. This happens even if `username` begins with a hyphen. In that case, `ssh` treats that argument as an option argument, and attempts to interpret and honor it as a sequence of one or more options possibly followed by an operand for the last option.\n\nThis is harder to exploit than GHSA-rrjw-j4m2-mf34, because the possibilities are constrained by:\n\n- The difficulty of forming an option argument `ssh` accepts, given that characters such as `=`, `/`, and `\\`, are URL-encoded, `:` is removed, and the argument passed to `ssh` contains the `@` sign and subsequent host identifier, which in an effective attack must be parseable as a suffix of the operand passed to the last option.\n\n The inability to include a literal `=` prevents the use of `-oNAME=VALUE` (e.g., `-oProxyCommand=payload`). The inability to include a literal `/` or `\\` prevents smuggling in a path operand residing outside the current working directory, incuding on Windows. (Although a `~` character may be smuggled in, `ssh` does not perform its own tilde expansion, so it does not form an absolute path.)\n\n- The difficulty, or perhaps impossibility, of completing a connection (other than when arbitrary code execution has been achieved). This complicates or altogether prevents the use of options such as `-A` and `-X` together with a connection to a real but malicious server. The reason a connection cannot generally be completed when exploiting this vulnerability is that, because the argument `gix-transport` intends as a URL is treated as an option argument, `ssh` treats the subsequent non-option argument `git-upload-pack` as the host instead of the command, but it is not a valid host name.\n\n Although `ssh` supports aliases for hosts, even if `git-upload-pack` could be made an alias, that is made difficult by the URL-encoding transformation.\n\nHowever, an attacker who is able to cause a specially named `ssh` configuration file to be placed in the current working directory can smuggle in an `-F` option referencing the file, and this allows arbitrary command execution.\n\nThis scenario is especially plausible because programs that operate on git repositories are often run in untrusted git repositories, sometimes even to operate on another repository. Situations where this is likely, such that an attacker could predict or arrange it, may for some applications include a malicious repository with a malicious submodule configuration.\n\nOther avenues of exploitation exist, but appear to be less severe. For example, the `-E` option can be smuggled to create or append to a file in the current directory (or its target, if it is a symlink). There may also be other significant ways to exploit this that have not yet been discovered, or that would arise with new options in future versions of `ssh`.\n\n### PoC\n\nTo reproduce the known case that facilitates arbitrary code execution, first create a file in the current directory named `configfile@example.com`, of the form\n\n```text\nProxyCommand payload\n```\n\nwhere `payload` is a command with an observable side effect. On Unix-like systems, this could be `date | tee vulnerable` or an `xdg-open`, `open`, or other command command to launch a graphical application. On Windows, this could be the name of a graphical application already in the search path, such as `calc.exe`.\n\n(Although the syntax permitted in the value of `ProxyCommand` may vary by platform, this is not limited to running commands in the current directory. That limitation only applies to paths directly smuggled in the username, not to the contents of a separate malicious configuration file. Arbitrary other settings may be specified in `configfile@example.com` as well.)\n\nThen run:\n\n```sh\ngix clone \u0027ssh://-Fconfigfile@example.com/abc\u0027\n```\n\nOr:\n\n```sh\ngix clone -- \u0027-Fconfigfile@example.com:abc/def\u0027\n```\n\n(The `--` is required to ensure that `gix` is really passing the argument as a URL for use in `gix-transport`, rather than interpreting it as an option itself, which would not necessarily be a vulnerability.)\n\nIn either case, the payload specified in `configfile@example.com` runs, and its side effect can be observed.\n\nOther cases may likewise be produced, in either of the above two forms of SSH addresses. For example, to create or append to the file `errors@example.com`, or to create or append to its target if it is a symlink:\n\n```sh\ngix clone \u0027ssh://-Eerrors@example.com/abc\u0027\n```\n\n```sh\ngix clone -- \u0027-Eerrors@example.com:abc/def\u0027\n```\n\n### Impact\n\nAs in https://github.com/advisories/GHSA-rrjw-j4m2-mf34, this would typically require user interaction to trigger an attempt to clone or otherwise connect using the malicious URL. Furthermore, known means of exploiting this vulnerability to execute arbitrary commands require further preparatory steps to establish a specially named file in the current directory. The impact is therefore expected to be lesser, though it is difficult to predict it with certainty because it is not known exactly what scenarios will arise when using the `gix-transport` library.\n\nUsers who use applications that make use of `gix-transport` are potentially vulnerable, especially:\n\n- On repositories with submodules that are automatically added, depending how the application manages submodules.\n- When operating on other repositories from inside an untrusted repository.\n- When reviewing contributions from untrusted developers by checking out a branch from an untrusted fork and performing clones from that location.\n",
"id": "GHSA-98p4-xjmm-8mfh",
"modified": "2024-07-05T18:07:37Z",
"published": "2024-04-15T19:33:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32884"
},
{
"type": "PACKAGE",
"url": "https://github.com/Byron/gitoxide"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "gix-transport indirect code execution via malicious username"
}
GHSA-98Q6-PQ9M-CHF7
Vulnerability from github – Published: 2026-01-26 06:30 – Updated: 2026-01-26 06:30A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
{
"affected": [],
"aliases": [
"CVE-2026-1419"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-26T05:16:05Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.",
"id": "GHSA-98q6-pq9m-chf7",
"modified": "2026-01-26T06:30:28Z",
"published": "2026-01-26T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1419"
},
{
"type": "WEB",
"url": "https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Command-Injection-Vulnerability-in-LightSensorControl-Parameter-2e6b5c52018a80ada0f6d7e72efd7a45?source=copy_link"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.342815"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.342815"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.736554"
},
{
"type": "WEB",
"url": "https://www.dlink.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-98QX-42H7-G53P
Vulnerability from github – Published: 2023-01-05 09:30 – Updated: 2023-01-11 18:30Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below.
{
"affected": [],
"aliases": [
"CVE-2022-43537"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-05T07:15:00Z",
"severity": "HIGH"
},
"details": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below.",
"id": "GHSA-98qx-42h7-g53p",
"modified": "2023-01-11T18:30:31Z",
"published": "2023-01-05T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43537"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-020.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-98RG-95R3-8MJW
Vulnerability from github – Published: 2022-04-03 00:01 – Updated: 2022-04-10 00:01An attacker could leverage an API to pass along a malicious file that could then manipulate the process creation command line in MDT AutoSave versions prior to v6.02.06 and run a command line argument. This could then be leveraged to run a malicious process.
{
"affected": [],
"aliases": [
"CVE-2021-32933"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-01T23:15:00Z",
"severity": "CRITICAL"
},
"details": "An attacker could leverage an API to pass along a malicious file that could then manipulate the process creation command line in MDT AutoSave versions prior to v6.02.06 and run a command line argument. This could then be leveraged to run a malicious process.",
"id": "GHSA-98rg-95r3-8mjw",
"modified": "2022-04-10T00:01:05Z",
"published": "2022-04-03T00:01:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32933"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-98VG-CQGX-463P
Vulnerability from github – Published: 2026-03-29 03:30 – Updated: 2026-03-29 03:30A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument NoticeUrl results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
{
"affected": [],
"aliases": [
"CVE-2026-5020"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-29T01:15:57Z",
"severity": "MODERATE"
},
"details": "A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument NoticeUrl results in command injection. The attack may be launched remotely. The exploit is now public and may be used.",
"id": "GHSA-98vg-cqgx-463p",
"modified": "2026-03-29T03:30:17Z",
"published": "2026-03-29T03:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5020"
},
{
"type": "WEB",
"url": "https://lavender-bicycle-a5a.notion.site/TOTOLINK_A3600R_setNoticeCfg-32253a41781f80c197eaf8e7558c5ed1?source=copy_link"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/779536"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/353905"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/353905/cti"
},
{
"type": "WEB",
"url": "https://www.totolink.net"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9947-RVQR-CP4Q
Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-05-26 00:01A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-23673"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-17T18:15:00Z",
"severity": "HIGH"
},
"details": "A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.",
"id": "GHSA-9947-rvqr-cp4q",
"modified": "2022-05-26T00:01:13Z",
"published": "2022-05-18T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23673"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-007.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-995X-33WQ-8GC9
Vulnerability from github – Published: 2022-12-14 06:30 – Updated: 2023-08-08 22:09The package cycle-import-check before version 1.3.2 is vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cycle-import-check"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24377"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-14T21:40:46Z",
"nvd_published_at": "2022-12-14T05:15:00Z",
"severity": "CRITICAL"
},
"details": "The package cycle-import-check before version 1.3.2 is vulnerable to Command Injection via the `writeFileToTmpDirAndOpenIt` function due to improper user-input sanitization.",
"id": "GHSA-995x-33wq-8gc9",
"modified": "2023-08-08T22:09:46Z",
"published": "2022-12-14T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24377"
},
{
"type": "WEB",
"url": "https://github.com/Soontao/cycle-import-check/commit/1ca97b59df7e9c704471fcb4cf042ce76d7c9890"
},
{
"type": "PACKAGE",
"url": "https://github.com/Soontao/cycle-import-check"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-CYCLEIMPORTCHECK-3157955"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "cycle-import-check vulnerable to Command Injection"
}
Mitigation
If at all possible, use library calls rather than external processes to recreate the desired functionality.
Mitigation
If possible, ensure that all external commands called from the program are statically created.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.
Mitigation
Assign permissions that prevent the user from accessing/opening privileged files.
CAPEC-136: LDAP Injection
An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-183: IMAP/SMTP Command Injection
An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.
CAPEC-248: Command Injection
An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.
CAPEC-40: Manipulating Writeable Terminal Devices
This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
CAPEC-43: Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.