diff --git a/flask_webgoat/actions.py b/flask_webgoat/actions.py
index f75e57eb..8820d7b2 100644
--- a/flask_webgoat/actions.py
+++ b/flask_webgoat/actions.py
@@ -40,16 +40,22 @@ def log_entry():
 @bp.route("/grep_processes")
 def grep_processes():
     name = request.args.get("name")
-    # vulnerability: Remote Code Execution
+    # Fixed: avoid shell=True to prevent command injection
     res = subprocess.run(
-        ["ps aux | grep " + name + " | awk '{print $11}'"],
-        shell=True,
+        ["ps", "aux"],
         capture_output=True,
     )
     if res.stdout is None:
         return jsonify({"error": "no stdout returned"})
     out = res.stdout.decode("utf-8")
-    names = out.split("\n")
+    lines = out.split("\n")
+    # Filter lines containing the name and extract the 11th field (command)
+    names = []
+    for line in lines:
+        if name and name in line:
+            parts = line.split()
+            if len(parts) >= 11:
+                names.append(parts[10])  # 0-indexed, so field 11 is index 10
     return jsonify({"success": True, "names": names})
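Review bot: A missing or empty `name` query parameter is only caught inside the loop (`if name and name in line`), so the endpoint still spawns `ps aux` and then answers `{"success": True, "names": []}` instead of reporting the bad request; move the check before the subprocess call, `if not name: return jsonify({"error": "missing name"}), 400`. The new code also never inspects `res.returncode`, so a failed `ps` run yields the same empty-but-successful response; a `if res.returncode != 0: return jsonify({"error": "ps failed"}), 500` after the call would distinguish the two. Note that `name in line` is a substring match over the whole `ps aux` row (user, TTY, START and arguments included), not just the command column, and the header row is scanned too, so a name such as `COMMAND` or `PID` will surface the header's 11th field; if only the command is meant, compare against `parts[10]` after splitting. The `# Fixed:` comment records history rather than intent; a comment like `# Run ps without a shell and filter in Python so the user-supplied name never reaches a command line` tells the next reader why the list form matters. grep_processes is fully contained in this hunk.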