CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

We have discovered 430,000 live websites that are affected by CWE-78.

Available Reports

Website List

CVEs

Count - 25

CWE References

cwe.mitre.org

Website Distribution by Country

Number of websites using CWE-78

United States	113,604 websites

France	86,849 websites
Netherlands	37,306 websites
Germany	32,697 websites
Russia	20,667 websites
Cyprus	12,498 websites
Japan	11,679 websites
Australia	9,987 websites
Iran	9,030 websites
GB	8,183 websites

Website Distribution by TLD

Number of websites using CWE-78

.com	142,016 websites
.nl	34,609 websites
.fr	33,614 websites
.ru	20,330 websites
.org	17,608 websites
.de	14,002 websites
.net	11,289 websites
.com.br	10,701 websites
.co.uk	8,648 websites
.com.au	8,438 websites

Newest CVEs

List of the most recent CVEs that are part of CWE-78

Discovered	CVE	Description	Websites
May, 2025	CVE-2025-24022	iTop server vulnerable to portal code injection	20
Apr, 2025	CVE-2025-43920	GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, all...	485
Mar, 2025	CVE-2025-30076	Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the too...	1,078
Jan, 2025	CVE-2025-22604	Cacti has Authenticated RCE via multi-line SNMP responses	73
Nov, 2024	CVE-2022-1884	Remote Command Execution in gogs/gogs	56
Nov, 2024	CVE-2024-51661	WordPress Media Library Assistant plugin <= 3.19 - Remote Code Execution (RCE) vulnerability	20
Oct, 2024	CVE-2024-45720	Apache Subversion: Command line argument injection on Windows platforms	7,003
Oct, 2024	CVE-2024-8926	PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)	342,063
Aug, 2024	CVE-2024-39401	Adobe Commerce \| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)	3,696
Aug, 2024	CVE-2024-39402	Adobe Commerce \| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)	3,696

The most widespread CVEs

List of the most common CVEs that are part of CWE-78

Discovered	CVE	Description	Websites
Oct, 2024	CVE-2024-8926	PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)	342,063
Jun, 2024	CVE-2024-4577	Argument Injection in PHP-CGI	118,500
Aug, 2021	CVE-2021-36011	Adobe Illustrator improper neutralization of special elements used in an OS command	74,515
Oct, 2024	CVE-2024-45720	Apache Subversion: Command line argument injection on Windows platforms	7,003
Aug, 2024	CVE-2024-39401	Adobe Commerce \| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)	3,696
Aug, 2024	CVE-2024-39402	Adobe Commerce \| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)	3,696
Sep, 2023	CVE-2021-36023	Magento Commerce Widgets Update Layout XML Injection Vulnerability Could Lead To Remote Code Execution	3,544
Feb, 2021	CVE-2021-21302	CSV Injection via csv export	1,823
Mar, 2025	CVE-2025-30076	Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the too...	1,078
Apr, 2025	CVE-2025-43920	GNU Mailman 2.1.39, as bundled in cPanel (and WHM), in certain external archiver configurations, all...	485

Websites affected by CWE-78

Top websites that are affected by CWE-78. Please click on the "Contact us" link to get more information.

Domain	Country	Rank
******.com	United States	**
********.com	United States	***
******.com	United States	,**
*****.cz	Czech Republic	,**
******.******.it	Italy	,**
********.com	United States	,**
***********.de	Germany	,**
**********.com	United States	,**
***.gov	United States	,**
*******.com	Germany	,**

See full domain list