CVE-2026-6119: Python Sys Executable Frozen Argument Injection
Spawning a subprocess with `sys.executable` and untrusted arguments can lead to command and argument injection in frozen environments (e.g., Electron, PyInstaller). In such environments, `sys.executable` evaluates to the application bundle rather than the Python interpreter. Attacker-controlled args are then parsed directly by the bundle's CLI router, potent
Pythongreprules fetch cve-2026-6119-python-sys-executable-frozen-argument-injection --engine opengrepDescription
Spawning a subprocess with `sys.executable` and untrusted arguments can lead to command and argument injection in frozen environments (e.g., Electron, PyInstaller). In such environments, `sys.executable` evaluates to the application bundle rather than the Python interpreter. Attacker-controlled args are then parsed directly by the bundle's CLI router, potent
Community feedback
0 signals from signed-in users.
- Useful
- 0
- False positive
- 0
- Metadata
- 0