CWE hub
The product constructs all or part of a command using externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command.
Mapped CVEs
1961
Records currently returned for this weakness id.
Top vendor
netgear
173 mapped CVEs in the aggregate scan.
Top product
rbk852 firmware
93 mapped CVEs in the aggregate scan.
KEV on page
0
Visible rows already present in the CISA KEV catalog.
Top products
Attack patterns (CAPEC)
MITRE CAPEC 3.9 — adversary techniques known to exploit this weakness.
Adversary uses delimiter characters to chain unintended commands onto a legitimate one.
Adversary manipulates LDAP statements via unsanitized input to alter directory queries.
Adversary inserts commands into application input that is later passed to a command interpreter.
Search results
Showing 1-25 of 1,961 vulnerabilities.
A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. This affects the function sub_41A68C of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument setUssd results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
7.4
HIGH
Published
May 1, 2026
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function Vulnerability of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument proto leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
May 1, 2026
A vulnerability was detected in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. This impacts the function sub_425A28 of the file /goform/DelFil. The manipulation of the argument delflag results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
CVSS
2.1
LOW
Published
Apr 30, 2026
A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyze_results/filter_results/export_results/compare_results/scan_directory/create_rule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
5.5
MEDIUM
Published
Apr 30, 2026
A weakness has been identified in BurtTheCoder mcp-dnstwist up to 1.0.4. Affected by this vulnerability is the function fuzz_domain of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument Request can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
5.5
MEDIUM
Published
Apr 29, 2026
A vulnerability was found in PolarVista xcode-mcp-server 1.0.0. This issue affects the function build_project/run_tests of the file src/index.ts of the component MCP Interface. The manipulation of the argument Request results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
5.5
MEDIUM
Published
Apr 29, 2026
A vulnerability has been found in eiliyaabedini aider-mcp up to 667b914301aada695aab0e46d1fb3a7d5e32c8af. Affected is an unknown function of the file aider_mcp.py of the component code_with_ai. The manipulation of the argument working_dir/editable_files leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
5.5
MEDIUM
Published
Apr 28, 2026
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument merge results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 28, 2026
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument maxRtrAdvInterval leads to os command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 28, 2026
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnClientCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enabled can lead to os command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 28, 2026
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wifiOff results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 28, 2026
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument User leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 28, 2026
A vulnerability has been found in jackwrichards FastlyMCP up to 6f3d0b0e654fc51076badc7fa16c03c461f95620. This impacts an unknown function of the file fastly-mcp.mjs of the component fastly_cli Tool. The manipulation of the argument command leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
5.5
MEDIUM
Published
Apr 28, 2026
A security flaw has been discovered in egtai gmx-vmd-mcp up to 0.1.0. This issue affects the function launch_vmd_gui_tool of the file mcp_server.py of the component VMD Launch Handler. The manipulation of the argument structure_file/trajectory_file results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
5.5
MEDIUM
Published
Apr 28, 2026
A weakness has been identified in dvladimirov MCP up to 0.1.0. The impacted element is the function GitSearchRequest of the file mcp_server.py of the component Git Search API. Executing a manipulation of the argument repo_url/pattern can lead to command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
5.5
MEDIUM
Published
Apr 28, 2026
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 28, 2026
A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 28, 2026
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWiFiWpsStart of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument wscDisabled leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 28, 2026
A vulnerability was determined in Tenda HG3 2.0. This vulnerability affects the function formTracert of the file /boaform/formTracert. Executing a manipulation of the argument datasize can lead to command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
CVSS
7.4
HIGH
Published
Apr 27, 2026
A flaw has been found in disler aider-mcp-server up to b2516fa466d0d851932da92ee6d0e66946db9efc. Affected by this vulnerability is an unknown functionality of the file src/aider_mcp_server/server.py of the component aider_ai_code. This manipulation of the argument relative_editable_files causes command injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
5.5
MEDIUM
Published
Apr 27, 2026
A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument HTTP results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 27, 2026
A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 27, 2026
A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument tty_server can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 27, 2026
A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sys_info results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 27, 2026
A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument telnet_enabled leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Affected vendor
Structured metadata unavailable
Affected product
Product metadata unavailable
Coverage
No structured product entries
CVSS
8.9
HIGH
Published
Apr 27, 2026
