CVE-2026-40030: Os Popen Command Injection
greprules fetch cve-2026-40030-os-popen-command-injection --engine opengrep
Description
The `os.popen()` function executes commands through the shell. Passing dynamically built strings (via concatenation or formatting) can lead to OS command injection if the input contains shell metacharacters. Instead, use `subprocess.run()` with a list of arguments and `shell=False` (the default), or standard library equivalents like `os.listdir()`.
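The following is an added illustration of the pattern this rule flags and of the two fixes the description recommends; it is not code from greprules or from the rule itself. It lists a directory three ways: with `os.popen()` and string concatenation (the flagged form), with `subprocess.run()` and an argument list (no shell), and with `os.listdir()` (no external process). The `contrast()` helper feeds the same constructed metacharacter input to the unsafe and hardened variants so the difference is observable; `INJECTION_MARKER`, the function names and the sample directory are all constructed for this example. The `--` in the hardened form is a separate caveat a reviewer would want: it stops a value beginning with `-` from being parsed as an `ls` option.

```python
import os
import subprocess
import tempfile

# Constructed marker: if it appears in output, a shell interpreted the input.
INJECTION_MARKER = "INJECTED-MARKER"


def list_dir_unsafe(path: str) -> str:
    """The pattern the rule flags: user data concatenated into a shell string.

    os.popen() hands the string to /bin/sh, so any shell metacharacter in
    `path` (';', '|', '$(...)', backticks) is interpreted rather than listed.
    """
    return os.popen("ls -1 " + path).read()


def list_dir_safe(path: str) -> list[str]:
    """Hardened form: argv list, shell=False (the default), no string building.

    `path` reaches ls as one literal argument, so metacharacters cannot
    change which programs run. `--` ends option parsing so a value that
    starts with '-' cannot be read as an ls flag.
    """
    result = subprocess.run(
        ["ls", "-1", "--", path],
        capture_output=True,
        text=True,
        check=False,
    )
    if result.returncode != 0:
        raise FileNotFoundError(result.stderr.strip())
    return result.stdout.splitlines()


def list_dir_stdlib(path: str) -> list[str]:
    """Preferred form: the standard library equivalent, no process at all."""
    return sorted(os.listdir(path))


def make_sample_dir() -> str:
    """Create a constructed sample directory holding two empty files."""
    d = tempfile.mkdtemp(prefix="popen-demo-")
    for name in ("a.txt", "b.txt"):
        open(os.path.join(d, name), "w").close()
    return d


def contrast(path: str) -> dict:
    """Give both variants the same constructed input carrying a metacharacter.

    Returns, per variant, whether the appended echo command actually ran.
    """
    tainted = path + "; echo " + INJECTION_MARKER
    unsafe_ran_marker = INJECTION_MARKER in list_dir_unsafe(tainted)
    try:
        safe_output = list_dir_safe(tainted)
    except FileNotFoundError:
        # No directory literally named '<path>; echo INJECTED-MARKER' exists,
        # so ls reports an error instead of a second command running.
        safe_output = []
    safe_ran_marker = any(INJECTION_MARKER in line for line in safe_output)
    return {"unsafe_ran_marker": unsafe_ran_marker,
            "safe_ran_marker": safe_ran_marker}


if __name__ == "__main__":
    sample = make_sample_dir()
    print(list_dir_safe(sample))      # ['a.txt', 'b.txt']
    print(list_dir_stdlib(sample))    # ['a.txt', 'b.txt']
    print(contrast(sample))           # unsafe True, safe False
```

Running the block shows that the hardened variant fails closed on the tainted input (the whole string is treated as one nonexistent path) while the `os.popen()` variant executes the appended command. The `os.listdir()` form is the one to reach for first, since it removes the process boundary entirely and gives the rule nothing to match.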
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided