Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, &&, ||, |, and command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g., git log malicious_command), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, resulting in Remote Code Execution without any user interaction.
AnalysisAI
Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding literal newline characters within command payloads, forcing the system to execute arbitrary OS commands without user interaction. The vulnerability exploits ineffective string-based parsing that fails to sanitize newline separators, enabling attackers to chain whitelisted commands (e.g., git log) with malicious code that PowerShell interprets as sequential commands. No CVSS score, EPSS data, or KEV confirmation available; exploitation status and real-world impact remain unconfirmed.
Technical ContextAI
DSAI-Cline implements a command auto-approval mechanism intended to safely execute whitelisted OS commands through PowerShell. The system performs string-based validation to block dangerous shell operators (semicolons, logical operators, pipes, and command substitution syntax), but this filtering is incomplete. The root cause is insufficient input sanitization that does not account for literal newline characters (\n or \r\n) as command separators. When PowerShell parses the injected payload, it treats newlines as command delimiters rather than data characters, causing the interpreter to execute both the whitelisted portion and the injected malicious command sequentially. This is a classic case of inadequate allowlist implementation (CWE category: Improper Input Validation combined with OS Command Injection) where the security boundary between safe and unsafe input is bypassed through an unanticipated encoding or formatting mechanism.
RemediationAI
Patch availability and exact fix versions are not confirmed from available data. Immediate remediation requires contacting the DSAI-Cline vendor or project maintainers for a patched release that properly sanitizes newline characters and other whitespace in command input validation. Affected organizations should implement input validation that treats any command-terminating character (including newlines, carriage returns, and other whitespace) as invalid within whitelisted command parameters, or adopt a more robust allowlist mechanism such as fixed argument parsing rather than string pattern matching. Until a patch is available, disable the command auto-approval feature entirely and require explicit user confirmation for all OS command execution. Organizations should monitor the GitHub repositories listed above and the CVE databases for vendor security advisories.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17425
GHSA-w4rv-fppc-w84h