CWE-88: Argument Injection or Modification
340 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. The full definition is on MITRE.
CVEs classified under CWE-88 (page 4 of 7). Fields: CVE id | severity | CVSS score | EG score | date.
- CVE-2022-24433 | HIGH | CVSS 8.1 | EG 8.1 | 2022-03-11
  The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By i…
- CVE-2022-24437 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-05-01
  The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git, which is also supported for git clone. The source includes the use of the secure child process API spawn(). H…
- CVE-2022-24440 | HIGH | CVSS 8.1 | EG 8.1 | 2022-04-01
  The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 is vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch …
- CVE-2022-24828 | HIGH | CVSS 8.3 | EG 8.3 | 2022-04-13
  Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. T…
- CVE-2022-24953 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-02-17
  The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions.
- CVE-2022-25648 | HIGH | CVSS 8.1 | EG 8.1 | 2022-04-19
  The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additiona…
- CVE-2022-25766 | HIGH | CVSS 8.8 | EG 8.8 | 2022-03-21
  The package ungit before 1.5.20 is vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values (remote and ref) are passed to the git fetch command. By in…
- CVE-2022-25865 | HIGH | CVSS 8.1 | EG 8.1 | 2022-05-13
  The package workspace-tools before 0.18.4 is vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch para…
- CVE-2022-25866 | HIGH | CVSS 8.1 | EG 8.1 | 2022-04-25
  The package czproject/git-php before 4.0.3 is vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-r…
- CVE-2022-25900 | HIGH | CVSS 8.1 | EG 8.1 | 2022-07-01
  All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.
- CVE-2022-25973 | HIGH | CVSS 7.8 | EG 7.8 | 2022-08-10
  All versions of package mc-kill-port are vulnerable to Arbitrary Command Execution via the kill function, due to missing sanitization of the port argument.
- CVE-2022-26532 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-24
  An argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN s…
- CVE-2022-28391 | HIGH | CVSS 8.8 | EG 9.8 | 2022-04-03
  BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.
- CVE-2022-29184 | HIGH | CVSS 8.8 | EG 8.8 | 2022-05-20
  GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code exe…
- CVE-2022-29215 | HIGH | CVSS 7.5 | EG 7.5 | 2022-05-21
  RegionProtect is a plugin that allows users to manage certain events in certain regions of the world. Versions prior to 1.1.0 contain a YAML injection vulnerability that can cause an instant server crash if the passed arguments are not mat…
- CVE-2022-29971 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-09
  An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Athena ODBC Driver 1.1.1 through 1.1.x before 1.1.17 may allow a local user to execute arbitrary code.
- CVE-2022-29972 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-09
  An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) may allow a local user to execute arbi…
- CVE-2022-30239 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-09
  An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Athena JDBC Driver 2.0.25 through 2.0.28 may allow a local user to execute code. NOTE: this is different from CVE-2022-29971.
- CVE-2022-30240 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-09
  An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift JDBC Driver 1.2.40 through 1.2.55 may allow a local user to execute code. NOTE: this is different from CVE-2022-29972.
- CVE-2022-30284 | CRITICAL | CVSS 9.0 | EG 9.0 | 2022-05-04
  In the python-libnmap package through 0.7.2 for Python, remote command execution can occur (if used in a client application that does not validate arguments). NOTE: the vendor believes it would be unrealistic for an application to call Nma…
- CVE-2022-31084 | HIGH | CVSS 8.1 | EG 8.1 | 2022-06-27
  LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0, there are cases where LAM instantiates objects from arbitrary classes. An attacker c…
- CVE-2022-31246 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-06-17
  paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial o…
- CVE-2022-3140 | MEDIUM | CVSS 6.3 | EG 6.3 | 2022-10-11
  LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links…
- CVE-2022-31749 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-01-28
  An argument injection vulnerability in the diagnose and import pac commands in WatchGuard Fireware OS before 12.8.1, 12.1.4, and 12.5.10 allows an authenticated remote attacker with unprivileged credentials to upload or read files to limit…
- CVE-2022-36069 | HIGH | CVSS 7.3 | EG 7.3 | 2022-09-07
  Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repos…
- CVE-2022-36322 | MEDIUM | CVSS 5.4 | EG 8.8 | 2022-07-20
  In JetBrains TeamCity before 2022.04.2, build parameter injection was possible.
- CVE-2022-36804 | HIGH | CVSS 8.8 | EG 9.0 | ⚠ KEV | 2022-08-25
  Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8…
- CVE-2022-37005 | HIGH | CVSS 7.5 | EG 7.5 | 2022-08-10
  The Settings application has an argument injection vulnerability. Successful exploitation of this vulnerability may affect data confidentiality.
- CVE-2022-37027 | HIGH | CVSS 7.2 | EG 7.2 | 2022-09-21
  Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. Fo…
- CVE-2022-37705 | MEDIUM | CVSS 6.7 | EG 7.8 | 2023-04-16
  A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root privileges. The vulnerable component is the runtar SUID program, which is a wrapper to run /usr/bin/tar with specific arguments that are contro…
- CVE-2022-40677 | HIGH | CVSS 7.2 | EG 8.8 | 2023-02-16
  An improper neutralization of argument delimiters in a command ('argument injection') in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 throu…
- CVE-2022-42968 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-10-16
  Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.
- CVE-2022-44731 | MEDIUM | CVSS 5.4 | EG 5.4 | 2022-12-13
  A vulnerability has been identified in SIMATIC WinCC OA V3.15 (All versions < V3.15 P038), SIMATIC WinCC OA V3.16 (All versions < V3.16 P035), SIMATIC WinCC OA V3.17 (All versions < V3.17 P024), SIMATIC WinCC OA V3.18 (All versions < V3.18…
- CVE-2022-45062 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-09
  In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper.
- CVE-2022-46883 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-22
  Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. Some of these bugs showed evidence of memory corruption and we presume that with enough e…
- CVE-2022-47502 | HIGH | CVSS 7.8 | EG 7.8 | 2023-03-24
  Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such…
- CVE-2022-47926 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-12-22
  AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.php
- CVE-2022-4864 | MEDIUM | CVSS 5.4 | EG 5.4 | 2022-12-30
  Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
- CVE-2023-0633 | HIGH | CVSS 7.2 | EG 7.2 | 2023-09-25
  In Docker Desktop on Windows before 4.12.0, an argument injection to the installer may result in local privilege escalation (LPE). This issue affects Docker Desktop: before 4.12.0.
- CVE-2023-20224 | HIGH | CVSS 7.8 | EG 7.8 | 2023-08-16
  A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to insuf…
- CVE-2023-20260 | MEDIUM | CVSS 6.0 | EG 6.0 | 2024-01-17
  A vulnerability in the application CLI of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager could allow an authenticated, local attacker to gain escalated privileges. This vulnerability is due to improper processing…
- CVE-2023-25356 | HIGH | CVSS 8.8 | EG 8.8 | 2023-04-04
  CoreDial sipXcom up to and including 21.04 is vulnerable to Improper Neutralization of Argument Delimiters in a Command. XMPP users are able to inject arbitrary arguments into a system command, which can be used to read files from, and wri…
- CVE-2023-26143 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-09-19
  Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it p…
- CVE-2023-26310 | HIGH | CVSS 7.4 | EG 7.4 | 2023-08-09
  There is a command injection problem in the old version of the mobile phone backup app.
- CVE-2023-26782 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-04-28
  An issue discovered in mccms 2.6.1 allows remote attackers to cause a denial of service via Backend management interface -> System Configuration -> Cache Configuration -> Cache security characters.
- CVE-2023-29405 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-06-08
  The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, sp…
- CVE-2023-30577 | HIGH | CVSS 7.8 | EG 7.8 | 2023-07-26
  AMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705.
- CVE-2023-33376 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-08-04
  Connected IO v2.1.0 and prior has an argument injection vulnerability in its iptables command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
- CVE-2023-33378 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-08-04
  Connected IO v2.1.0 and prior has an argument injection vulnerability in its AT command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
- CVE-2023-34395 | HIGH | CVSS 7.8 | EG 7.8 | 2023-06-27
  Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, a privilege escalation vulnerability exists in a system due to contro…