Mascia

**Name of the Vulnerable Software and Affected Versions** LLama-Index CLI version v0.12.20 **Description** The LLama-Index CLI contains an OS command injection issue due to the improper handling of the `--files` argument, which is directly passed into `os.system`. This allows an attacker who controls the content of this argument to inject and execute arbitrary shell commands. The issue can be exploited locally if the attacker has control over the CLI arguments, and remotely if a web application calls the LLama-Index CLI with a user-controlled filename, potentially leading to arbitrary code execution on the affected system. **Recommendations** For version v0.12.20, consider disabling the `--files` argument until a patch is available to prevent the injection of arbitrary shell commands. Restrict access to the LLama-Index CLI to minimize the risk of exploitation, especially in scenarios where user-controlled input may be passed to the CLI.