Skip to main content

CVE-2026-30306

| EUVDEUVD-2026-17203 CRITICAL
Code Injection (CWE-94)
2026-03-30 mitre GHSA-3m9f-mrx3-g4mq
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 20:30 euvd
EUVD-2026-17203
Analysis Generated
Mar 30, 2026 - 20:30 vuln.today
CVE Published
Mar 30, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

In its design for automatic terminal command execution, SakaDev offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.

AnalysisAI

SakaDev's automatic terminal command execution feature can be bypassed via prompt injection attacks, allowing unauthenticated remote attackers to execute arbitrary commands without user approval by wrapping malicious commands in templates that mislead the underlying language model into misclassifying destructive operations as safe. The vulnerability exploits a design flaw in the model-based safety classification mechanism rather than a traditional code defect, affecting the extension across all versions where the 'Execute safe commands' option is enabled.

Technical ContextAI

SakaDev is a Visual Studio Code extension that integrates language model-based command execution automation. The extension implements a two-tier execution model: (1) automatic execution of commands the model deems 'safe', and (2) user-approval-gated execution for potentially destructive commands. The vulnerability stems from the reliance on prompt-injection-susceptible language model classification without secondary validation layers. This represents a class of AI/ML system vulnerabilities where adversarial prompts can subvert intended behavioral guardrails. The root cause lies in inadequate input sanitization and over-reliance on model judgment for security-critical decisions, rather than explicit command whitelisting or static analysis. No formal CWE mapping was provided, but the mechanism aligns with CWE-94 (Improper Control of Generation of Code), CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), and CWE-20 (Improper Input Validation).

RemediationAI

Immediate remediation requires SakaDev maintainers to implement input sanitization and command classification hardening: replace model-based safety judgment with explicit command whitelisting (curated list of genuinely non-destructive commands such as echo, cd, pwd), implement static syntax analysis to reject commands containing shell operators (pipes, redirects, semicolons, backticks, variable expansion), and require user approval for any command execution regardless of model classification until a formal security review is completed. Users should immediately disable the 'Execute safe commands' option and instead use the manual approval flow for all terminal commands, or uninstall the extension if command automation is not critical. The proof-of-concept and vulnerability details are documented at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/4 and should be reviewed by the maintainers to understand the specific injection patterns being exploited. Vendor-released patch status is not confirmed in the provided data; users should monitor the Visual Studio Code Marketplace for extension updates and the GitHub repository for security advisories.

Share

CVE-2026-30306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy