The application passes user-supplied input to system shell commands without proper sanitization, allowing attackers to inject and execute arbitrary operating system commands.
An attacker could execute arbitrary commands on the host operating system, leading to full system compromise, data exfiltration, installation of backdoors, or lateral movement within the network.
Avoid calling OS commands directly from application code. Use language-specific libraries and APIs instead. If OS commands are necessary, use parameterized interfaces, validate input against strict allowlists, and never concatenate user input into command strings.
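As an added illustration, not part of this advisory, the following Python contrasts the concatenated shell string the text warns about with a hardened version that validates the user-controlled value against a strict allowlist and passes it as a separate argv element with no shell involved. The log directory, the file-name pattern and the use of `wc -l` are assumptions made for the example.

```python
import re
import subprocess
from pathlib import Path

# Constructed scenario: a log-viewer feature reports the line count of a log
# file whose name comes from the user. The base directory is an assumption.
LOG_DIR = Path("/var/log/app")

# Strict allowlist for the user-controlled name: letters, digits, '.', '_', '-'.
# No '/', whitespace or shell metacharacters, so traversal and injection
# attempts are rejected before any command is built.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_command(name: str) -> str:
    """The pattern the advisory describes: user input concatenated into a
    string destined for shell=True. Returned here, never executed, so the
    contrast with build_argv() is visible."""
    return f"wc -l {LOG_DIR}/{name}"


def is_allowed(name: str) -> bool:
    """True only if the name matches the allowlist pattern exactly."""
    return SAFE_NAME.fullmatch(name) is not None


def build_argv(name: str, base_dir: Path = LOG_DIR) -> list[str]:
    """Hardened path: validate, then build an argument vector. Each element
    reaches the program as one argument; nothing parses it as shell syntax."""
    if not is_allowed(name):
        raise ValueError("file name rejected by allowlist")
    target = base_dir / name
    # Belt and braces: the resolved path must stay inside base_dir.
    if base_dir.resolve() not in target.resolve().parents:
        raise ValueError("path escapes log directory")
    return ["wc", "-l", str(target)]


def count_lines(name: str, base_dir: Path = LOG_DIR) -> int:
    """Run the allowlisted command without a shell and parse its output."""
    argv = build_argv(name, base_dir)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return int(result.stdout.split()[0])
```

With an argv list, a name such as `app.log; id` is rejected by the allowlist first, and even if it reached `subprocess.run` it would be passed to `wc` as a single file-name argument rather than interpreted.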