Home/CWE/Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Weakness

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CWE-88 · Base · Draft

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Extended description

When creating commands using interpolation into a string, developers may assume that only the arguments/options that they specify will be processed. This assumption may be even stronger when the programmer has encoded the command in a way that prevents separate commands from being provided maliciously, e.g. in the case of shell metacharacters. When constructing the command, the developer may use whitespace or other delimiters that are required to separate arguments when the command.

However, if an attacker can provide an untrusted input that contains argument-separating delimiters, then the resulting command will have more arguments than intended by the developer. The attacker may then be able to change the behavior of the command. Depending on the functionality supported by the extraneous arguments, this may have security-relevant consequences.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ChildOfCWE-77 · Improper Neutralization of Special Elements used in a Command ('Command Injection')

Attack Patterns (CAPEC)

5
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-137Parameter Injection
CAPEC-174Flash Parameter Injection
CAPEC-41Using Meta-characters in E-mail Headers to Inject Malicious Payloads
CAPEC-460HTTP Parameter Pollution (HPP)
CAPEC-88OS Command Injection

CVEs With This Weakness

397
A sample of the 397 CVEs tagged with this weakness.
CVECVE-2026-8773
CVECVE-2026-7865
CVECVE-2026-7725
CVECVE-2026-6437
CVECVE-2026-46483
CVECVE-2026-45181
CVECVE-2026-45158
CVECVE-2026-4438
CVECVE-2026-44193
CVECVE-2026-43943
CVECVE-2026-43941
CVECVE-2026-43893

Nuclei Scanner Templates

4
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
criticalInspur Clusterengine V4 SYSshell - Remote Command Execution
criticalInspur ClusterEngine 4.0 - Remote Code Execution
criticalWordPress PHPMailer < 5.2.18 - Remote Code Execution
criticalRuby Dragonfly <1.4.0 - Remote Code Execution
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin