Soumettre #813768: FoundDream miniclawd 0 Command Injectioninformation

TitreFoundDream miniclawd 0 Command Injection
DescriptionA critical command injection vulnerability exists in the which() method of SkillsLoader. The method directly concatenates unsanitized input from skill metadata requires.bins into a shell command executed via execSync(). The bins value is loaded from untrusted external SKILL.md files with no validation, sanitization, or escaping. An attacker who can create or modify a skill file can execute arbitrary system commands with the process's privileges. More details: https://github.com/FoundDream/miniclawd/issues/2
La source⚠️ https://github.com/FoundDream/miniclawd/issues/2
Utilisateur
 ybdesire (UID 83239)
Soumission27/04/2026 04:33 (il y a 1 mois)
Modérer24/05/2026 09:54 (27 days later)
StatutAccepté
Entrée VulDB365434 [FoundDream miniclawd SkillsLoader skills-loader.ts which requires.bins élévation de privilèges]
Points20

PrécédentAperçuSuivant

Might our Artificial Intelligence support you?

Check our Alexa App!