With a command injection attack, the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied OS commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
This attack differs from code injection, in that code injection allows attackers to add their own code that is then executed by the application. In code injection, the attacker extends the default functionality of the application without the necessity of executing system commands.