CVE-2024-21663: Discord Bot Command Shell Injection Unsanitized
`greprules fetch cve-2024-21663-discord-bot-command-shell-injection-unsanitized --engine opengrep`
Description
Discord command handler interpolates user-controlled `$ARG` into a shell command string and executes it with `subprocess.*(..., shell=True)` without first calling `CommandInjection.sanitizeInput($ARG)`. Any user able to invoke this command can inject shell metacharacters (`;`, `&&`, `|`, backticks, `$()`) and execute arbitrary OS commands on the bot host (CV
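The pattern the rule flags and the shape of a fix, as an added Python example that is not part of the rule or of any Discord bot's code. A plain function stands in for the Discord command handler, `echo` stands in for whatever tool the bot wraps, and the allowlist regex is an assumption about what a valid argument looks like for this hypothetical command.

```python
import re
import shlex
import subprocess

# Hypothetical command: the bot runs a fixed tool with one user-supplied
# argument. `echo` is a stand-in for the real tool so the example runs anywhere.
TOOL = ["echo"]

# Assumed allowlist for this command: letters, digits, dots and hyphens, capped
# in length. Narrow input validation is the first control; shell=False is the second.
_ARG_RE = re.compile(r"^[A-Za-z0-9.-]{1,64}$")


class InvalidArgument(ValueError):
    """Raised when a command argument falls outside the allowlist."""


def vulnerable_handler(arg: str) -> str:
    # What the rule matches: user input interpolated into a shell string and run
    # with shell=True, so metacharacters in `arg` are parsed by /bin/sh.
    cmd = f"echo {arg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_arg(arg: str) -> str:
    if not _ARG_RE.fullmatch(arg):
        raise InvalidArgument("argument contains characters outside the allowlist")
    return arg


def hardened_handler(arg: str) -> str:
    # argv list with shell=False: no shell ever parses the string, so `;`, `|`,
    # backticks and `$()` are plain bytes inside a single argument. The argument
    # is still validated first so unexpected values never reach the tool at all.
    argv = TOOL + [validate_arg(arg)]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=5)
    return result.stdout


def quoted_shell_handler(arg: str) -> str:
    # Fallback only for code that cannot drop shell=True (e.g. a legacy pipeline):
    # shlex.quote turns the argument into one literal POSIX-shell word.
    cmd = f"echo {shlex.quote(arg)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
```

Compare the three handlers on the same constructed input such as `a; echo b`: the vulnerable one runs two commands, while the hardened and quoted forms keep the text as a single argument or reject it outright.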
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided