CWE-88: Argument Injection — known CVE vulnerabilities
CVEs classified under CWE-88 (Argument Injection), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-57572 — CVSS 10.0 (critical): Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server accepted request-supplied…
CVE-2026-40281 — CVSS 10.0 (critical): Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata…
CVE-2023-6269 — CVSS 10.0 (critical): An argument injection vulnerability has been identified in the administrative web interface of the Atos Unify OpenScape products "Session…
CVE-2007-0882 — CVSS 10.0 (critical): Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client…
CVE-2004-0480 — CVSS 10.0 (critical): Argument injection vulnerability in IBM Lotus Notes 6.0.3 and 6.5 allows remote attackers to execute arbitrary code via a notes: URI that…
CVE-2026-47365 — CVSS 9.9 (critical): Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass…
CVE-2026-44450 — CVSS 9.9 (critical): Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an…
CVE-2024-47553 — CVSS 9.9 (critical): A vulnerability has been identified in SINEC Security Monitor (All versions < V4.9.0). The affected application does not properly validate…
CVE-2024-39930 — CVSS 9.9 (critical): The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution…
CVE-2018-3856 — CVSS 9.9 (critical): An exploitable vulnerability exists in the smart cameras RTSP configuration of the Samsung SmartThings Hub STH-ETH-250 - Firmware version…
CVE-2026-31230 — CVSS 9.8 (critical): The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component…
CVE-2026-42601 — CVSS 9.8 (critical): ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in…
CVE-2025-70327 — CVSS 9.8 (critical): TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the…
CVE-2026-22583 — CVSS 9.8 (critical): Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement…
CVE-2026-22582 — CVSS 9.8 (critical): Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement…
CVE-2025-52480 — CVSS 9.8 (critical): Registrator is a GitHub app that automates creation of registration pull requests for julia packages to the General registry. Prior to…
CVE-2024-47516 — CVSS 9.8 (critical): A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution…
CVE-2025-21613 — CVSS 9.8 (critical): go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git…
CVE-2024-35307 — CVSS 9.8 (critical): Argument Injection Leading to Remote Code Execution in Realtime Graph Extension, allowing unauthenticated attackers to execute arbitrary…
CVE-2024-3817 — CVSS 9.8 (critical): HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does…
CVE-2024-23731 — CVSS 9.8 (critical): The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function…
CVE-2023-33378 — CVSS 9.8 (critical): Connected IO v2.1.0 and prior has an argument injection vulnerability in its AT command message in its communication protocol, enabling…
CVE-2023-33376 — CVSS 9.8 (critical): Connected IO v2.1.0 and prior has an argument injection vulnerability in its iptables command message in its communication protocol…
CVE-2022-45062 — CVSS 9.8 (critical): In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper.
CVE-2022-42968 — CVSS 9.8 (critical): Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.
CVE-2022-24437 — CVSS 9.8 (critical): The package git-pull-or-clone before 2.0.2 are vulnerable to Command Injection due to the use of the --upload-pack feature of git which is…
CVE-2022-23221 — CVSS 9.8 (critical): H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the…
CVE-2021-37040 — CVSS 9.8 (critical): There is a Parameter injection vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause privilege…
CVE-2021-33564 — CVSS 9.8 (critical): An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files…
CVE-2021-24030 — CVSS 9.8 (critical): The fbgames protocol handler registered as part of Facebook Gameroom does not properly quote arguments passed to the executable. That…
CVE-2020-21224 — CVSS 9.8 (critical): A Remote Code Execution vulnerability has been found in Inspur ClusterEngine V4.0. A remote attacker can send a malicious login packet to…
CVE-2021-26937 — CVSS 9.8 (critical): encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or…
CVE-2021-3401 — CVSS 9.8 (critical): Bitcoin Core before 0.19.0 might allow remote attackers to execute arbitrary code when another application unsafely passes the…
CVE-2020-5648 — CVSS 9.8 (critical): Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in TCP/IP function included in the…
CVE-2020-15692 — CVSS 9.8 (critical): In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file…
CVE-2020-5599 — CVSS 9.8 (critical): TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model…
CVE-2019-12148 — CVSS 9.8 (critical): The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to an authentication bypass via an argument injection…
CVE-2019-12147 — CVSS 9.8 (critical): The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the…
CVE-2019-10746 — CVSS 9.8 (critical): mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into…
CVE-2019-9794 — CVSS 9.8 (critical): A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell…
CVE-2019-3463 — CVSS 9.8 (critical): Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict…
CVE-2018-17456 — CVSS 9.8 (critical): Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows…
CVE-2018-13385 — CVSS 9.8 (critical): There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission…
CVE-2018-10992 — CVSS 9.8 (critical): lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment…