Critical severity9.8NVD Advisory· Published Apr 10, 2024· Updated May 15, 2026

CVE-2024-3566

Description

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

Affected products

Haskell/Process Library
cpe:2.3:a:haskell:process_library:*:*:*:*:*:*:*:*
Range: <1.6.19.0
Node.js/Node.js
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
Range: <18.20.2
PHP/PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Range: <8.1.28
Rust Lang/Rust
cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*
Range: <1.77.2
Yt Dlp Project/Yt Dlp
cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*
Range: >=2021.04.11,<2024.04.09
Haskell Programming Language/Haskelv5
Range: *
Go Programming Language/Golangv5
Range: *

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/nvdExploitThird Party Advisory
github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566nvdThird Party Advisory
kb.cert.org/vuls/id/123335nvdThird Party Advisory
learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-waynvdTechnical Description
www.cve.org/CVERecordnvdNot Applicable
www.cve.org/CVERecordnvdNot Applicable
www.cve.org/CVERecordnvdNot Applicable
www.kb.cert.org/vuls/id/123335nvdNot Applicable

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.008
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000