CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Environment variable injection in PraisonAI deploy.py (versions prior to 4.5.128) allows authenticated local attackers to inject arbitrary environment variables into Google Cloud Run services during deployment. The vulnerability stems from improper validation of comma-separated gcloud CLI arguments, enabling attackers to manipulate openai_model, openai_key, or openai_base parameters with embedded commas, causing gcloud to parse injected content as additional KEY=VALUE pairs. This grants high-level access to confidential service configuration and permits unauthorized modifications. No public exploit identified at time of analysis.
Roundcube Webmail before versions 1.5.14 and 1.6.14 allows authenticated remote attackers to conduct IMAP injection attacks or bypass CSRF protections via unsanitized IMAP SEARCH command arguments. The vulnerability requires user interaction (high complexity) and authenticated access, resulting in limited integrity impact without confidentiality or availability compromise. No public exploit code or active exploitation has been confirmed at time of analysis.
Command-line injection in Electron via the undocumented commandLineSwitches webPreference enables sandbox escape and security control bypass when applications spread untrusted configuration objects into webPreferences. Attackers can inject arbitrary command-line switches to disable renderer process sandboxing or web security protections, achieving local code execution with elevated privileges. CVSS 7.8 (High) with attack complexity HIGH, requiring user interaction. No public exploit identified at time of analysis, though technical disclosure is public via a GitHub advisory.
Local privilege escalation via command injection in TECNO Pova7 Pro 5G AssistFeedbackService allows unprivileged Android applications to execute arbitrary code with system privileges. The vulnerability affects all TECNO Pova7 Pro 5G firmware versions and requires local app installation but no user interaction or special permissions beyond app execution capability. No public exploit code or active exploitation has been confirmed at time of analysis.
KubePlus 4.1.4 allows server-side request forgery (SSRF) and arbitrary HTTP header injection through improperly validated chartURL fields in ResourceComposition resources. The mutating webhook and kubeconfiggenerator components concatenate user-supplied chartURL values directly into wget command invocations without proper escaping, enabling attackers to inject wget options such as --header to forge HTTP requests or exfiltrate sensitive data. No patch version information is currently available, and exploitation status remains unconfirmed from authoritative sources.
The Zabbix Agent 2 Docker plugin contains an argument injection vulnerability in the 'docker.container_info' parameter handler that fails to properly sanitize user-supplied input before forwarding requests to the Docker daemon. An authenticated attacker who can invoke Agent 2 can exploit this flaw to read arbitrary files from running Docker containers by injecting malicious parameters through the Docker archive API, potentially exposing sensitive application data, credentials, and configuration files. While no CVSS score or EPSS data is currently available, and no indication of active exploitation in the wild has been reported, this represents a direct path to container escape and lateral movement for attackers with agent-level access.
OpenClaw before version 2026.3.2 contains a semantic drift vulnerability in the node system.run approval hardening mechanism that allows attackers to manipulate wrapper command arguments (argv) to execute unintended local scripts. An attacker with local access, low privileges, and the ability to influence wrapper argv and place malicious files in the approved working directory can achieve arbitrary script execution by exploiting argv rewriting that bypasses the intended approved command enforcement. A patch is available from the vendor, and this vulnerability affects all OpenClaw versions prior to 2026.3.2.
An Improper Neutralization of Argument Delimiters (Argument Injection) vulnerability exists in Salesforce Marketing Cloud Engagement that allows attackers to manipulate Web Services Protocol interactions through command injection. All versions of Marketing Cloud Engagement released before January 30th, 2026 are affected. An attacker with network access to the affected service can inject malicious arguments into commands, potentially leading to unauthorized actions, data exfiltration, or service compromise. No CVSS score, EPSS data, or confirmed public PoC are currently available, but the vulnerability has been officially disclosed by Salesforce with a patch deadline, indicating active remediation efforts.
OpenClaw 2026.3.1 contains an approval integrity bypass vulnerability in the system.run node-host execution feature where attackers can rewrite command-line arguments (argv) to change the semantics of operator-approved commands. An authenticated local attacker with low privileges can place malicious scripts in the working directory to execute unintended code despite the operator approving different command text, resulting in high-impact confidentiality, integrity, and availability violations. A patch is available from the vendor, and no public exploit code has been widely reported, but the vulnerability represents a critical trust boundary violation in approval workflows.
OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in the system.run function that allows authenticated operators to execute arbitrary commands on Windows systems by appending malicious arguments after cmd.exe /c while the approval audit log records only the benign command text. An authenticated attacker with operator privileges can exploit this to achieve local command execution on trusted Windows nodes with mismatched or incomplete audit trails, enabling information disclosure and lateral movement while evading detection.