Common Weakness Enumeration

CWE-88

Allowed

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Abstraction: Base · Status: Draft

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

550 vulnerabilities reference this CWE, most recent first.

GHSA-FJP9-R788-525G

Vulnerability from github – Published: 2023-08-04 18:30 – Updated: 2024-04-04 06:33
VLAI
Details

Connected IO v2.1.0 and prior has an argument injection vulnerability in its iptables command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-04T18:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "Connected IO v2.1.0 and prior has an argument injection vulnerability in its iptables command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.",
  "id": "GHSA-fjp9-r788-525g",
  "modified": "2024-04-04T06:33:59Z",
  "published": "2023-08-04T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33376"
    },
    {
      "type": "WEB",
      "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33376"
    },
    {
      "type": "WEB",
      "url": "https://www.connectedio.com/products/routers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMFV-JGWF-V4G5

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

NBBDownloader.ocx ActiveX Control in Groupware contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the activex method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-29T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "NBBDownloader.ocx ActiveX Control in Groupware contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the activex method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection.",
  "id": "GHSA-fmfv-jgwf-v4g5",
  "modified": "2022-05-24T17:45:37Z",
  "published": "2022-05-24T17:45:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7850"
    },
    {
      "type": "WEB",
      "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35982"
    },
    {
      "type": "WEB",
      "url": "http://help.neobizbox.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FPJG-6CR9-C772

Vulnerability from github – Published: 2023-08-26 00:30 – Updated: 2024-04-04 07:13
VLAI
Details

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-25T22:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.",
  "id": "GHSA-fpjg-6cr9-c772",
  "modified": "2024-04-04T07:13:25Z",
  "published": "2023-08-26T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39287"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-23-0010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FR32-GR5C-XQ5C

Vulnerability from github – Published: 2019-06-20 16:06 – Updated: 2023-08-28 13:19
VLAI
Summary
RubyGems Escape sequence injection vulnerability in verbose
Details

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rubygems-update"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.7.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rubygems-update"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-8321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-20T16:00:39Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.",
  "id": "GHSA-fr32-gr5c-xq5c",
  "modified": "2023-08-28T13:19:04Z",
  "published": "2019-06-20T16:06:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8321"
    },
    {
      "type": "WEB",
      "url": "https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2019-8321.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RubyGems Escape sequence injection vulnerability in verbose"
}

GHSA-FRVQ-JF8M-34Q5

Vulnerability from github – Published: 2024-08-28 03:31 – Updated: 2024-08-28 03:31
VLAI
Details

The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the 'search' function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-28T03:15:03Z",
    "severity": "MODERATE"
  },
  "details": "The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the \u0027search\u0027 function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts.",
  "id": "GHSA-frvq-jf8m-34q5",
  "modified": "2024-08-28T03:31:15Z",
  "published": "2024-08-28T03:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7573"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3135074/relevanssi-live-ajax-search"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbcb648a-4a3e-4645-bd62-4415b1cf6516?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FVH3-672C-7P6C

Vulnerability from github – Published: 2026-03-27 06:31 – Updated: 2026-05-13 13:44
VLAI
Summary
Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key
Details

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected.

This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.ai:spring-ai-vector-store"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.ai:spring-ai-vector-store"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0-M1"
            },
            {
              "fixed": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88",
      "CWE-917",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:31:52Z",
    "nvd_published_at": "2026-03-27T06:16:37Z",
    "severity": "CRITICAL"
  },
  "details": "In Spring AI, a SpEL injection vulnerability exists in\u00a0SimpleVectorStore\u00a0when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code.\u00a0Only applications that use\u00a0SimpleVectorStore\u00a0and pass user-supplied input as a filter expression key are affected.\n\nThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.",
  "id": "GHSA-fvh3-672c-7p6c",
  "modified": "2026-05-13T13:44:15Z",
  "published": "2026-03-27T06:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22738"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-ai/commit/ba9220b22383e430d5f801ce8e4fa01cf9e75f29"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-projects/spring-ai"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-ai/releases/tag/v1.0.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-ai/releases/tag/v1.1.4"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-22738"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key"
}

GHSA-FVXX-GGMX-3CJG

Vulnerability from github – Published: 2026-04-10 19:22 – Updated: 2026-04-10 19:22
VLAI
Summary
PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars
Details

Summary

deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service.

Grep Commands and Evidence

Step 1. Confirm the vulnerable string construction at line 150

    grep -n "set-env-vars\|openai_key\|openai_base\|openai_model" \
      src/praisonai/praisonai/deploy.py
Expected output showing unsanitized interpolation:
150:  '--set-env-vars', f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}'

Step 2. Confirm no comma validation exists before this line

    grep -n "comma\|assertNotIn\|ValueError\|sanitize\|strip\|replace" \
      src/praisonai/praisonai/deploy.py
Expected output: no results related to input validation

Step 3. View the full context of the vulnerable construction

    sed -n '140,165p' \
      src/praisonai/praisonai/deploy.py
This block shows the gcloud command list where the three values are
joined into one comma-separated string passed as a single argument
element. gcloud receives this string and applies its own
comma-based parsing, which the subprocess list form cannot prevent.

Step 4. Confirm subprocess is called without shell=True

    grep -n "subprocess\|Popen\|shell=" \
      src/praisonai/praisonai/deploy.py
This confirms shell=False (default), meaning the injection is at the
gcloud argument level, not the shell level. The comma delimiter is
parsed by gcloud itself, not by /bin/sh.

Step 5. Confirm no existing advisory covers this file

    grep -rn "deploy.py\|set.env.vars\|openai_base" \
      src/praisonai/praisonai/deploy.py

Vulnerability Description

File: src/praisonai/praisonai/deploy.py

Vulnerable line:

  150: '--set-env-vars', f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}'

The three values openai_model, openai_key, and openai_base originate from environment variables or user-provided configuration and are interpolated directly into a single f-string without validation.

The subprocess call uses a Python list without shell=True. This means there is no shell injection. The subprocess module passes the f-string as one complete argument to gcloud. gcloud then applies its own internal parsing to the value of --set-env-vars using a comma as the delimiter. This parsing is entirely outside Python's control.

If any of the three values contains a comma, gcloud splits on that comma and creates an additional KEY=VALUE environment variable from the text following it. There is no error or warning from gcloud when this occurs.

The three values are attacker-controllable in any scenario where environment variables can be set before the deploy command runs. This includes compromised dotenv files, poisoned CI pipeline secrets, and local developer machines where an attacker has shell access.

Proof of Concept

 attacker-controlled openai_base value:

    export OPENAI_API_KEY="sk-legitimate-key"
    export OPENAI_MODEL_NAME="gpt-4"
    export OPENAI_API_BASE="https://api.openai.com/v1,INJECTED=attacker_value"

Run the deploy command. The string constructed at line 150 becomes:

    OPENAI_MODEL_NAME=gpt-4,OPENAI_API_KEY=sk-legitimate-key,OPENAI_API_BASE=https://api.openai.com/v1,INJECTED=attacker_value

gcloud parses this as four key-value pairs and creates all four as environment variables in the Cloud Run service. INJECTED=attacker_value is a real environment variable available to every request the service handles.

Verify the injection after deployment:

    gcloud run services describe praisonai-service \
      --region us-central1 \
      --format "value(spec.template.spec.containers[0].env)"

The output includes INJECTED alongside the three legitimate variables.

API key override:

export OPENAI_API_KEY="sk-real,OPENAI_API_KEY=sk-attacker"

The constructed string contains OPENAI_API_KEY twice. In gcloud versions where the last-defined value takes precedence, the deployed service uses sk-attacker for all LLM API calls. All agent traffic routes through the attacker-controlled API account.

Impact

An attacker who can influence any of the three environment variables before deploy.py runs can inject arbitrary environment variables into the deployed Cloud Run production service without triggering any error.

Injection scenarios include a malicious git hook that modifies a dotenv file before deployment, a compromised CI pipeline secret, or any local access that allows setting environment variables in the deploy shell session.

Consequences include overriding the API key used by the production service, injecting proxy settings that redirect all outbound LLM traffic, setting debug or verbose flags that write sensitive data to Cloud Run logs, and overriding any security-relevant variable the service reads from its environment.

The API key override scenario is the highest-impact case. All production LLM calls made by the deployed service are billed to and logged by the attacker's API account, giving the attacker full visibility into every agent prompt and response processed in production.

Recommended Fix

Pass each variable as a separate --update-env-vars flag so each value is an isolated argument and gcloud never performs comma-based parsing across multiple values:

Before:
  ['gcloud', 'run', 'deploy', 'praisonai-service',
   '--set-env-vars',
   f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}']

After:
  ['gcloud', 'run', 'deploy', 'praisonai-service',
   '--update-env-vars', f'OPENAI_MODEL_NAME={openai_model}',
   '--update-env-vars', f'OPENAI_API_KEY={openai_key}',
   '--update-env-vars', f'OPENAI_API_BASE={openai_base}']

Each --update-env-vars element is a separate string in the subprocess list. The subprocess module passes each as a distinct argument to gcloud. gcloud receives three separate single-variable assignments and performs no cross-argument comma parsing.

