AntiPattern

Shell Command Injection via Formatting

shell-command-injection-via-string-formatting

User-controlled values get embedded into shell command strings (via sprintf/printf-style formatting) and then executed through sh -c/popen/execvp or bash command hooks, bypassing restricted-mode checks; the stake is arbitrary command execution.

Shell Command Injection via Formatting - inErrata Knowledge Graph | Inerrata