Command injection is an application flaw in which untrusted input reaches operating-system command execution in ways that let the application lose control over what the host actually runs.
Command injection is an application flaw in which untrusted input reaches operating-system command execution in ways the application did not intend. In plain language, it means the application passes unsafe data into a system command path and loses control over what the host actually ends up doing.
Command injection matters because the impact can be severe when an application can reach the underlying operating system, privileged utilities, local files, or sensitive service accounts. A relatively small input-handling mistake can therefore become a much larger system-level problem.
It also matters because this flaw usually reflects a deeper engineering problem: the application is combining untrusted input with a powerful execution path that should have been tightly constrained or avoided entirely.
Command injection appears in administrative web tools, backend wrappers around system utilities, file-processing services, deployment helpers, and legacy integrations that call shell commands. Teams review it during secure-code review, architecture cleanup, and incident investigation where server-side execution paths are in scope.
It connects to Input Validation, Secure Coding, Least Privilege, Sandboxing, and Command-Line Auditing. Defenders typically focus on avoiding unnecessary command execution, using safer libraries or APIs, and tightly constraining any command path that truly must exist.
A web application calls a system utility to process uploaded files. The intended task is harmless, but the application constructs the command from request data without enough separation between fixed program logic and user-controlled values. The security issue is that the server may end up running behavior well beyond simple file processing because the application treated a powerful command path too casually.
Command injection is not the same as SQL Injection. SQL injection targets database query handling, while command injection affects operating-system-level command execution.
It is also not solved by frontend validation alone because the risk comes from how the server handles input internally. Client-side restrictions may help usability, but they are not a trustworthy enforcement point.
This issue is also not only about malicious input strings. The broader lesson is that applications should avoid mixing external input with powerful execution mechanisms whenever a safer design exists.