diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/DangerousShellChars.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/DangerousShellChars.java
index 82b39798..f4d24cbf 100644
--- a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/DangerousShellChars.java
+++ b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/DangerousShellChars.java
@@ -7,7 +7,7 @@ public final class DangerousShellChars {
 private DangerousShellChars() {}
 private static final List DANGEROUS_CHARS = Arrays.asList(
 "#", "!", "\"", "$", "&", "'", "(", ")", "*", ";", "<", "=", ">", "?",
- "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~"
+ "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~", "\r", "\f"
 );
 public static boolean containDangerousCharacter(String userInput) {
diff --git a/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java b/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
index 7b5ac880..c2bc4d66 100644
--- a/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
+++ b/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
@@ -439,6 +439,7 @@ void testItFlagsCommaInLoop() {
 void testCarriageReturnAsSeparator() {
 // \r (carriage return) as separator before dangerous command
 assertIsShellInjection("ls\rrm", "rm");
+ assertIsShellInjection("sleep\r5", "sleep\r5");
 assertIsShellInjection("echo test\rrm -rf /", "rm");
 }
 
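Review bot: `DANGEROUS_CHARS` is still declared as a raw `List` on the line directly above the change, so the new `"\r"`/`"\f"` entries and every existing one are stored as `Object` and any `contains` lookup against them is unchecked; `private static final List<String> DANGEROUS_CHARS = Arrays.asList(` fixes that without touching callers. The two additions also carry no comment saying why they belong in this list: `\r` and `\f` are not POSIX sh metacharacters, so a reader will ask whether they are meant as whitespace-class bytes the detector treats as separators, in which case vertical tab (`\u000B`) is the one still absent and it is unclear whether that is deliberate. A one-line comment such as `// \r and \f: treated as command separators by the detector; keep this list in sync with its separator set` would settle the intent. `containDangerousCharacter` begins on the hunk's last line and its body lies outside the hunk.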
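Review bot: The added `assertIsShellInjection("sleep\r5", "sleep\r5")` does not exercise what this method's comment describes, `\r` as a separator before a dangerous command, because the user input here is the entire command and `5` is not a command at all; it pins the whole-command-equals-input property that the new `testCommandExactlyMatchesUserInputWithSeparators` method added in this same commit is dedicated to. Moving it there (together with its `\f` twin in the next hunk) keeps each method's comment truthful and makes the whole-command cases easy to find in one place. `testCarriageReturnAsSeparator` is complete within the hunk, though any `@Test` annotation on it sits above the hunk.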
@@ -446,6 +447,16 @@ void testCarriageReturnAsSeparator() {
 void testFormFeedAsSeparator() {
 // \f (form feed) as separator before dangerous command
 assertIsShellInjection("ls\frm", "rm");
+ assertIsShellInjection("sleep\f5", "sleep\f5");
 assertIsShellInjection("echo test\frm -rf /", "rm");
 }
+
+ @Test
+ void testCommandExactlyMatchesUserInputWithSeparators() {
+ // When command equals userInput and contains \r or \f separators
+ assertIsShellInjection("ls\rrm", "ls\rrm");
+ assertIsShellInjection("ls\frm", "ls\frm");
+ assertIsShellInjection("echo\rcat /etc/passwd", "echo\rcat /etc/passwd");
+ assertIsShellInjection("echo\fcat /etc/passwd", "echo\fcat /etc/passwd");
+ }
 }
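Review bot: The new `testCommandExactlyMatchesUserInputWithSeparators` pins the whole-command case for `\r` and `\f` only, and nothing in the suite records what the detector is meant to do for vertical tab (`\u000B`), the remaining C-locale whitespace byte that the companion `DangerousShellChars` change leaves out; a reader cannot tell whether that omission is intentional. Adding one assertion for it, either `assertIsShellInjection("ls\u000Brm", "ls\u000Brm")` or the negative counterpart if the suite has such a helper, would make the intended separator set explicit rather than implied by the list's contents. The added method's comment could also say that user input spanning the whole command is the case where a separator-only check has nothing to split on, since that is the property distinguishing it from the two separator tests above. The method is complete within the hunk and the class closes on the hunk's final line.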