CWE · MITRE source
CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage. There are at least two subtypes of OS command injection: From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (2)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
SC-27 | Platform-independent Applications | SC | Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. |
SI-10 | Information Input Validation | SI | Validates inputs to block special elements that would alter OS command execution. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2024-1212 KEV | 9.7 | 10.0 | 0.9430 | 2024-02-21 |
CVE-2024-50603 KEV | 9.7 | 10.0 | 0.9436 | 2025-01-08 |
CVE-2014-6271 KEV | 9.6 | 9.8 | 0.9422 | 2014-09-24 |
CVE-2018-6530 KEV | 9.6 | 9.8 | 0.9429 | 2018-03-06 |
CVE-2018-10562 KEV | 9.6 | 9.8 | 0.9403 | 2018-05-04 |
CVE-2018-11138 KEV | 9.6 | 9.8 | 0.9344 | 2018-05-31 |
CVE-2018-14933 KEV | 9.6 | 9.8 | 0.9387 | 2018-08-04 |
CVE-2019-3929 KEV | 9.6 | 9.8 | 0.9425 | 2019-04-30 |
CVE-2017-18368 KEV | 9.6 | 9.8 | 0.9359 | 2019-05-02 |
CVE-2019-10149 KEV | 9.6 | 9.8 | 0.9392 | 2019-06-05 |
CVE-2019-7256 KEV | 9.6 | 9.8 | 0.9440 | 2019-07-02 |
CVE-2019-15107 KEV | 9.6 | 9.8 | 0.9446 | 2019-08-16 |
CVE-2019-16057 KEV | 9.6 | 9.8 | 0.9405 | 2019-09-16 |
CVE-2019-16920 KEV | 9.6 | 9.8 | 0.9434 | 2019-09-27 |
CVE-2020-7247 KEV | 9.6 | 9.8 | 0.9411 | 2020-01-29 |
CVE-2020-8515 KEV | 9.6 | 9.8 | 0.9436 | 2020-02-01 |
CVE-2020-9054 KEV | 9.6 | 9.8 | 0.9426 | 2020-03-04 |
CVE-2020-10987 KEV | 9.6 | 9.8 | 0.9368 | 2020-07-13 |
CVE-2020-25223 KEV | 9.6 | 9.8 | 0.9423 | 2020-09-25 |
CVE-2020-16846 KEV | 9.6 | 9.8 | 0.9439 | 2020-11-06 |
CVE-2020-25506 KEV | 9.6 | 9.8 | 0.9429 | 2021-02-02 |
CVE-2021-22502 KEV | 9.6 | 9.8 | 0.9376 | 2021-02-08 |
CVE-2021-1497 KEV | 9.6 | 9.8 | 0.9436 | 2021-05-06 |
CVE-2021-1498 KEV | 9.6 | 9.8 | 0.9421 | 2021-05-06 |
CVE-2021-36380 KEV | 9.6 | 9.8 | 0.9364 | 2021-08-13 |