CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Monthly
Arbitrary file read in Metabase (versions from 1.57.0 up to the fixed releases) allows an attacker who already holds database-configuration privileges to exfiltrate files from the Metabase server's host filesystem by injecting unsafe JDBC parameters into a MySQL or MariaDB connection. The malicious driver options coerce the JDBC client to read local host files and surface their contents through query results or connection-validation error messages. No public exploit identified at time of analysis; the flaw affects self-hosted and embedded deployments of this open-source BI platform.
Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 lets remote attackers redirect kubectl operations to an attacker-controlled API server by smuggling a leading-dash `--server` flag through the resourceType and name parameters of the kubectl_get, kubectl_describe, and kubectl_delete structured tools. Because the injected values bypass the assertNoDangerousFlags check, the operator's bearer token is transmitted to the external server, enabling full Kubernetes cluster compromise. Reported by VulnCheck, it carries CVSS 4.0 9.3, has publicly available exploit code, and a vendor patch in release 3.9.0; there is no confirmed active exploitation.
Argument injection in bosh-cli versions before v7.10.4 lets a compromised or malicious BOSH Director inject arbitrary OpenSSH command-line options into the ssh process that the CLI spawns locally, achieving code execution on the operator's own workstation. It triggers during non-interactive SSH paths such as bosh ssh -c, bosh logs -f, and similar flows where the CLI builds an ssh command from Director-supplied data. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 7.7 (High).
Remote code execution in Crawl4AI's Docker API server (versions prior to 0.9.0) lets unauthenticated attackers run arbitrary commands as the container runtime user. The server passes request-supplied browser_config.extra_args directly into Chromium's launch arguments, enabling argument injection (CWE-88) of a malicious child-process launcher combined with --no-zygote. Because the Docker API is unauthenticated by default and CVSS is scored 10.0, a single crafted HTTP request achieves full container compromise; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Argument injection and directory traversal in Apache Camel's camel-docling component (4.15.0 before 4.18.3) let attackers who can influence the CamelDoclingCustomArguments or path-bearing exchange headers inject unintended docling CLI flags and traversal-laden path values into the externally executed docling tool. Because the original DoclingProducer validation relied on a flag denylist and only rejected literal '../' sequences, crafted arguments could reach the subprocess and resolve files outside the intended directory, yielding high confidentiality and integrity impact but no OS command injection (ProcessBuilder uses the list form, so no shell interprets the values). There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; EPSS is low (0.79%, 52nd percentile).
Local privilege escalation via argument injection in TUBITAK BILGEM's pardus-software (the software-center application for the Turkish Pardus Linux distribution) affects all versions up to and including 1.0.4. A low-privileged local user can smuggle attacker-controlled argument delimiters into a command the application invokes with elevated privileges, yielding full compromise of the host (confidentiality, integrity, and availability all high) with no user interaction. No public exploit has been identified at time of analysis, and the issue is not on CISA KEV; it is fixed in version 1.0.5.
Local privilege escalation in Linuxfabrik monitoring-plugins arises from the shipped Debian.sudoers file, which grants the nagios user passwordless sudo to apt-get without constraining arguments (CWE-88 argument injection). Any attacker who already controls the nagios account can run 'sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh' to spawn a root shell. Publicly available exploit code exists (documented in the GitHub advisory PoC), but there is no public evidence of active exploitation and no CVSS score was assigned.
Arbitrary command execution in repomix (npm package, versions < 1.14.1) arises from argument injection in the `--remote-branch` CLI option, whose value is passed unsanitized into `git fetch` and `git checkout` subprocesses within `src/core/git/gitCommand.ts`. Because the branch value is not prefixed with a `--` positional delimiter and skips the `dangerousParams` blocklist that `validateGitUrl()` applies only to the URL, an attacker can inject options such as `--upload-pack` and, combined with an SSH or `file://` remote, execute an arbitrary payload binary with the invoking user's privileges. Publicly available exploit code exists, no active exploitation is confirmed (not in CISA KEV), and the flaw is fixed in v1.14.1.
Arbitrary VS Code command execution in the Red Hat vscode-java extension allows a malicious Java source file to embed hidden commands inside JavaDoc hover Markdown, so that a developer who simply clicks a crafted link in a hover popup triggers attacker-chosen commands that can escalate to full system compromise in trusted workspaces. The flaw stems from the extension rendering JavaDoc hovers as fully-trusted Markdown, and it also affects Red Hat OpenShift Dev Spaces, which bundles the extension. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network reach combined with only a single click of user interaction makes it high-impact.
Arbitrary command execution in pnpm before 10.34.0 and 11.4.0 allows a malicious lockfile to run code on a developer's machine during `pnpm install`. Because pnpm passes the lockfile-controlled `resolution.commit` to `git fetch`/`git checkout` without a `--` separator or 40-hex-character validation, an attacker can substitute the expected commit hash with a Git option such as `--upload-pack=<command>`, which Git executes for SSH and local (file://) transports. Publicly available exploit code exists (POC), but there is no public exploit identified as actively exploited; EPSS is low (0.17%, 7th percentile), consistent with a developer-targeted supply-chain vector rather than mass internet scanning.
Arbitrary file read in Metabase (versions from 1.57.0 up to the fixed releases) allows an attacker who already holds database-configuration privileges to exfiltrate files from the Metabase server's host filesystem by injecting unsafe JDBC parameters into a MySQL or MariaDB connection. The malicious driver options coerce the JDBC client to read local host files and surface their contents through query results or connection-validation error messages. No public exploit identified at time of analysis; the flaw affects self-hosted and embedded deployments of this open-source BI platform.
Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 lets remote attackers redirect kubectl operations to an attacker-controlled API server by smuggling a leading-dash `--server` flag through the resourceType and name parameters of the kubectl_get, kubectl_describe, and kubectl_delete structured tools. Because the injected values bypass the assertNoDangerousFlags check, the operator's bearer token is transmitted to the external server, enabling full Kubernetes cluster compromise. Reported by VulnCheck, it carries CVSS 4.0 9.3, has publicly available exploit code, and a vendor patch in release 3.9.0; there is no confirmed active exploitation.
Argument injection in bosh-cli versions before v7.10.4 lets a compromised or malicious BOSH Director inject arbitrary OpenSSH command-line options into the ssh process that the CLI spawns locally, achieving code execution on the operator's own workstation. It triggers during non-interactive SSH paths such as bosh ssh -c, bosh logs -f, and similar flows where the CLI builds an ssh command from Director-supplied data. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 7.7 (High).
Remote code execution in Crawl4AI's Docker API server (versions prior to 0.9.0) lets unauthenticated attackers run arbitrary commands as the container runtime user. The server passes request-supplied browser_config.extra_args directly into Chromium's launch arguments, enabling argument injection (CWE-88) of a malicious child-process launcher combined with --no-zygote. Because the Docker API is unauthenticated by default and CVSS is scored 10.0, a single crafted HTTP request achieves full container compromise; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Argument injection and directory traversal in Apache Camel's camel-docling component (4.15.0 before 4.18.3) let attackers who can influence the CamelDoclingCustomArguments or path-bearing exchange headers inject unintended docling CLI flags and traversal-laden path values into the externally executed docling tool. Because the original DoclingProducer validation relied on a flag denylist and only rejected literal '../' sequences, crafted arguments could reach the subprocess and resolve files outside the intended directory, yielding high confidentiality and integrity impact but no OS command injection (ProcessBuilder uses the list form, so no shell interprets the values). There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; EPSS is low (0.79%, 52nd percentile).
Local privilege escalation via argument injection in TUBITAK BILGEM's pardus-software (the software-center application for the Turkish Pardus Linux distribution) affects all versions up to and including 1.0.4. A low-privileged local user can smuggle attacker-controlled argument delimiters into a command the application invokes with elevated privileges, yielding full compromise of the host (confidentiality, integrity, and availability all high) with no user interaction. No public exploit has been identified at time of analysis, and the issue is not on CISA KEV; it is fixed in version 1.0.5.
Local privilege escalation in Linuxfabrik monitoring-plugins arises from the shipped Debian.sudoers file, which grants the nagios user passwordless sudo to apt-get without constraining arguments (CWE-88 argument injection). Any attacker who already controls the nagios account can run 'sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh' to spawn a root shell. Publicly available exploit code exists (documented in the GitHub advisory PoC), but there is no public evidence of active exploitation and no CVSS score was assigned.
Arbitrary command execution in repomix (npm package, versions < 1.14.1) arises from argument injection in the `--remote-branch` CLI option, whose value is passed unsanitized into `git fetch` and `git checkout` subprocesses within `src/core/git/gitCommand.ts`. Because the branch value is not prefixed with a `--` positional delimiter and skips the `dangerousParams` blocklist that `validateGitUrl()` applies only to the URL, an attacker can inject options such as `--upload-pack` and, combined with an SSH or `file://` remote, execute an arbitrary payload binary with the invoking user's privileges. Publicly available exploit code exists, no active exploitation is confirmed (not in CISA KEV), and the flaw is fixed in v1.14.1.
Arbitrary VS Code command execution in the Red Hat vscode-java extension allows a malicious Java source file to embed hidden commands inside JavaDoc hover Markdown, so that a developer who simply clicks a crafted link in a hover popup triggers attacker-chosen commands that can escalate to full system compromise in trusted workspaces. The flaw stems from the extension rendering JavaDoc hovers as fully-trusted Markdown, and it also affects Red Hat OpenShift Dev Spaces, which bundles the extension. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network reach combined with only a single click of user interaction makes it high-impact.
Arbitrary command execution in pnpm before 10.34.0 and 11.4.0 allows a malicious lockfile to run code on a developer's machine during `pnpm install`. Because pnpm passes the lockfile-controlled `resolution.commit` to `git fetch`/`git checkout` without a `--` separator or 40-hex-character validation, an attacker can substitute the expected commit hash with a Git option such as `--upload-pack=<command>`, which Git executes for SSH and local (file://) transports. Publicly available exploit code exists (POC), but there is no public exploit identified as actively exploited; EPSS is low (0.17%, 7th percentile), consistent with a developer-targeted supply-chain vector rather than mass internet scanning.