VYPR

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

BaseDraft

Description

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-137 · CAPEC-174 · CAPEC-41 · CAPEC-460 · CAPEC-88

CVEs mapped to this weakness (169)

page 6 of 9
  • CVE-1999-0113May 23, 1994
    risk 0.04cvss epss 0.17

    Some implementations of rlogin allow root access if given a -froot parameter.

  • CVE-2006-6597Dec 15, 2006
    risk 0.03cvss epss 0.02

    Argument injection vulnerability in HyperAccess 8.4 allows user-assisted remote attackers to execute arbitrary vbscript and commands via the /r option in a telnet:// URI, which is configured to use hawin32.exe.

  • CVE-2022-23221Jan 19, 2022
    risk 0.02cvss epss 0.65

    H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

  • CVE-2006-4692Oct 10, 2006
    risk 0.02cvss epss 0.27

    Argument injection vulnerability in the Windows Object Packager (packager.exe) in Microsoft Windows XP SP1 and SP2 and Server 2003 SP1 and earlier allows remote user-assisted attackers to execute arbitrary commands via a crafted file with a "/" (slash) character in the filename…

  • CVE-2003-0907Jun 1, 2004
    risk 0.02cvss epss 0.22

    Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe.

  • CVE-2006-2056Apr 26, 2006
    risk 0.01cvss epss 0.13

    Argument injection vulnerability in Internet Explorer 6 for Windows XP SP2 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook…

  • CVE-2006-2055Apr 26, 2006
    risk 0.01cvss epss 0.15

    Argument injection vulnerability in Microsoft Outlook 2003 SP1 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an…

  • CVE-2004-0480Dec 6, 2004
    risk 0.01cvss epss 0.09

    Argument injection vulnerability in IBM Lotus Notes 6.0.3 and 6.5 allows remote attackers to execute arbitrary code via a notes: URI that uses a UNC network share pathname to provide an alternate notes.ini configuration file to notes.exe.

  • CVE-2004-0489Jul 7, 2004
    risk 0.01cvss epss 0.07

    Argument injection vulnerability in the SSH URI handler for Safari on Mac OS 10.3.3 and earlier allows remote attackers to (1) execute arbitrary code via the ProxyCommand option or (2) conduct port forwarding via the -R option.

  • CVE-2004-0411Jul 7, 2004
    risk 0.01cvss epss 0.08

    The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs,…

  • CVE-2026-12530Jun 17, 2026
    risk 0.00cvss epss 0.00

    Improper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox via crafted package name…

  • CVE-2026-44210May 26, 2026
    risk 0.00cvss epss 0.00

    ## Summary Kata Containers ships with a default configuration that allows pod creators to inject arbitrary command-line arguments into the virtiofsd process through the `io.katacontainers.config.hypervisor.virtio_fs_extra_args` pod annotation. By injecting `-o source=/` along…

  • CVE-2026-44968May 14, 2026
    risk 0.00cvss epss 0.00

    *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.** ## Summary `_run_dbt_command()` in `src/dbt_mcp/dbt_cli/tools.py` constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters…

  • CVE-2026-29608Mar 19, 2026
    risk 0.00cvss epss 0.00

    OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different…

  • CVE-2026-22168Mar 18, 2026
    risk 0.00cvss epss 0.00

    OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. Attackers can smuggle…

  • CVE-2026-28470Mar 5, 2026
    risk 0.00cvss epss 0.00

    OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $()…

  • CVE-2026-26194Mar 5, 2026
    risk 0.00cvss epss 0.00

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process.…

  • CVE-2026-24126Feb 18, 2026
    risk 0.00cvss epss 0.00

    Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access…

  • CVE-2026-24739Jan 28, 2026
    risk 0.00cvss epss 0.00

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping…

  • CVE-2025-59937Sep 29, 2025
    risk 0.00cvss epss 0.01

    go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, there is a…