diff --git a/system/Commands/Server/Serve.php b/system/Commands/Server/Serve.php
index 24b592f5b396..caf431abbbd2 100644
--- a/system/Commands/Server/Serve.php
+++ b/system/Commands/Server/Serve.php
@@ -1,5 +1,4 @@
 <?php
-
 /**
  * CodeIgniter
  *
@@ -46,50 +45,100 @@
  *
  * Not testable, as it throws phpunit for a loop :-/
  *
+ * @package CodeIgniter\Commands\Server
+ *
  * @codeCoverageIgnore
  */
 class Serve extends BaseCommand
 {
+	/**
+	 * Minimum PHP version
+	 *
+	 * @var string
+	 */
 	protected $minPHPVersion = '7.2';
 
-	protected $group       = 'CodeIgniter';
-	protected $name        = 'serve';
-	protected $description = 'Launchs the CodeIgniter PHP-Development Server.';
-	protected $usage       = 'serve';
-	protected $arguments   = [];
-	protected $options     = [
+	/**
+	 * Group
+	 *
+	 * @var string
+	 */
+	protected $group = 'CodeIgniter';
+
+	/**
+	 * Name
+	 *
+	 * @var string
+	 */
+	protected $name = 'serve';
+
+	/**
+	 * Description
+	 *
+	 * @var string
+	 */
+	protected $description = 'Launches the CodeIgniter PHP-Development Server.';
+
+	/**
+	 * Usage
+	 *
+	 * @var string
+	 */
+	protected $usage = 'serve';
+
+	/**
+	 * Arguments
+	 *
+	 * @var array
+	 */
+	protected $arguments = [];
+
+	/**
+	 * Options
+	 *
+	 * @var array
+	 */
+	protected $options = [
 		'-php'  => 'The PHP Binary [default: "PHP_BINARY"]',
 		'-host' => 'The HTTP Host [default: "localhost"]',
 		'-port' => 'The HTTP Host Port [default: "8080"]',
 	];
 
+	/**
+	 * Run the server
+	 *
+	 * @param array $params Parameters
+	 *
+	 * @return void
+	 */
 	public function run(array $params)
 	{
 		// Valid PHP Version?
 		if (phpversion() < $this->minPHPVersion)
 		{
-			die("You PHP version must be {$this->minPHPVersion} or higher to run CodeIgniter. Current version: " . phpversion());
+			die('Your PHP version must be ' . $this->minPHPVersion .
+				' or higher to run CodeIgniter. Current version: ' . phpversion());
 		}
 
-		// Collect any user-supplied options and apply them
-		$php  = CLI::getOption('php') ?? PHP_BINARY;
-		$host = CLI::getOption('host') ?? 'localhost';
-		$port = CLI::getOption('port') ?? '8080';
+		// Collect any user-supplied options and apply them.
+		$php  = escapeshellarg(CLI::getOption('php')) ?? PHP_BINARY;
+		$host = escapeshellarg(CLI::getOption('host')) ?? 'localhost';
+		$port = escapeshellarg(CLI::getOption('port')) ?? '8080';
 
-		// Get the party started
-		CLI::write("CodeIgniter development server started on http://{$host}:{$port}", 'green');
+		// Get the party started.
+		CLI::write('CodeIgniter development server started on http://' . $host . ':' . $port, 'green');
 		CLI::write('Press Control-C to stop.');
 
-		// Set the Front Controller path as Document Root
-		$docroot = FCPATH;
+		// Set the Front Controller path as Document Root.
+		$docroot = escapeshellarg(FCPATH);
 
-		// Mimic Apache's mod_rewrite functionality with user settings
-		$rewrite = __DIR__ . '/rewrite.php';
+		// Mimic Apache's mod_rewrite functionality with user settings.
+		$rewrite = escapeshellarg(__DIR__ . '/rewrite.php');
 
 		// Call PHP's built-in webserver, making sure to set our
 		// base path to the public folder, and to use the rewrite file
 		// to ensure our environment is set and it simulates basic mod_rewrite.
-		passthru("{$php} -S {$host}:{$port} -t {$docroot} {$rewrite}");
+		passthru($php . ' -S ' . $host . ':' . $port . ' -t ' . $docroot . ' ' . $rewrite);
 	}
 
 }