{"vulnerability": "GHSA-V3F4-W7R7-V3HM", "sightings": [{"uuid": "4cb5f7dc-ed24-4db7-a091-a317e7f9c0bb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-V3F4-W7R7-V3HM", "type": "seen", "source": "https://gist.github.com/alon710/c55617deed0f6aa3ac7d480b01fa4253", "content": "# GHSA-V3F4-W7R7-V3HM: GHSA-v3f4-w7r7-v3hm: Remote Command Execution via Origin Validation Error in Uni-CLI Legacy HTTP Transport\n\n&gt; **CVSS Score:** 8.6\n&gt; **Published:** 2026-06-19\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-V3F4-W7R7-V3HM\n\n## Summary\nAn origin validation error and cross-site request forgery vulnerability in @zenalexa/unicli prior to version 0.225.2 allows cross-origin web applications to execute arbitrary tools on a user's local machine via the legacy stateless HTTP transport.\n\n## TL;DR\nA vulnerability in @zenalexa/unicli allows malicious websites to execute arbitrary local system commands on a developer's machine by sending unauthenticated cross-origin requests to the local daemon.\n\n## Technical Details\n\n- **CWE ID**: CWE-346, CWE-352\n- **Attack Vector**: Network / Cross-Origin HTTP Request\n- **CVSS v4.0 Score**: 8.6 (High)\n- **EPSS Score**: N/A\n- **Exploit Status**: None / Proof of Concept Not Weaponized\n- **Impact**: Arbitrary Tool / Command Execution on Host\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- @zenalexa/unicli\n- **@zenalexa/unicli**: &lt; 0.225.2 (Fixed in: `0.225.2`)\n\n## Mitigation\n\n- Upgrade @zenalexa/unicli to version 0.225.2 or higher.\n- Disable the legacy stateless HTTP transport mechanism.\n- Utilize the default stdio transport or migrate to the secured Streamable HTTP transport.\n- Configure local firewall rules to monitor and restrict access to loopback ports.\n\n**Remediation Steps:**\n1. Run `npm update @zenalexa/unicli` in the project directory to install the patched version.\n2. Verify the installed version is 0.225.2 or later by checking package.json or running `unicli --version`.\n3. Update application configurations to replace any instances of the legacy HTTP transport with stdio or Streamable HTTP.\n4. Restart the Uni-CLI daemon to apply the secure configuration.\n\n## References\n\n- [GitHub Advisory Database Entry](https://github.com/advisories/GHSA-v3f4-w7r7-v3hm)\n- [Upstream Security Advisory](https://github.com/olo-dot-io/Uni-CLI/security/advisories/GHSA-v3f4-w7r7-v3hm)\n- [Upstream Repository](https://github.com/olo-dot-io/Uni-CLI)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-V3F4-W7R7-V3HM) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-22T05:11:16.000000Z"}]}