CWE | Base | Stable | 20 recent CVEs
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Common consequences
- Scope: Confidentiality, Integrity, Availability, Non-Repudiation. Impact: Execute Unauthorized Code or Commands; DoS: Crash, Exit, or Restart; Read Files or Directories; Modify Files or Directories. Note: Attackers could execute unauthorized operating system commands, which could then be used to disable the product, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is
Potential mitigations
- Architecture and Design: If at all possible, use library calls rather than external processes to recreate the desired functionality.
- Architecture and Design: For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.
- Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
- Implementation: While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or whit
- Implementation: If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.
- Architecture and Design: When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
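The mitigations above are easiest to see side by side in code. The following is an added example, not part of the CWE entry: a constructed "ping a host" feature written first in the vulnerable form (an untrusted value spliced into a shell string) and then with the recommended controls: a strict allowlist on the data, no shell at all (an argv list with `shell=False`), `shlex.quote` for the case where a shell string is unavoidable, and a fixed ID-to-filename mapping for a known set of objects. The function names, the sample hostnames and the `_REPORT_FILES` paths are assumptions made for this example.

```python
"""Constructed example: the same 'ping a host' feature written the vulnerable
way (CWE-78) and the hardened way described in the mitigations above.
Function names, report paths and sample inputs are assumptions for this
example, not taken from any real project."""
import re
import shlex
import subprocess
from typing import List, Optional

# --- Vulnerable pattern ---------------------------------------------------
# The untrusted value is spliced into a command *string* that a shell parses,
# so shell metacharacters in `host` change the structure of the command.
def build_shell_command_unsafe(host: str) -> str:
    return f"ping -c 1 {host}"          # would be run with shell=True


# --- Mitigation 1: strict allowlist on the data ---------------------------
# A hostname only needs letters, digits, dots and hyphens, so anything else is
# rejected outright rather than escaped. The first and last characters must
# be alphanumeric, which also refuses a leading hyphen that the program could
# otherwise parse as an option (argument injection, CWE-88).
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def validate_hostname(host: str) -> str:
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def is_accepted(host: str) -> bool:
    """True if the allowlist accepts the value, False if it is rejected."""
    try:
        validate_hostname(host)
        return True
    except ValueError:
        return False


# --- Mitigation 2: no shell at all ----------------------------------------
# An argv list with shell=False hands the value to the program as exactly one
# argument; no shell ever interprets it, so metacharacters are inert.
def build_argv(host: str) -> List[str]:
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    return subprocess.run(
        build_argv(host), shell=False, capture_output=True, text=True, timeout=10
    )


# --- Mitigation 3: if a shell string is unavoidable, quote each argument ---
# shlex.quote wraps anything outside a small safe set in single quotes; it is
# used here only after the allowlist, as defence in depth, not instead of it.
def build_shell_command_quoted(host: str) -> str:
    return "ping -c 1 " + shlex.quote(validate_hostname(host))


# --- Mitigation 4: map fixed IDs to the real object -----------------------
# When the acceptable objects are known, the client only ever sends an opaque
# ID; the real path never leaves the server and unknown IDs are refused.
_REPORT_FILES = {  # constructed sample mapping
    "1": "/var/reports/daily.txt",
    "2": "/var/reports/weekly.txt",
}


def resolve_report(report_id: str) -> Optional[str]:
    return _REPORT_FILES.get(report_id)


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate hostnames and three values a
    # shell would interpret; the unsafe builder passes them all through, the
    # allowlist accepts only the first two.
    for candidate in ["example.com", "10.0.0.1", "example.com; id", "$(id)", "-f"]:
        print(f"{candidate!r:20} unsafe: {build_shell_command_unsafe(candidate)!r:30} "
              f"accepted: {is_accepted(candidate)}")
    print("report 1 ->", resolve_report("1"), "| report ../x ->", resolve_report("../x"))
```

The order of the controls matters: the allowlist runs before anything else, `shell=False` means the value reaches the program as a single argument, and `shlex.quote` is a fallback for code that cannot avoid a shell string rather than a replacement for validation.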
Related CWEs
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Recent CVEs classified under this CWE
| CVE | CVSS score | Date |
|---|---|---|
| CVE-2026-40519 | 7.5 | 2026-06-08 |
| CVE-2026-10544 | 6.5 | 2026-06-08 |
| CVE-2026-8913 | | 2026-06-08 |
| CVE-2026-11556 | 8.8 | 2026-06-08 |
| CVE-2026-25855 | 8.8 | 2026-06-08 |
| CVE-2026-11408 | 6.3 | 2026-06-06 |
| CVE-2026-45777 | | 2026-06-05 |
| CVE-2026-25623 | 6.0 | 2026-06-05 |
| CVE-2026-25622 | 6.0 | 2026-06-05 |
| CVE-2026-25621 | 6.0 | 2026-06-05 |
| CVE-2026-25620 | 6.0 | 2026-06-05 |
| CVE-2026-46399 | | 2026-06-05 |
| CVE-2026-46394 | | 2026-06-05 |
| CVE-2026-49492 | 8.8 | 2026-06-05 |
| CVE-2026-45750 | 9.0 | 2026-06-05 |
| CVE-2026-45748 | 9.8 | 2026-06-05 |
| CVE-2026-45744 | 9.9 | 2026-06-05 |
| CVE-2026-11341 | 6.3 | 2026-06-05 |
| CVE-2026-21837 | | 2026-06-05 |
| CVE-2026-10873 | 7.2 | 2026-06-04 |