CWE-786 advisories

OS Command Injection

What it is

User input is passed to a shell, letting an attacker run arbitrary operating-system commands.

How to fix it

Upgrade, then call programs with an argument array (no shell) and validate inputs.

How to avoid it

Avoid the shell; use exec-with-args APIs and strict allow-lists for any command parameters.

Known OS Command Injection vulnerabilities

CVE-2025-54136 — high · Cursor/Cursor AI code editor
SC-PPE-CICDSEC4-2022 — critical · CI/CD/Poisoned Pipeline Execution (PPE) · exploited
CVE-2021-38647 — critical · Cloud · Azure/Azure Open Management Infrastructure (OMI) · exploited
CVE-2021-22205 — critical · Web app/OS Command Injection · exploited
SC-GHA-SCRIPT-INJECTION-2020 — high · CI/CD · GitHub Actions/GitHub Actions workflows
CVE-2014-6271 — critical · Linux/GNU Bash · exploited

Stateward flags OS Command Injection in your own code and dependencies on every pull request.

Scan my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.