CWE · MITRE source
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increase the amount of damage.

There are at least two subtypes of OS command injection. From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.
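The following is an added example, not part of the CWE entry, illustrating the first variant above and the mitigation practitioners usually pair with it: allow-list validation of the input (the SI-10 idea) combined with executing the child process through an argv list rather than a shell command string. The "hostname lookup" scenario, the `HOSTNAME_RE` pattern and all function names are our own constructions; the child process is a Python one-liner standing in for a real tool so the example runs offline.

```python
import re
import subprocess
import sys

# Allow-list for the one input this example accepts: a DNS hostname made of
# labels of letters, digits and hyphens joined by dots. Anything else is
# rejected before it can reach an OS command. The pattern is our own choice.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_hostname(host: str) -> str:
    """Return host unchanged if it matches the allow-list, otherwise raise."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected input: {host!r}")
    return host


def build_command_unsafe(host: str) -> str:
    """The weakness (first variant): untrusted input is spliced into a command
    string that would be handed to a shell, so special elements in `host`
    become part of the command instead of data. Shown for contrast only;
    nothing in this example executes the returned string."""
    return "nslookup " + host


def run_argv(value: str) -> str:
    """Run a child process with the input passed as one argv element.

    No shell is involved (shell=False is the default for a list), so the OS
    receives the string as a single argument and never interprets it. The
    child is a small Python one-liner standing in for a real tool so the
    example runs offline; it simply prints back its first argument.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True,
        text=True,
        check=True,
    )
    return proc.stdout.rstrip("\n")


def lookup_hardened(host: str) -> str:
    """Defence in depth: allow-list validation first, argv execution second."""
    return run_argv(validate_hostname(host))


if __name__ == "__main__":
    print("unsafe command string:", build_command_unsafe("demo.invalid"))
    print("hardened lookup:", lookup_hardened("demo.invalid"))
    try:
        lookup_hardened("demo.invalid; other")
    except ValueError as exc:
        print("blocked:", exc)
```

The two layers address different failure modes: the argv list guarantees that whatever string arrives is treated as data by the kernel's `execve`, while the allow-list keeps inputs that are syntactically valid arguments but semantically unwanted (for example option-like strings) out of the child entirely. If a shell is genuinely required, `shlex.quote` on each argument is the fallback, but it is a weaker guarantee than avoiding the shell.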
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 14 mapping(s) from 5 framework(s): CAPEC 5 (full) · ATT&CK 4 (mostly) · ASVS 5.0 2 (full) · CSF 2.0 2 (mostly) · OWASP-Web 1 (full)
OWASP Top 10 for Web (2025)
This weakness contributes to A05:2025 Injection.
NIST 800-53 r5 controls that address this weakness (2) (AI)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-27 | Platform-independent Applications | SC | Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. |
| SI-10 | Information Input Validation | SI | Validates inputs to block special elements that would alter OS command execution. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2014-6271 (KEV) | 10.0 | 9.8 | 1.0000 | 2014-09-24 |
| CVE-2014-7169 (KEV) | 10.0 | 9.8 | 0.9994 | 2014-09-25 |
| CVE-2014-6278 (KEV) | 10.0 | 8.8 | 0.9962 | 2014-09-30 |
| CVE-2017-6077 (KEV) | 10.0 | 9.8 | 0.6820 | 2017-02-22 |
| CVE-2017-6334 (KEV) | 10.0 | 8.8 | 0.7220 | 2017-03-06 |
| CVE-2017-6884 (KEV) | 10.0 | 8.8 | 0.3763 | 2017-04-06 |
| CVE-2017-3506 (KEV) | 10.0 | 7.4 | 0.9601 | 2017-04-24 |
| CVE-2018-6530 (KEV) | 10.0 | 9.8 | 0.9663 | 2018-03-06 |
| CVE-2018-10562 (KEV) | 10.0 | 9.8 | 0.9995 | 2018-05-04 |
| CVE-2018-11138 (KEV) | 10.0 | 9.8 | 0.9193 | 2018-05-31 |
| CVE-2018-6961 (KEV) | 10.0 | 8.1 | 0.8643 | 2018-06-11 |
| CVE-2018-9276 (KEV) | 10.0 | 7.2 | 0.8717 | 2018-07-02 |
| CVE-2018-14933 (KEV) | 10.0 | 9.8 | 0.9375 | 2018-08-04 |
| CVE-2018-14558 (KEV) | 10.0 | 9.8 | 0.0867 | 2018-10-30 |
| CVE-2019-1652 (KEV) | 10.0 | 7.2 | 0.9592 | 2019-01-24 |
| CVE-2019-11001 (KEV) | 10.0 | 7.2 | 0.3837 | 2019-04-08 |
| CVE-2019-11539 (KEV) | 10.0 | 7.2 | 0.9862 | 2019-04-26 |
| CVE-2019-3929 (KEV) | 10.0 | 9.8 | 0.9895 | 2019-04-30 |
| CVE-2017-18368 (KEV) | 10.0 | 9.8 | 0.9451 | 2019-05-02 |
| CVE-2018-14839 (KEV) | 10.0 | 9.8 | 0.8935 | 2019-05-14 |
| CVE-2019-10149 (KEV) | 10.0 | 9.8 | 0.9996 | 2019-06-05 |
| CVE-2019-7256 (KEV) | 10.0 | 9.8 | 0.9714 | 2019-07-02 |
| CVE-2019-12991 (KEV) | 10.0 | 8.8 | 0.7388 | 2019-07-16 |
| CVE-2019-15107 (KEV) | 10.0 | 9.8 | 0.9977 | 2019-08-16 |
| CVE-2019-15949 (KEV) | 10.0 | 8.8 | 0.7774 | 2019-09-05 |