Safeguard
Tag

command-injection

Safeguard articles tagged "command-injection" — guides, analysis, and best practices for software supply chain and application security.

23 articles

Vulnerability Management

Root cause: CVE-2022-40764, the Snyk CLI command injection

A crafted vendor.json field let attackers run shell commands from inside a security scanner — CVE-2022-40764 shows why CLI tools must never build shell strings.

Jul 12, 20266 min read
AI Security

Securing MCP Servers for AI Agents

Five CVEs in 2025 alone trace MCP tool compromise back to one root cause: unsanitized strings piped into exec(). Here's how to expose and consume MCP safely.

Jul 9, 20267 min read
Vulnerability Analysis

Ghostscript (CVE-2023-36664) Explained: Command Injection via Pipe Devices

CVE-2023-36664 let a crafted PostScript or EPS file run system commands through Ghostscript's mishandling of pipe device filenames. Because Ghostscript hides behind image tools, the blast radius was wide.

Jul 8, 20266 min read
Vulnerability Analysis

Ivanti Connect Secure CVE-2024-21887 Explained: Command Injection in a Two-Bug Chain

CVE-2024-21887 is a command injection in Ivanti Connect Secure that, chained with the auth bypass CVE-2023-46805, gave attackers unauthenticated RCE. Here is the timeline, root cause, and patched versions.

Jul 8, 20266 min read
Application Security

Command injection in Python: subprocess, os.system, and safe-by-default patterns

os.system() and subprocess.run(shell=True) both hand a string straight to /bin/sh — one unescaped semicolon is enough to run arbitrary commands.

Jul 8, 20266 min read
Application Security

Command injection in Go: os/exec, exec.Command, and how it still goes wrong

Go's exec.Command never invokes a shell — yet CWE-78 command injection keeps shipping in Go services. Here's exactly how, and how gosec's G204 rule catches it.

Jul 8, 20266 min read
Vulnerability Analysis

Barracuda ESG CVE-2023-2868 Explained: The Command Injection That Ended in Hardware Replacement

CVE-2023-2868 is a command injection in the Barracuda Email Security Gateway, exploited as a zero-day by UNC4841 for months. Rated CVSS 9.8, it ended with Barracuda advising physical appliance replacement.

Jul 7, 20266 min read
Security Guides

Preventing Command Injection in Python

Every time Python code shells out with user input, an attacker gets a vote on what the shell runs. The fix is almost always to stop using the shell at all.

Jul 4, 20265 min read
Security Guides

Preventing Command Injection in Go: Allowlists, Argument Safety, and Sandboxing

os/exec keeps the shell out of your way — but user-controlled binaries, flag injection, and PATH tricks still get Go services popped. Here's the prevention playbook, not just the theory.

Jul 2, 20266 min read
Security Guides

OWASP A03: Injection Explained — A Deep-Dive Guide

Injection ranks #3 in the OWASP Top 10 (2021) and now includes XSS. A deep dive into SQLi, command injection, real CVEs, and how to detect and fix it in 2026.

Jul 2, 20266 min read
Supply Chain Attacks

When the Vulnerability Is the Design: MCP STDIO Command Injection Across 150M Downloads (May 2026)

OX Security documented command injection through the MCP STDIO transport across Python, TypeScript, Java, and Rust SDKs. Anthropic calls the behavior by-design and won't patch upstream. That leaves the fix to thousands of downstream projects.

May 6, 202611 min read
Vulnerability Analysis

Cisco Firepower CVE-2024-20418 Lessons: Network Security Devices as Attack Surface

CVE-2024-20418 was a critical command injection in Cisco Firepower Management Center. The technical details, the exploitation reality, and what it teaches about NSM security.

Apr 8, 20265 min read
command-injection — Safeguard Blog