Will It Vibe logoWill It Vibe?
PHP-005Critical severity-25 points

Shell command fed directly by request input

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

The backtick shell-exec operator or exec() runs a command built from $_GET/$_POST/$_REQUEST/$_COOKIE/$_SERVER, which is direct OS command injection: the request can append arbitrary shell syntax.

Why it matters

Passing request data into a backtick shell-exec expression or exec() hands the request a way to inject shell syntax, chaining in additional commands with characters like ; or |. Command injection in a PHP request handler is routinely used to gain a full remote shell on the host.

How to fix it

Avoid invoking a shell with request data entirely where possible. If a value from the request must be used, wrap it with escapeshellarg() as its own argument (not concatenated into a larger command string) and prefer the array-argument form via proc_open, or replace the shell call with a native PHP function that does the same job without spawning a process.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks