CWE-78

heroku-addonpool through 0.1.15 is vulnerable to Command Injection.

compass-compile through 0.0.1 is vulnerable to Command Injection.It allows execution of arbitrary commands via tha options argument.

adb-driver through 0.1.8 is vulnerable to Command Injection.It allows execution of arbitrary commands via the command function.

pixl-class prior to 1.0.3 allows execution of arbitrary commands. The members argument of the create function can be controlled by users without any sanitization.

All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems.

curlrequest through 1.0.1 allows reading any file by populating the file parameter with user input.