VYPR

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Base · Draft

Description

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-137 · CAPEC-174 · CAPEC-41 · CAPEC-460 · CAPEC-88

CVEs mapped to this weakness (169)

page 7 of 9
  • CVE-2025-27146 · Feb 25, 2025
    risk 0.00 cvss · epss 0.00

    matrix-appservice-irc is a Node.js IRC bridge for Matrix. The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the puppeted user. The attacker can only inject commands executed as their own IRC user.…

  • CVE-2025-21613 · Jan 6, 2025
    risk 0.00 cvss · epss 0.01

    go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack…

  • CVE-2024-39930 · Jul 4, 2024
    risk 0.00 cvss · epss 0.07

    The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server…

  • CVE-2024-39933 · Jul 4, 2024
    risk 0.00 cvss · epss 0.01

    Gogs through 0.13.0 allows argument injection during the tagging of a new release.

  • CVE-2024-3817 · Apr 17, 2024
    risk 0.00 cvss · epss 0.01

    HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.

  • CVE-2024-23731 · Jan 21, 2024
    risk 0.00 cvss · epss 0.01

    The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.

  • CVE-2023-26143 · Sep 19, 2023
    risk 0.00 cvss · epss 0.01

    Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the…

  • CVE-2023-34395 · Jun 27, 2023
    risk 0.00 cvss · epss 0.01

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow…

  • CVE-2022-43758 · Feb 7, 2023
    risk 0.00 cvss · epss 0.01

    An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SUSE Rancher allows code execution for user with the ability to add an untrusted Helm catalog or modifying the URL configuration used to download KDM (only admin users…

  • CVE-2022-31249 · Feb 7, 2023
    risk 0.00 cvss · epss 0.04

    An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher…

  • CVE-2022-4864 · Dec 30, 2022
    risk 0.00 cvss · epss 0.00

    Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

  • CVE-2022-42968 · Oct 16, 2022
    risk 0.00 cvss · epss 0.01

    Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.

  • CVE-2022-36069 · Sep 7, 2022
    risk 0.00 cvss · epss 0.01

    Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands,…

  • CVE-2022-25973 · Aug 10, 2022
    risk 0.00 cvss · epss 0.00

    All versions of package mc-kill-port are vulnerable to Arbitrary Command Execution via the kill function, due to missing sanitization of the port argument.

  • CVE-2022-25168 · Aug 4, 2022
    risk 0.00 cvss · epss 0.03

    Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It…

  • CVE-2019-10800 · Jul 13, 2022
    risk 0.00 cvss · epss 0.01

    This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being provided to the popen method.

  • CVE-2022-25900 · Jul 1, 2022
    risk 0.00 cvss · epss 0.03

    All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.

  • CVE-2022-24376 · Jun 10, 2022
    risk 0.00 cvss · epss 0.03

    All versions of package git-promise are vulnerable to Command Injection due to an inappropriate fix of a prior [vulnerability](https://security.snyk.io/vuln/SNYK-JS-GITPROMISE-567476) in this package. **Note:** Please note that the vulnerability will not be fixed. The README…

  • CVE-2021-33473 · Jun 2, 2022
    risk 0.00 cvss · epss 0.01

    An argument injection vulnerability in Dragonfly Ruby Gem v1.3.0 allows attackers to read and write arbitrary files when the verify_url option is disabled. This vulnerability is exploited via a crafted URL.

  • CVE-2022-30284 · May 4, 2022
    risk 0.00 cvss · epss 0.05

    In the python-libnmap package through 0.7.2 for Python, remote command execution can occur (if used in a client application that does not validate arguments). NOTE: the vendor believes it would be unrealistic for an application to call NmapProcess with arguments taken from input…