CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Description
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-137 · CAPEC-174 · CAPEC-41 · CAPEC-460 · CAPEC-88
CVEs mapped to this weakness (169)
page 7 of 9

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-27146 | | | 0.00 | — | 0.00 | | Feb 25, 2025 | matrix-appservice-irc is a Node.js IRC bridge for Matrix. The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the puppeted user. The attacker can only inject commands executed as their own IRC user.… |
| CVE-2025-21613 | | | 0.00 | — | 0.01 | | Jan 6, 2025 | go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack… |
| CVE-2024-39930 | | | 0.00 | — | 0.07 | | Jul 4, 2024 | The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server… |
| CVE-2024-39933 | | | 0.00 | — | 0.01 | | Jul 4, 2024 | Gogs through 0.13.0 allows argument injection during the tagging of a new release. |
| CVE-2024-3817 | | — | 0.00 | — | 0.01 | | Apr 17, 2024 | HashiCorp's go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package. |
| CVE-2024-23731 | | — | 0.00 | — | 0.01 | | Jan 21, 2024 | The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument. |
| CVE-2023-26143 | | — | 0.00 | — | 0.01 | | Sep 19, 2023 | Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the… |
| CVE-2023-34395 | | | 0.00 | — | 0.01 | | Jun 27, 2023 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, a privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow… |
| CVE-2022-43758 | | | 0.00 | — | 0.01 | | Feb 7, 2023 | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SUSE Rancher allows code execution for user with the ability to add an untrusted Helm catalog or modifying the URL configuration used to download KDM (only admin users… |
| CVE-2022-31249 | | | 0.00 | — | 0.04 | | Feb 7, 2023 | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher… |
| CVE-2022-4864 | | | 0.00 | — | 0.00 | | Dec 30, 2022 | Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. |
| CVE-2022-42968 | | | 0.00 | — | 0.01 | | Oct 16, 2022 | Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled. |
| CVE-2022-36069 | | | 0.00 | — | 0.01 | | Sep 7, 2022 | Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands,… |
| CVE-2022-25973 | | — | 0.00 | — | 0.00 | | Aug 10, 2022 | All versions of package mc-kill-port are vulnerable to Arbitrary Command Execution via the kill function, due to missing sanitization of the port argument. |
| CVE-2022-25168 | | — | 0.00 | — | 0.03 | | Aug 4, 2022 | Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It… |
| CVE-2019-10800 | | — | 0.00 | — | 0.01 | | Jul 13, 2022 | This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being provided to the popen method. |
| CVE-2022-25900 | | — | 0.00 | — | 0.03 | | Jul 1, 2022 | All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git. |
| CVE-2022-24376 | | — | 0.00 | — | 0.03 | | Jun 10, 2022 | All versions of package git-promise are vulnerable to Command Injection due to an inappropriate fix of a prior [vulnerability](https://security.snyk.io/vuln/SNYK-JS-GITPROMISE-567476) in this package. **Note:** Please note that the vulnerability will not be fixed. The README… |
| CVE-2021-33473 | | — | 0.00 | — | 0.01 | | Jun 2, 2022 | An argument injection vulnerability in Dragonfly Ruby Gem v1.3.0 allows attackers to read and write arbitrary files when the verify_url option is disabled. This vulnerability is exploited via a crafted URL. |
| CVE-2022-30284 | | — | 0.00 | — | 0.05 | | May 4, 2022 | In the python-libnmap package through 0.7.2 for Python, remote command execution can occur (if used in a client application that does not validate arguments). NOTE: the vendor believes it would be unrealistic for an application to call NmapProcess with arguments taken from input… |