diff --git a/0011-fix-command-injection-vulnerabilities.patch b/0011-fix-command-injection-vulnerabilities.patch
new file mode 100644
index 0000000000000000000000000000000000000000..637995e56ad4c8fb4727346e010317bdd83360ed
--- /dev/null
+++ b/0011-fix-command-injection-vulnerabilities.patch
@@ -0,0 +1,27 @@
+From 1b2b79f2f3027be1a6d9280b5c091f3a18c5be18 Mon Sep 17 00:00:00 2001
+From: root
+Date: Thu, 7 Mar 2024 09:19:00 +0800
+Subject: [PATCH 1/1] fix command injection vulnerabilities
+
+---
+ zeus/conf/constant.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/zeus/conf/constant.py b/zeus/conf/constant.py
+index 1370d6e..167d6c0 100644
+--- a/zeus/conf/constant.py
++++ b/zeus/conf/constant.py
+@@ -22,8 +22,8 @@ from vulcanus.conf.constant import BASE_CONFIG_PATH
+ MANAGER_CONFIG_PATH = os.path.join(BASE_CONFIG_PATH, 'zeus.ini')
+ 
+ # ceres
+-CERES_PLUGIN_START = "aops-ceres plugin --start %s"
+-CERES_PLUGIN_STOP = "aops-ceres plugin --stop %s"
++CERES_PLUGIN_START = "aops-ceres plugin --start '%s'"
++CERES_PLUGIN_STOP = "aops-ceres plugin --stop '%s'"
+ CERES_COLLECT_ITEMS_CHANGE = "aops-ceres plugin --change-collect-items '%s'"
+ CERES_PLUGIN_INFO = "aops-ceres plugin --info"
+ CERES_APPLICATION_INFO = "aops-ceres collect --application"
+-- 
+2.33.0
+
diff --git a/aops-zeus.spec b/aops-zeus.spec
index 404acbc1ecfd40f781eaa59700397c08bfcd527f..3f9f5ebcb5674af226722540045b17739f4d8506 100644
--- a/aops-zeus.spec
+++ b/aops-zeus.spec
@@ -1,6 +1,6 @@
 Name: aops-zeus
 Version: v1.4.0
-Release: 6
+Release: 7
 Summary: A host and user manager service which is the foundation of aops.
 License: MulanPSL2
 URL: https://gitee.com/openeuler/%{name}
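Review bot: Wrapping `%s` in single quotes in `CERES_PLUGIN_START` and `CERES_PLUGIN_STOP` only neutralises the shell if the substituted plugin name can never contain a single quote itself; a `'` inside the value closes the quoted span and the remainder is parsed by the shell again, so the constants alone do not close the injection (the pre-existing `CERES_COLLECT_ITEMS_CHANGE` has the same limitation). The code that formats these templates and executes them is not in this patch, so whether the value is validated or escaped upstream cannot be seen here. A more robust shape is to keep the templates unquoted and have the caller quote the value, `CERES_PLUGIN_START % shlex.quote(plugin_name)`, or better still to pass the command as an argument list to `subprocess.run([...], shell=False)` so no shell ever parses the value. It would also help to put a comment on these constants stating that the `%s` slot must only be filled with a shell-quoted or strictly validated value.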
@@ -15,6 +15,7 @@ Patch0007: 0007-update-verification-method-for-host-ip-field.patch Patch0008: 0008-check-host-status-when-query-host-detail.patch Patch0009: 0009-fix-error-log-when-query-host-status.patch Patch0010: 0010-update-the-exception-catching-type-of-the-function.patch +Patch0011: 0011-fix-command-injection-vulnerabilities.patch BuildRequires: python3-setuptools @@ -55,6 +56,9 @@ cp -r database %{buildroot}/opt/aops/ %changelog +* Thu Mar 07 2024 wenxin - v1.4.0-7 +- fix command injection vulnerabilities + * Wed Dec 27 2023 wenxin - v1.4.0-6 - update the exception catching type of the function