Skip to main content

CVE-2026-30305

| EUVDEUVD-2026-17186 CRITICAL
Code Injection (CWE-94)
2026-03-30 mitre GHSA-p2qg-jv6h-hrr8
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 19:45 euvd
EUVD-2026-17186
Analysis Generated
Mar 30, 2026 - 19:45 vuln.today
CVE Published
Mar 30, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

Syntx's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails to account for standard Shell command substitution syntax (specifically $(...)and backticks ...). An attacker can construct a command such as git log --grep="$(malicious_command)", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction.

AnalysisAI

Remote code execution in Syntx's command auto-approval module allows unauthenticated attackers to bypass whitelist security via shell command substitution syntax in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(…) and backtick command substitution patterns, enabling an attacker to inject malicious commands within seemingly benign git operations (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS score or KEV status data available; no public exploit code confirmed at time of analysis.

Technical ContextAI

Syntx implements a command auto-approval security module that uses regular expressions to whitelist safe command operations before execution. The vulnerability stems from incomplete shell metacharacter detection in the parsing logic. The system fails to recognize and block command substitution syntax-both the modern $(...) syntax and legacy backtick (…) syntax-which are evaluated by the shell before the whitelisted command itself executes. This is a classic OS command injection (CWE-78) flaw where user-controlled input is passed to a shell without proper sanitization. The root cause is the reliance on pattern matching rather than proper command tokenization or shell escaping; an attacker can nest malicious commands within quoted arguments that pass regex validation but are later expanded by the shell interpreter.

RemediationAI

Immediate remediation requires replacing the fragile regular expression-based command whitelist parser with a proper shell-safe command tokenization and validation mechanism. Vendors should implement one of the following: (1) use a shell-agnostic command parsing library that safely tokenizes arguments without relying on shell interpretation; (2) properly escape all user-supplied arguments using shell-safe escaping functions (e.g., shlex.quote in Python) before passing to the shell; or (3) disable automatic command approval for any command containing special shell characters ($(, `, |, &, ;, etc.) and require explicit user review. Syntx should release a patched version addressing these parsing gaps. Organizations currently using Syntx's auto-approval feature should disable automatic approval pending a patch, or implement additional input validation to reject commands containing shell metacharacters. Consult https://syntx.dev/ and the referenced GitHub issue for vendor advisory and patch availability.

Share

CVE-2026-30305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy