| tiêu đề | Yued Fe Lulu UI 3 OS Command Injection |
|---|
| Mô tả | A Remote Code Execution vulnerability (CWE-78) exists in the LuLu UI build and documentation synchronization script. The script invokes OS-level commands using child_process.exec() with dynamically constructed command strings. Because exec() spawns a shell and does not enforce argument separation, attackers who can influence the execution environment, Git repository state, or filesystem paths can inject and execute arbitrary OS commands.
The vulnerability is particularly dangerous in shared development environments, CI/CD runners, or systems where the repository or filesystem may be modified by untrusted users or automated processes. |
|---|
| Nguồn | ⚠️ https://github.com/lakshayyverma/CVE-Discovery/blob/main/lulu.md |
|---|
| Người dùng | lakshay12311 (UID 91298) |
|---|
| Đệ trình | 31/01/2026 12:04 (cách đây 3 các tháng) |
|---|
| Kiểm duyệt | 15/02/2026 16:54 (15 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 346153 [yued-fe LuLu UI đến 3.0.0 run.js child_process.exec nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|