CWE-88— Argument Injection or Modification
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.— MITRE CWE catalog
372 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-88page 7 of 8
- CVE-2025-68144HIGHCVSS 7.1EG 7.12025-12-17
In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., `--output=/path/to/file` for `git_diff`) wo…
- CVE-2026-0634HIGHCVSS 7.8EG 7.82026-04-02
Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.
- CVE-2026-0774HIGHCVSS 8.8EG 8.82026-01-23
WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WatchYourLAN. Authentication is not require…
- CVE-2026-11332HIGHCVSS 7.8EG 7.82026-06-05
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inje…
- CVE-2026-11968MEDIUMCVSS 5.5EG 5.52026-06-24
Argument Injection in TortoiseGitBlame via Malicious Git History Filenames Leads to Arbitrary File Write in TortoiseGit
- CVE-2026-12530HIGHCVSS 7.3EG 7.32026-06-17
Improper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute arbitrary commands within the Code Interpr…
- CVE-2026-12856HIGHCVSS 8.8EG 8.82026-06-29
A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands.…
- CVE-2026-14459HIGHCVSS 8.8EG 8.82026-07-03
Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute pardus-software allows Argument Injection. This issue affects pardus-software: fro…
- CVE-2026-20016MEDIUMCVSS 6.7EG 6.02026-03-04
A vulnerability in the Cisco FXOS Software CLI feature for Cisco Secure Firewall ASA Software and Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-l…
- CVE-2026-22168MEDIUMCVSS 6.5EG 6.52026-03-18
OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign…
- CVE-2026-22582CRITICALCVSS 9.8EG 9.82026-01-24
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud E…
- CVE-2026-22583CRITICALCVSS 9.8EG 9.82026-01-24
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud …
- CVE-2026-24061CRITICALCVSS 9.8EG 9.8⚠ KEV2026-01-21
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
- CVE-2026-2449CRITICALCVSS 9.0EG 9.02026-04-14
Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant …
- CVE-2026-24739MEDIUMCVSS 6.3EG 6.32026-01-28
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=…
- CVE-2026-25134HIGHCVSS 8.8EG 8.82026-02-02
Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a syst…
- CVE-2026-25690MEDIUMCVSS 4.0EG 4.32026-05-12
An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.0.0 through 6.0.2, FortiDeceptor 5.3.0 through 5.3.3, FortiDeceptor 5.2.0 through 5.2.1, FortiDeceptor 5.1 all …
- CVE-2026-29608MEDIUMCVSS 6.7EG 6.72026-03-19
OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended cod…
- CVE-2026-29954HIGHCVSS 7.6EG 7.62026-03-30
In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address.…
- CVE-2026-31230CRITICALCVSS 9.8EG 9.82026-05-12
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (robustness_evaluation_fgsm_pytorch.py). The script uses the unsafe eval() function to parse string val…
- CVE-2026-32304CRITICALCVSS 9.8EG 9.82026-03-13
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, a…
- CVE-2026-34769HIGHCVSS 8.8EG 7.72026-04-04
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, an undocumented commandLineSwitches webPreference allowed arbitrary switch…
- CVE-2026-35033CRITICALCVSS 9.1EG 9.12026-04-14
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The Pars…
- CVE-2026-3515HIGHCVSS 8.5EG 8.52026-05-24
A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the `reference` field. The `reference` field is concatenated …
- CVE-2026-35153MEDIUMCVSS 6.7EG 6.72026-04-17
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of argument delimiters in a command …
- CVE-2026-35538LOWCVSS 3.1EG 3.12026-04-03
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
- CVE-2026-35585HIGHCVSS 7.2EG 7.22026-04-07
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 until 2.33.8, the hook system in File Browser — which executes administrator-defined shel…
- CVE-2026-39884HIGHCVSS 8.3EG 8.32026-04-15
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in src/tools/port_forward.ts, where a kubectl command…
- CVE-2026-40047CRITICALCVSS 9.1EG 9.12026-07-06
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Camel Docling component. The camel-docling component invokes the external `docling` command-line tool by assembling an argument lis…
- CVE-2026-40079CRITICALCVSS 9.8EG 9.82026-06-25
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escape_command() function. The escape_command() function at lib/rrd.php is…
- CVE-2026-40113HIGHCVSS 8.4EG 8.42026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without v…
- CVE-2026-40281CRITICALCVSS 10.0EG 10.02026-05-06
Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata…
- CVE-2026-40938HIGHCVSS 8.5EG 7.52026-04-21
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as …
- CVE-2026-41013HIGHCVSS 8.1EG 8.12026-06-01
Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows low-privileged CF space developer to inject arbitrary kernel CIFS mount options via bypassing the mount-option allowlist, enabling privile…
- CVE-2026-4145HIGHCVSS 7.8EG 7.82026-04-15
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix that could allow a local authenticated user to perform arbitrary code execution with elevated privileges.
- CVE-2026-41570HIGHCVSS 7.8EG 7.82026-05-08
PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metachara…
- CVE-2026-42266HIGHCVSS 8.8EG 8.82026-05-13
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_ex…
- CVE-2026-42284HIGHCVSS 8.1EG 8.12026-05-07
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config…
- CVE-2026-42601CRITICALCVSS 9.8EG 9.82026-05-09
ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config…
- CVE-2026-43893HIGHCVSS 8.2EG 8.22026-05-11
exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-…
- CVE-2026-43941CRITICALCVSS 9.6EG 8.82026-05-08
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any…
- CVE-2026-43943HIGHCVSS 7.8EG 7.82026-05-08
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. …
- CVE-2026-44193CRITICALCVSS 9.1EG 9.12026-05-13
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. This vulnerability is fixed in 26.1.7.
- CVE-2026-4438MEDIUMCVSS 5.4EG 5.42026-03-20
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in vio…
- CVE-2026-44449CRITICALCVSS 9.1EG 9.12026-05-26
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated dir…
- CVE-2026-44450CRITICALCVSS 9.9EG 9.92026-05-26
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Ev…
- CVE-2026-44712HIGHCVSS 8.2EG 8.22026-05-27
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesy…
- CVE-2026-44790HIGHCVSS 8.8EG 8.82026-06-23
n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to …
- CVE-2026-45158CRITICALCVSS 9.1EG 9.12026-05-13
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as roo…
- CVE-2026-45181MEDIUMCVSS 6.5EG 6.52026-05-09
Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 does not block Clang dependency-file generation (via argument injection), which allows attackers to place their code into a plugins directory if the victim uses an attacker-supplied .i64 file.
Map vulnerabilities like CWE-88 to your infrastructure
EchelonGraph correlates every CVE — across CWE-88 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →