CVE-2026-2130: Array Join Command Injection
Detected construction of a shell command string using array `.join(' ')` prior to execution. This bypasses shell argument boundaries and can lead to command injection if unescaped inputs are present. Pass arguments as an explicit array to an execution API like `execFile` or `spawn` instead of squashing them into a string.
Provally CuratedPublic repositoryHighMedium confidenceVerifiedApache-2.0
JS
JSgreprules fetch cve-2026-2130-array-join-command-injection --engine opengrepDescription
Detected construction of a shell command string using array `.join(' ')` prior to execution. This bypasses shell argument boundaries and can lead to command injection if unescaped inputs are present. Pass arguments as an explicit array to an execution API like `execFile` or `spawn` instead of squashing them into a string.
Community feedback
0 signals from signed-in users.
- Useful
- 0
- False positive
- 0
- Metadata
- 0