diff --git a/0002-fix-command-injection-vulnerabilities.patch b/0002-fix-command-injection-vulnerabilities.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a380b0a6bc99deba155b2e6f8ebbe58173a68441
--- /dev/null
+++ b/0002-fix-command-injection-vulnerabilities.patch
@@ -0,0 +1,27 @@
+From 9eb6d7f16e9dbd3c4041acba478e502b2e32c51e Mon Sep 17 00:00:00 2001
+From: rabbitali
+Date: Thu, 7 Mar 2024 15:25:33 +0800
+Subject: [PATCH 1/1] fix command injection vulnerabilities
+
+---
+ zeus/conf/constant.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/zeus/conf/constant.py b/zeus/conf/constant.py
+index ec5462f..e9ff1e6 100644
+--- a/zeus/conf/constant.py
++++ b/zeus/conf/constant.py
+@@ -22,8 +22,8 @@ from vulcanus.conf.constant import BASE_CONFIG_PATH
+ MANAGER_CONFIG_PATH = os.path.join(BASE_CONFIG_PATH, 'zeus.ini')
+
+ # ceres
+-CERES_PLUGIN_START = "aops-ceres plugin --start %s"
+-CERES_PLUGIN_STOP = "aops-ceres plugin --stop %s"
++CERES_PLUGIN_START = "aops-ceres plugin --start '%s'"
++CERES_PLUGIN_STOP = "aops-ceres plugin --stop '%s'"
+ CERES_COLLECT_ITEMS_CHANGE = "aops-ceres plugin --change-collect-items '%s'"
+ CERES_PLUGIN_INFO = "aops-ceres plugin --info"
+ CERES_APPLICATION_INFO = "aops-ceres collect --application"
+--
+2.33.0
+
diff --git a/aops-zeus.spec b/aops-zeus.spec
index 4c9fef365b0bf02822400c1b97624eb7b89dadc6..5a5cec61a1de1be8321f550bf73c313f2f1fe72d 100644
--- a/aops-zeus.spec
+++ b/aops-zeus.spec
@@ -1,11 +1,12 @@
 Name: aops-zeus
 Version: v1.2.1
-Release: 2
+Release: 3
 Summary: A host and user manager service which is the foundation of aops.
 License: MulanPSL2
 URL: https://gitee.com/openeuler/%{name}
 Source0: %{name}-%{version}.tar.gz
 Patch0001: 0001-update-cve-fix.patch
+Patch0002: 0002-fix-command-injection-vulnerabilities.patch
 BuildRequires: python3-setuptools
 Requires: aops-vulcanus >= v1.2.0
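Review bot: Wrapping `%s` in single quotes in CERES_PLUGIN_START and CERES_PLUGIN_STOP only neutralises shell metacharacters outside the quotes; a substituted value that itself contains a single quote closes the quoted argument and the rest is parsed by the shell again, so the template change alone does not remove the injection if the value is attacker-controlled and the string reaches a shell. The code that formats these templates is not in this patch, so I cannot confirm what validation the value gets; CERES_COLLECT_ITEMS_CHANGE on the context line below already uses the same quoting and has the same limitation. A static template cannot quote correctly for every value, so the quoting belongs at the formatting site, e.g. `shlex.quote(value)` substituted into an unquoted `%s`, or, assuming subprocess is used, an argument list such as `subprocess.run(["aops-ceres", "plugin", "--start", value], shell=False)` so no shell parses the argument at all (`value` is a placeholder name here). A strict allow-list check on the plugin name at the caller would make the value safe regardless of how it is quoted and is worth adding alongside either option.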
@@ -42,6 +43,9 @@ A host and user manager service which is the foundation of aops.
 %changelog
+* Thu Mar 07 2024 wenxin - v1.2.1-3
+- fix command injection vulnerabilities
+
 * Fri Jun 02 2023 wenxin - v1.2.1-2
 - update cve fix