CVE-2026-26029: Node Exec Dynamic Command Injection

Provally Curated, Public repository, High, Medium confidence, Verified, Apache-2.0, typescript
greprules fetch cve-2026-26029-node-exec-dynamic-command-injection --engine opengrep

Description

Unsafe execution of dynamic commands using `child_process.exec`. Because `exec` passes the whole command string to a shell, shell metacharacters in it can be used for command injection. Use `trim`, `spawn` or `execFile` instead, passing arguments safely as an array rather than as a concatenated shell string.

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
