CWE•Base•Draft•20 recent CVEs
CWE-88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Description
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
[object Object]
Common consequences
- Confidentiality,Integrity,Availability,Other→Execute Unauthorized Code or Commands,Alter Execution Logic,Read Application Data,Modify Application DataAn attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior.
Potential mitigations
- ImplementationWhere possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or ex
- Architecture and DesignUnderstand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.
- Implementation[object Object]
- ImplementationDirectly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.
- Implementation[object Object]
- ImplementationWhen exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
- ImplementationWhen your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.
- TestingUse dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Related CWEs
CWE-77Improper Neutralization of Special Elements used in a Command ('Command Injection')CWE-74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')CWE-77Improper Neutralization of Special Elements used in a Command ('Command Injection')CWE-77Improper Neutralization of Special Elements used in a Command ('Command Injection')
Recent CVEs classified under this CWE
CVE-2026-113327.82026-06-05CVE-2026-410138.12026-06-01CVE-2026-493737.12026-05-29CVE-2026-481167.52026-05-28CVE-2026-447128.22026-05-27CVE-2026-444509.92026-05-26CVE-2026-444499.12026-05-26CVE-2026-35158.52026-05-24CVE-2026-471148.82026-05-21CVE-2026-87734.72026-05-18CVE-2026-464833.62026-05-15CVE-2026-451589.12026-05-13CVE-2026-441939.12026-05-13CVE-2026-422668.82026-05-13CVE-2026-312309.82026-05-12CVE-2026-256904.32026-05-12CVE-2025-409486.82026-05-12CVE-2026-438938.22026-05-11CVE-2026-451816.52026-05-09CVE-2026-426019.82026-05-09