Will It Vibe logoWill It Vibe?
INJECT-014Medium severity-8 points

Shell exec function fed a variable (PHP)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

shell_exec/system/passthru/proc_open/popen is called with a $variable in the command, which is a command injection risk when the value is user-controlled.

Why it matters

shell_exec, system, passthru, proc_open, and popen run their argument through a shell, so a $variable in the command lets a crafted value inject extra commands. This is high impact with user-controlled input. It is a heuristic because it cannot confirm the variable is untrusted.

How to fix it

Avoid the shell functions for anything that includes input. Use escapeshellarg on each dynamic argument if a shell call is unavoidable, or use proc_open with an argument array (PHP 7.4+) so arguments are not shell-parsed. Better, use a native PHP API instead of shelling out.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks