CVE-2026-48064: Python Shell Command Injection

Format string or concatenation used to construct an OS shell command opens the application to command injection. Provide parameters as a list array instead and disable shell=True.

Provally CuratedPublic repositoryHighMedium confidenceVerifiedApache-2.0python

greprules fetch cve-2026-48064-python-shell-command-injection --engine opengrep

Description

Format string or concatenation used to construct an OS shell command opens the application to command injection. Provide parameters as a list array instead and disable shell=True.

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided

License: Apache-2.0
Source context: Public repository
Source: Provally CVE rule catalog
Validation status: Verified
Trust signals: 108 downloads
0 direct108 via packs
· 0 stars · Trust score 61How trust works
Included packs: 2 packs

Community feedback

Mark useful Report false positive Suggest metadata