Add pre-flight validation as a secondary control:

for label, value in [
    ("OPENAI_MODEL_NAME", openai_model),
    ("OPENAI_API_KEY", openai_key),
    ("OPENAI_API_BASE", openai_base),
]:
    if "," in value:
        raise ValueError(
            f"{label} contains a comma and would corrupt "
            f"--set-env-vars: {value!r}"
        )

References

CWE-88 Improper Neutralization of Argument Delimiters in a Command gcloud run deploy documentation for --set-env-vars KEY=VALUE comma delimiter specification

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.128"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:22:37Z",
    "nvd_published_at": "2026-04-09T22:16:34Z",
    "severity": "HIGH"
  },
  "details": "**Summary**\n\ndeploy.py constructs a single comma-delimited string for the gcloud run\ndeploy --set-env-vars argument by directly interpolating openai_model,\nopenai_key, and openai_base without validating that these values do not\ncontain commas. gcloud uses a comma as the key-value pair separator for\n--set-env-vars. A comma in any of the three values causes gcloud to\nparse the trailing text as additional KEY=VALUE definitions, injecting\narbitrary environment variables into the deployed Cloud Run service.\n\n\nGrep Commands and Evidence\n\nStep 1. Confirm the vulnerable string construction at line 150\n```\n    grep -n \"set-env-vars\\|openai_key\\|openai_base\\|openai_model\" \\\n      src/praisonai/praisonai/deploy.py\n```\n    Expected output showing unsanitized interpolation:\n    150:  \u0027--set-env-vars\u0027, f\u0027OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}\u0027\n\nStep 2. Confirm no comma validation exists before this line\n```\n    grep -n \"comma\\|assertNotIn\\|ValueError\\|sanitize\\|strip\\|replace\" \\\n      src/praisonai/praisonai/deploy.py\n```\n    Expected output: no results related to input validation\n\nStep 3. View the full context of the vulnerable construction\n```\n    sed -n \u0027140,165p\u0027 \\\n      src/praisonai/praisonai/deploy.py\n```\n    This block shows the gcloud command list where the three values are\n    joined into one comma-separated string passed as a single argument\n    element. gcloud receives this string and applies its own\n    comma-based parsing, which the subprocess list form cannot prevent.\n\nStep 4. Confirm subprocess is called without shell=True\n```\n    grep -n \"subprocess\\|Popen\\|shell=\" \\\n      src/praisonai/praisonai/deploy.py\n```\n    This confirms shell=False (default), meaning the injection is at the\n    gcloud argument level, not the shell level. The comma delimiter is\n    parsed by gcloud itself, not by /bin/sh.\n\nStep 5. Confirm no existing advisory covers this file\n```\n    grep -rn \"deploy.py\\|set.env.vars\\|openai_base\" \\\n      src/praisonai/praisonai/deploy.py\n```\n\nVulnerability Description\n\nFile:\n  `src/praisonai/praisonai/deploy.py`\n\nVulnerable line:\n```\n  150: \u0027--set-env-vars\u0027, f\u0027OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}\u0027\n```\n\nThe three values openai_model, openai_key, and openai_base originate\nfrom environment variables or user-provided configuration and are\ninterpolated directly into a single f-string without validation.\n\nThe subprocess call uses a Python list without shell=True. This means\nthere is no shell injection. The subprocess module passes the f-string\nas one complete argument to gcloud. gcloud then applies its own internal\nparsing to the value of --set-env-vars using a comma as the delimiter.\nThis parsing is entirely outside Python\u0027s control.\n\nIf any of the three values contains a comma, gcloud splits on that comma\nand creates an additional KEY=VALUE environment variable from the text\nfollowing it. There is no error or warning from gcloud when this occurs.\n\nThe three values are attacker-controllable in any scenario where\nenvironment variables can be set before the deploy command runs. This\nincludes compromised dotenv files, poisoned CI pipeline secrets, and\nlocal developer machines where an attacker has shell access.\n\n\nProof of Concept\n```\n attacker-controlled openai_base value:\n\n    export OPENAI_API_KEY=\"sk-legitimate-key\"\n    export OPENAI_MODEL_NAME=\"gpt-4\"\n    export OPENAI_API_BASE=\"https://api.openai.com/v1,INJECTED=attacker_value\"\n```\n\nRun the deploy command. The string constructed at line 150 becomes:\n```\n    OPENAI_MODEL_NAME=gpt-4,OPENAI_API_KEY=sk-legitimate-key,OPENAI_API_BASE=https://api.openai.com/v1,INJECTED=attacker_value\n```\ngcloud parses this as four key-value pairs and creates all four as\nenvironment variables in the Cloud Run service. INJECTED=attacker_value\nis a real environment variable available to every request the service\nhandles.\n\nVerify the injection after deployment:\n```\n    gcloud run services describe praisonai-service \\\n      --region us-central1 \\\n      --format \"value(spec.template.spec.containers[0].env)\"\n```\nThe output includes INJECTED alongside the three legitimate variables.\n\nAPI key override:\n\n  `  export OPENAI_API_KEY=\"sk-real,OPENAI_API_KEY=sk-attacker\"`\n\nThe constructed string contains OPENAI_API_KEY twice. In gcloud versions\nwhere the last-defined value takes precedence, the deployed service uses\nsk-attacker for all LLM API calls. All agent traffic routes through the\nattacker-controlled API account.\n\n\n**Impact**\n\nAn attacker who can influence any of the three environment variables\nbefore deploy.py runs can inject arbitrary environment variables into\nthe deployed Cloud Run production service without triggering any error.\n\nInjection scenarios include a malicious git hook that modifies a dotenv\nfile before deployment, a compromised CI pipeline secret, or any local\naccess that allows setting environment variables in the deploy shell\nsession.\n\nConsequences include overriding the API key used by the production\nservice, injecting proxy settings that redirect all outbound LLM traffic,\nsetting debug or verbose flags that write sensitive data to Cloud Run\nlogs, and overriding any security-relevant variable the service reads\nfrom its environment.\n\nThe API key override scenario is the highest-impact case. All production\nLLM calls made by the deployed service are billed to and logged by the\nattacker\u0027s API account, giving the attacker full visibility into every\nagent prompt and response processed in production.\n\n\n**Recommended Fix**\n\nPass each variable as a separate --update-env-vars flag so each value\nis an isolated argument and gcloud never performs comma-based parsing\nacross multiple values:\n\n    Before:\n      [\u0027gcloud\u0027, \u0027run\u0027, \u0027deploy\u0027, \u0027praisonai-service\u0027,\n       \u0027--set-env-vars\u0027,\n       f\u0027OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}\u0027]\n\n    After:\n      [\u0027gcloud\u0027, \u0027run\u0027, \u0027deploy\u0027, \u0027praisonai-service\u0027,\n       \u0027--update-env-vars\u0027, f\u0027OPENAI_MODEL_NAME={openai_model}\u0027,\n       \u0027--update-env-vars\u0027, f\u0027OPENAI_API_KEY={openai_key}\u0027,\n       \u0027--update-env-vars\u0027, f\u0027OPENAI_API_BASE={openai_base}\u0027]\n\nEach --update-env-vars element is a separate string in the subprocess\nlist. The subprocess module passes each as a distinct argument to\ngcloud. gcloud receives three separate single-variable assignments and\nperforms no cross-argument comma parsing.\n\nAdd pre-flight validation as a secondary control:\n\n    for label, value in [\n        (\"OPENAI_MODEL_NAME\", openai_model),\n        (\"OPENAI_API_KEY\", openai_key),\n        (\"OPENAI_API_BASE\", openai_base),\n    ]:\n        if \",\" in value:\n            raise ValueError(\n                f\"{label} contains a comma and would corrupt \"\n                f\"--set-env-vars: {value!r}\"\n            )\n\n\nReferences\n\nCWE-88 Improper Neutralization of Argument Delimiters in a Command\ngcloud run deploy documentation for --set-env-vars KEY=VALUE comma\ndelimiter specification",
  "id": "GHSA-fvxx-ggmx-3cjg",
  "modified": "2026-04-10T19:22:37Z",
  "published": "2026-04-10T19:22:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-fvxx-ggmx-3cjg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40113"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars"
}

GHSA-FWF6-J56G-M97C

Vulnerability from github – Published: 2026-05-08 18:35 – Updated: 2026-05-08 18:35
VLAI
Summary
Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click
Details

Impact

Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation.

When a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link, shell.openExternal executes it using the operating system's default protocol handler.

This can be abused to: - Trigger dangerous protocol handlers (ms-msdt:, search-ms:) for code execution - Open local files or network shares (file://, UNC paths) to leak NTLM hashes or exfiltrate data - Launch any installed application associated with a custom URI scheme

An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link.

Patches

As of electerm v3.7.9, no official patch has been released. Users should monitor the project’s GitHub releases and security page for an update addressing this issue.

Workarounds

Until a patch is available: - Do not click on any links displayed in terminal sessions connected to untrusted servers. - If possible, disable hyperlink rendering in electerm's terminal settings. - Use a terminal multiplexer (e.g., tmux) or a separate terminal application that filters URI schemes when working with untrusted hosts. - Consider running electerm in a restricted environment (sandbox, AppArmor, SELinux) that limits the spawning of protocol handlers.

Resources

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electerm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.8.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T18:35:17Z",
    "nvd_published_at": "2026-05-08T04:16:23Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nElecterm\u0027s terminal hyperlink handler passes any URL clicked in the terminal directly to `shell.openExternal` without any protocol validation.\n\nWhen a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link, `shell.openExternal` executes it using the operating system\u0027s default protocol handler.\n\nThis can be abused to:\n- Trigger dangerous protocol handlers (`ms-msdt:`, `search-ms:`) for code execution\n- Open local files or network shares (`file://`, UNC paths) to leak NTLM hashes or exfiltrate data\n- Launch any installed application associated with a custom URI scheme\n\nAn attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim\u0027s machine, requiring only that the victim clicks a displayed link.\n\n### Patches\n\nAs of electerm v3.7.9, no official patch has been released. Users should monitor the project\u2019s [GitHub releases](https://github.com/electerm/electerm/releases) and [security page](https://github.com/electerm/electerm/security) for an update addressing this issue.\n\n### Workarounds\n\nUntil a patch is available:\n- Do not click on any links displayed in terminal sessions connected to untrusted servers.\n- If possible, disable hyperlink rendering in electerm\u0027s terminal settings.\n- Use a terminal multiplexer (e.g., tmux) or a separate terminal application that filters URI schemes when working with untrusted hosts.\n- Consider running electerm in a restricted environment (sandbox, AppArmor, SELinux) that limits the spawning of protocol handlers.\n\n### Resources\n\n- [electerm GitHub Repository](https://github.com/electerm/electerm)\n- [electerm Security Policy](https://github.com/electerm/electerm/security)\n- Vulnerability details originally reported by external researcher (confirmed on v3.7.9, Win10).",
  "id": "GHSA-fwf6-j56g-m97c",
  "modified": "2026-05-08T18:35:17Z",
  "published": "2026-05-08T18:35:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43941"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electerm/electerm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click"
}

GHSA-FXQ3-4VFX-993F

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI
Details

Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version ’05.65.00.BD’ and earlier, GT1450-QMBDE CoreOS version ’05.65.00.BD’ and earlier, GT1450-QLBDE CoreOS version ’05.65.00.BD’ and earlier, GT1455HS-QTBDE CoreOS version ’05.65.00.BD’ and earlier, and GT1450HS-QMBDE CoreOS version ’05.65.00.BD’ and earlier) allows unauthenticated attackers on adjacent network to stop the network functions of the products via a specially crafted packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-06T03:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Improper neutralization of argument delimiters in a command (\u0027Argument Injection\u0027) vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QLBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1455HS-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, and GT1450HS-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier) allows unauthenticated attackers on adjacent network to stop the network functions of the products via a specially crafted packet.",
  "id": "GHSA-fxq3-4vfx-993f",
  "modified": "2022-05-24T22:28:38Z",
  "published": "2022-05-24T22:28:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5648"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU99562395/index.html"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G397-V4W5-4M79

Vulnerability from github – Published: 2022-04-02 00:00 – Updated: 2022-04-04 21:57
VLAI
Summary
Command injection in cocoapods-downloader
Details

The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "cocoapods-downloader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21223"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-04T21:57:37Z",
    "nvd_published_at": "2022-04-01T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection.",
  "id": "GHSA-g397-v4w5-4m79",
  "modified": "2022-04-04T21:57:37Z",
  "published": "2022-04-02T00:00:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21223"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CocoaPods/cocoapods-downloader/pull/127"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/CocoaPods/cocoapods-downloader"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cocoapods-downloader/CVE-2022-21223.yml"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-RUBY-COCOAPODSDOWNLOADER-2414280"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Command injection in cocoapods-downloader"
}

Mitigation
Implementation

Strategy: Parameterization

Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter.

Mitigation
Architecture and Design

Strategy: Input Validation

Understand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Implementation

Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.

Mitigation
Implementation
  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
  • Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
Implementation

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

Mitigation
Implementation

When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.

Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

CAPEC-137: Parameter Injection

An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.

CAPEC-174: Flash Parameter Injection

An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document.

CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads

This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.

CAPEC-460: HTTP Parameter Pollution (HPP)

An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.

CAPEC-88: OS Command Injection

In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.