CVE-2025-6775: WTForms Shell Command Injection

Unsanitized WTForms `.data` input is appended to a list, joined with spaces, and passed to an execution sink. This allows an attacker to inject shell metacharacters and execute arbitrary shell commands. Pass arguments as separate list elements (or through another parameterized interface) rather than joining them into a single command string.

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | Python
greprules fetch cve-2025-6775-wtforms-shell-command-injection --engine opengrep

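As an added illustration (not code from the rule or the Provally repository), here is the flagged pattern next to its fix. Because `.data` is simply text the remote user typed into the form, a constructed stand-in replaces the real WTForms field; `FakeField`, `build_command_unsafe`, `build_command_safe` and `child_sees` are names chosen for this example.

```python
import subprocess


class FakeField:
    """Constructed stand-in for a WTForms field such as form.filename.
    In a real view `field.data` is whatever the remote user submitted."""

    def __init__(self, data):
        self.data = data


def build_command_unsafe(field):
    """The pattern the rule flags: untrusted .data is appended to a list,
    the list is joined with spaces, and the resulting single string is
    destined for a shell (subprocess.run(cmd, shell=True), os.system, ...).
    With data 'report.txt; echo injected' the shell receives two commands."""
    args = ["wc", "-c"]
    args.append(field.data)
    return " ".join(args)


def build_command_safe(field):
    """Hardened form: the list is never joined. Each element becomes exactly
    one argv entry of the child process, so metacharacters in .data are
    passed literally and no shell ever parses them."""
    args = ["wc", "-c"]
    args.append(field.data)
    return args  # run with subprocess.run(args)  (shell defaults to False)


def child_sees(field):
    """Run a harmless argv-form command to show what the child process
    actually receives as the user-controlled argument: the whole value,
    metacharacters included, as a single argument."""
    completed = subprocess.run(
        ["printf", "%s", field.data], capture_output=True, text=True, check=True
    )
    return completed.stdout


if __name__ == "__main__":
    # Constructed sample input containing shell metacharacters.
    field = FakeField("report.txt; echo injected")
    print(build_command_unsafe(field))  # wc -c report.txt; echo injected
    print(build_command_safe(field))    # ['wc', '-c', 'report.txt; echo injected']
    print(child_sees(field))            # report.txt; echo injected
```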