diff --git a/infer/src/base/IssueType.ml b/infer/src/base/IssueType.ml
index 4d18ac827..f193a1907 100644
--- a/infer/src/base/IssueType.ml
+++ b/infer/src/base/IssueType.ml
@@ -351,8 +351,6 @@ let untrusted_file_risk = from_string "UNTRUSTED_FILE_RISK"
 
 let untrusted_intent_creation = from_string "UNTRUSTED_INTENT_CREATION"
 
-let untrusted_url = from_string "UNTRUSTED_URL"
-
 let untrusted_url_risk = from_string "UNTRUSTED_URL_RISK"
 
 let untrusted_variable_length_array = from_string "UNTRUSTED_VARIABLE_LENGTH_ARRAY"
diff --git a/infer/src/base/IssueType.mli b/infer/src/base/IssueType.mli
index 736332333..6efbb3134 100644
--- a/infer/src/base/IssueType.mli
+++ b/infer/src/base/IssueType.mli
@@ -262,8 +262,6 @@ val untrusted_file_risk : t
 
 val untrusted_intent_creation : t
 
-val untrusted_url : t
-
 val untrusted_url_risk : t
 
 val untrusted_variable_length_array : t
diff --git a/infer/src/quandary/ClangTrace.ml b/infer/src/quandary/ClangTrace.ml
index bd5ae06ff..9bd8cb682 100644
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@@ -449,43 +449,24 @@ include Trace.Make (struct
     | _ when List.mem sanitizers Sanitizer.All ~equal:Sanitizer.equal ->
         (* the All sanitizer clears any form of taint; don't report *)
         None
-    | UserControlledEndpoint (_, typ), CreateFile ->
-        Option.some_if
-          (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
-          IssueType.untrusted_file
-    | Endpoint (_, typ), CreateFile ->
+    | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), CreateFile ->
         Option.some_if
           (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
           IssueType.untrusted_file_risk
-    | UserControlledEndpoint (_, typ), URL ->
-        Option.some_if
-          (is_injection_possible ~typ Sanitizer.EscapeURL sanitizers)
-          IssueType.untrusted_url
-    | Endpoint (_, typ), URL ->
+    | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), URL ->
         Option.some_if
           (is_injection_possible ~typ Sanitizer.EscapeURL sanitizers)
           IssueType.untrusted_url_risk
     | (CommandLineFlag _ | EnvironmentVariable | ReadFile), URL ->
         None
-    | (UserControlledEndpoint (_, typ) | CommandLineFlag (_, typ)), SQL ->
-        if is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers then
-          Some IssueType.sql_injection
-        else
-          (* no injection risk, but still user-controlled *)
-          Some IssueType.user_controlled_sql_risk
-    | Endpoint (_, typ), SQL ->
+    | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), SQL ->
         if is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers then
           (* SQL injection if the caller of the endpoint doesn't sanitize on its end *)
           Some IssueType.sql_injection_risk
         else
           (* no injection risk, but still user-controlled *)
           Some IssueType.user_controlled_sql_risk
-    | (UserControlledEndpoint (_, typ) | CommandLineFlag (_, typ)), ShellExec ->
-        (* we know the user controls the endpoint, so it's code injection without a sanitizer *)
-        Option.some_if
-          (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
-          IssueType.shell_injection
-    | Endpoint (_, typ), ShellExec ->
+    | (Endpoint (_, typ) | UserControlledEndpoint (_, typ)), ShellExec ->
         (* code injection if the caller of the endpoint doesn't sanitize on its end *)
         Option.some_if
           (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
@@ -500,15 +481,25 @@ include Trace.Make (struct
         (* untrusted flag, environment var, or file data flowing to buffer *)
         Some IssueType.quandary_taint_error
     | (EnvironmentVariable | ReadFile | Other), ShellExec ->
-        (* untrusted flag, environment var, or file data flowing to shell *)
+        (* environment var, or file data flowing to shell *)
         Option.some_if
           (is_injection_possible Sanitizer.EscapeShell sanitizers)
           IssueType.shell_injection
+    | CommandLineFlag (_, typ), ShellExec ->
+        (* untrusted flag, flowing to shell *)
+        Option.some_if
+          (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
+          IssueType.shell_injection
     | (EnvironmentVariable | ReadFile | Other), SQL ->
         (* untrusted flag, environment var, or file data flowing to SQL *)
         Option.some_if
           (is_injection_possible Sanitizer.EscapeSQL sanitizers)
           IssueType.sql_injection
+    | CommandLineFlag (_, typ), SQL ->
+        (* untrusted flag, flowing to shell *)
+        Option.some_if
+          (is_injection_possible ~typ Sanitizer.EscapeSQL sanitizers)
+          IssueType.sql_injection
     | Other, URL ->
         (* untrusted flag, environment var, or file data flowing to URL *)
         Option.some_if
diff --git a/infer/tests/codetoanalyze/cpp/quandary/issues.exp b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
index ca28a69ac..5fbf3669e 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
@@ -57,8 +57,8 @@ codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_service1_endpoint_
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_service1_endpoint_sql_sanitized_bad, 2, USER_CONTROLLED_SQL_RISK, ERROR, [Return from endpoints::Service1_service1_endpoint_sql_sanitized_bad,Call to __infer_sql_sink with tainted index 0]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_service1_endpoint_struct_string_field_bad, 1, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_service1_endpoint_struct_string_field_bad,Call to system with tainted index 0]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_unsanitized_sql_bad, 2, SQL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_unsanitized_sql_bad,Call to __infer_sql_sink with tainted index 0]
-codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_shell_bad, 2, SHELL_INJECTION, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_shell_bad,Call to system with tainted index 0]
-codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_sql_bad, 2, SQL_INJECTION, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_sql_bad,Call to __infer_sql_sink with tainted index 0]
+codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_shell_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_shell_bad,Call to system with tainted index 0]
+codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service1_user_controlled_endpoint_to_sql_bad, 2, SQL_INJECTION_RISK, ERROR, [Return from endpoints::Service1_user_controlled_endpoint_to_sql_bad,Call to __infer_sql_sink with tainted index 0]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service2_service2_endpoint_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service2_service2_endpoint_bad,Call to system with tainted index 0]
 codetoanalyze/cpp/quandary/endpoints.cpp, endpoints::Service3_service3_endpoint_bad, 2, SHELL_INJECTION_RISK, ERROR, [Return from endpoints::Service3_service3_endpoint_bad,Call to system with tainted index 0]
 codetoanalyze/cpp/quandary/execs.cpp, execs::callExecBad, 6, SHELL_INJECTION, ERROR, [Return from getenv,Call to execl with tainted index 1]