Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-6hxm-nnhg-buex
Vulnerability ID VCID-6hxm-nnhg-buex
Aliases CVE-2022-24288
GHSA-3v7g-4pg3-7r6j
PYSEC-2022-30
Summary In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.89825 https://api.first.org/data/v1/epss?cve=CVE-2022-24288
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-24288
https://github.com/advisories/GHSA-3v7g-4pg3-7r6j
https://github.com/apache/airflow
https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-30.yaml
https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t
CVE-2022-24288 https://nvd.nist.gov/vuln/detail/CVE-2022-24288
No exploits are available.
There are no known vectors.
Exploit Prediction Scoring System (EPSS)
Percentile 0.99587
EPSS Score 0.89825
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:30:01.341530+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/apache-airflow/PYSEC-2022-30.yaml 38.6.0