CVE-2026-48732 in warpinfo

Summary

by MITRE • 06/24/2026

Warp is an agentic development environment. From 0.2023.03.21.08.02.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection issue in the legacy SSH background command path. Warp used the remote working directory reported by the session when building helper commands for SSH-backed metadata collection. A remote host, repository, or directory name controlled by an attacker could cause that helper command to execute additional shell syntax on the remote host as the victim's authenticated SSH account. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsible

GitHub M

Reservation

05/22/2026

Disclosure

06/24/2026

Moderation

accepted

Entry

VDB-373491

CPE

ready

CWE

CWE-78 (confirmed)

CVSS

8.8 (CNA)

EPSS

0.00000

KEV

Activities

very low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-48732
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-48732
CVE Details	https://www.cvedetails.com/cve/CVE-2026-48732/

◂ Previous Overview Next ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!