diff --git a/README.md b/README.md
index 21c4dac..ea39499 100644
--- a/README.md
+++ b/README.md
@@ -3,3 +3,4 @@ jh
 cdsav
 kjhbvljhv
 wfewqfd
+acWDSCV
diff --git a/sample-vuln/app.py b/sample-vuln/app.py
new file mode 100644
index 0000000..54729b8
--- /dev/null
+++ b/sample-vuln/app.py
@@ -0,0 +1,21 @@
+
+@app.route("/ping")
+from flask import request
+
+@app.route("/ping")
+def ping():
+ ip = request.args.get("ip", "127.0.0.1")
+ import ipaddress, subprocess
+ try:
+ # PRECOGS_FIX: validate the IP address strictly using ipaddress
+ ip_obj = ipaddress.ip_address(ip)
+ except Exception:
+ return {"error": "invalid ip"}, 400
+
+ # PRECOGS_FIX: call ping without invoking a shell, pass arguments as a list
+ try:
+ subprocess.run(["ping", "-c", "1", str(ip_obj)], check=False)
+ except FileNotFoundError:
+ return {"error": "ping command not available"}, 500
+
+ return {"status": "ok"}
\ No newline at end of file
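Review bot: The new sample-vuln/app.py does not import: the stray `@app.route("/ping")` on line 2 of the hunk decorates the `from flask import request` statement, which is a SyntaxError, and nothing in the file defines `app` (no `from flask import Flask` / `app = Flask(__name__)`), so the fixed handler can never be registered. The validation itself is sound, but `except Exception` around `ipaddress.ip_address(ip)` should be the specific `except ValueError:`, which is what the parser raises for malformed input. The `subprocess.run(["ping", "-c", "1", str(ip_obj)], check=False)` call has no `timeout=`, so a request for an unreachable address ties up a worker for the full ping wait, and any `timeout=` needs a matching `except subprocess.TimeoutExpired:` branch; an IPv6 address passes validation but may need a different ping invocation on some platforms, which is worth a comment at the validation site.
```python
from flask import Flask, request

app = Flask(__name__)


@app.route("/ping")
def ping():
    # … unchanged: read `ip` from the query string, local imports …
    try:
        # PRECOGS_FIX: validate the IP address strictly using ipaddress
        ip_obj = ipaddress.ip_address(ip)
    except ValueError:
        return {"error": "invalid ip"}, 400

    # PRECOGS_FIX: call ping without invoking a shell, pass arguments as a list;
    # bound the wait so an unreachable target cannot hold a worker indefinitely
    try:
        subprocess.run(["ping", "-c", "1", str(ip_obj)], check=False, timeout=5)
    except FileNotFoundError:
        return {"error": "ping command not available"}, 500
    except subprocess.TimeoutExpired:
        return {"error": "ping timed out"}, 504
    # … unchanged: success response …
```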