Submit #803594: aandrew-me tgpt v2.11.1 Command Injectioninfo

Titleaandrew-me tgpt v2.11.1 Command Injection
Descriptiontgpt v2.11.1 contains a local command injection vulnerability in its update mechanism. When a user runs the -u / --update option on Linux or macOS, the application calls helper.Update() and constructs a shell command using bash -c. The value of executablePath, which is derived from os.Executable(), is concatenated directly into that command string without escaping or safe argument separation. Because the executable path is inserted into a shell-interpreted string, any shell metacharacters present in the path, such as ; or #, are processed by the shell as command syntax rather than treated as literal data. This allows arbitrary command execution in the context of the current user if the binary is executed from a crafted path and the update feature is triggered. The issue affects the local client only. It is not a remote code execution vulnerability against a server, and exploitation requires user interaction. The vulnerable code path is reachable on Linux and macOS, while the update routine is explicitly disabled on Windows in the current implementation.
Source⚠️ https://drive.google.com/file/d/19wRsehbhotZXgE1TjenFtS3w-zRtp-PW/view?usp=sharing
User
 hai271120 (UID 96497)
Submission04/13/2026 16:27 (3 months ago)
Moderation05/09/2026 08:07 (26 days later)
StatusAccepted
VulDB entry362418 [aandrew-me tgpt up to 2.11.1 on Linux/macOS Update helper.go helper.Update command injection]
Points20

Might our Artificial Intelligence support you?

Check our Alexa App!