CVE-2026-11408: Nodejs Class Method Command Injection
OS Command Injection detected. A parameter from a class method is flowing into a command execution sink (`exec` or `execSync`). This allows attackers to execute arbitrary operating system commands. To fix this, replace `exec` and `execSync` with `spawn` or `spawnSync` and pass arguments as an array rather than interpolating user inputs into a single string.
Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | JS
greprules fetch cve-2026-11408-nodejs-class-method-command-injection --engine opengrep
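The pattern this rule flags next to the fix the description recommends, as an added example that is not part of the rule or its test fixtures. The class names, the `print` method and the use of `echo` as a stand-in for a wrapped tool are assumptions.

```javascript
// Added example (not the rule's own fixture). `echo` stands in for whatever
// external tool the class wraps; class and method names are hypothetical.
const { execSync, spawnSync } = require('child_process');

class VulnerableLabeler {
  // Sink the rule flags: the method parameter is interpolated into a string
  // that the shell parses, so ';' ends the command and starts another one.
  print(label) {
    return execSync(`echo ${label}`, { encoding: 'utf8' });
  }
}

class HardenedLabeler {
  // Fix from the description: spawnSync with an argument array. No shell is
  // started (shell defaults to false), so metacharacters stay literal data.
  print(label) {
    const res = spawnSync('echo', [label], { encoding: 'utf8' });
    if (res.error) throw res.error;
    if (res.status !== 0) throw new Error(`echo exited with ${res.status}`);
    return res.stdout;
  }
}

// Constructed input: a benign marker shows whether a second command ran.
const input = 'build-42; echo INJECTED';

function demo() {
  return {
    vulnerable: new VulnerableLabeler().print(input),
    hardened: new HardenedLabeler().print(input),
  };
}

console.log(demo());
```

Passing an argument array only removes shell interpretation. A value that begins with `-` can still be read as an option by the target program, so validate the parameter as well.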