CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

359 vulnerabilities with CWE-88
CVE-2026-43943 (HIGH, CVSS 7.8): electerm: RCE via malicious SSH server filename in openFileWithEditor
CVE-2026-43941 (CRITICAL, CVSS 9.6): Unvalidated shell.openExternal in electerm allows arbitrary protocol execution via terminal link click
CVE-2026-42284 (HIGH, CVSS 8.1): GitPython: Unsafe option check validates multi_options before shlex.split transforms it
CVE-2026-40281 (CRITICAL, CVSS 10.0): Gotenberg vulnerable to argument injection via newlines in ExifTool metadata values
CVE-2026-7865 (HIGH): Hidden Console Command
CVE-2026-7725 (MEDIUM, CVSS 6.3): PrefectHQ prefect GitRepository Pull storage.py argument injection
CVE-2026-40938 (HIGH, CVSS 7.5): Tekton Pipelines: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE
CVE-2026-6437 (MEDIUM, CVSS 6.5): AWS EFS CSI Driver Mount Option Injection
CVE-2026-35153 (MEDIUM, CVSS 6.7): Dell PowerProtect Data Domain 7.7.1.0-8.7.0.0 - Command Injection
CVE-2026-4145 (HIGH, CVSS 7.8): Lenovo Software Fix <7.5.5.19 - Privilege Escalation
CVE-2026-39884 (HIGH, CVSS 8.3): MCP Server Kubernetes has Argument Injection in its port_forward tool via space-splitting
CVE-2026-35033 (CRITICAL, CVSS 9.1): Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection
CVE-2026-2449 (CRITICAL): upKeeper Instant Privilege Access <=1.5.0 - Command Injection
CVE-2026-40113 (HIGH, CVSS 8.4): PraisonAI <4.5.128 Cloud Run Deployment - Argument Injection
CVE-2026-35585 (HIGH, CVSS 7.2): File Browser 2.0.0-2.63.1 Hook Runner - Command Injection
CVE-2026-34769 (HIGH, CVSS 7.7): Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
CVE-2026-35538 (LOW, CVSS 3.1): Roundcube Webmail < 1.5.14, 1.6.0-1.6.14, 1.7-beta-1.7-rc5 - IMAP Injection via Search Command Arguments
CVE-2026-0634 (HIGH, CVSS 7.8): Code Execution in AssistFeedbackService on TECNO Pova7 Pro 5G
CVE-2026-29954 (HIGH, CVSS 7.6): KubePlus 4.1.4 - chartURL Server-Side Request Forgery and Header Injection
CVE-2026-22738 (CRITICAL, CVSS 9.8): SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution
CVE-2026-23924 (MEDIUM): Agent 2 Docker plugin arbitrary file read via Docker API injection
CVE-2026-2298 (CRITICAL, CVSS 9.4): Salesforce Marketing Cloud Engagement - Command Injection
CVE-2026-4438 (MEDIUM, CVSS 5.4): gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames
CVE-2026-29608 (MEDIUM, CVSS 6.7): OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting
CVE-2026-22168 (MEDIUM, CVSS 6.5): OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run