Cyber Posture

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Abstraction: Class · CVEs in our corpus: 3,365

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (0)

No NIST controls proposed yet.

Top CVEs of this weakness type, ranked by Risk Priority

CVE             KEV  Risk  CVSS  EPSS    Published
CVE-2024-3400   KEV  9.7   10.0  0.9432  2024-04-12
CVE-2007-3010   KEV  9.6   9.8   0.9402  2007-09-18
CVE-2012-1823   KEV  9.6   9.8   0.9436  2012-05-11
CVE-2016-1555   KEV  9.6   9.8   0.9433  2017-04-21
CVE-2021-1498   KEV  9.6   9.8   0.9421  2021-05-06
CVE-2023-1671   KEV  9.6   9.8   0.9430  2023-04-04
CVE-2023-20887  KEV  9.6   9.8   0.9426  2023-06-07
CVE-2024-12356  KEV  9.6   9.8   0.9386  2024-12-17
CVE-2016-20017  KEV  9.5   9.8   0.9209  2022-10-19
CVE-2024-21887  KEV  9.5   9.1   0.9441  2024-01-12
CVE-2023-1389   KEV  9.4   8.8   0.9347  2023-03-15
CVE-2024-55956  KEV  9.4   9.8   0.9122  2024-12-13
CVE-2005-2773   KEV  9.3   9.8   0.8982  2005-09-02
CVE-2015-2051   KEV  9.3   8.8   0.9302  2015-02-23
CVE-2023-2868   KEV  9.3   9.4   0.9080  2023-05-24
CVE-2023-33538  KEV  9.2   8.8   0.9057  2023-06-07
CVE-2024-3273   KEV  9.1   7.3   0.9443  2024-04-04
CVE-2020-2509   KEV  9.0   9.8   0.8396  2021-04-17
CVE-2019-0541   KEV  8.8   8.8   0.8339  2019-01-08
CVE-2024-9380   KEV  8.7   7.2   0.8814  2024-10-08
CVE-2017-6327   KEV  8.4   8.8   0.7679  2017-08-11
CVE-2024-12987  KEV  8.2   7.3   0.7899  2024-12-27
CVE-2016-10045  -    7.6   9.8   0.9337  2016-12-30
CVE-2019-5420   -    7.6   9.8   0.9375  2019-03-27
CVE-2020-13117  -    7.6   9.8   0.9387  2021-02-09