@pensar/apex CVE-2026-36044
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
@pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in those values are interpreted by the host shell, resulting in arbitrary OS command execution with the privileges of the running process.
AnalysisAI
OS command injection in the @pensar/apex Node.js agent package (versions 0.0.58 and earlier) lets a remote, unauthenticated attacker run arbitrary operating-system commands by smuggling shell metacharacters into the smart_enumerate tool's url or extensions inputs. The vulnerable createSmartEnumerateTool() routine in src/core/agent/tools.ts builds a shell command string by concatenating those untrusted values and passes it to Node.js child_process.exec(), which spawns a shell that interprets the injected characters, executing them with the privileges of the agent process. CVSS is 8.8 (network vector, low complexity, no privileges, but user/agent interaction required); the source data shows no CISA KEV listing and no EPSS score, and a referenced researcher gist may contain proof-of-concept detail though exploit code is not confirmed in the structured input.
Technical ContextAI
The flaw is a classic OS command injection (CWE-78, inferred since the CVE lists CWE as N/A) rooted in unsafe use of Node.js's child_process.exec(). Unlike execFile() or spawn() with an argument array, exec() runs its input through /bin/sh (or cmd.exe on Windows), so any shell metacharacter - ;, |, &&, $(), backticks - in the command string is interpreted rather than treated as literal data. Here, the smart_enumerate tool concatenates caller-supplied values from the extensions array and the url parameter directly into that command string with no escaping, quoting, or allow-list validation, making the shell parse attacker content as commands. @pensar/apex appears to be an AI/agent-style enumeration tool distributed via npm; no CPE strings were provided in the intelligence, so exact platform identifiers cannot be derived beyond the npm package coordinate @pensar/apex.
Affected ProductsAI
The affected product is the @pensar/apex npm package at versions 0.0.58 and earlier (<= 0.0.58), with the defect located in createSmartEnumerateTool() within src/core/agent/tools.ts. No CPE string was provided in the intelligence to pin an exact platform identifier. The package and its release history can be reviewed on npm at https://www.npmjs.com/package/@pensar/apex, and additional technical detail is referenced in a researcher gist at https://gist.github.com/NucleiAv/47e87da08b90ef464fd9b35affe578fb; no dedicated vendor security advisory URL was included in the source data.
RemediationAI
No vendor-released patch version was identified in the available data, so the primary action is to check https://www.npmjs.com/package/@pensar/apex for a release later than 0.0.58 and upgrade to it once published, since 0.0.58 and all earlier versions are vulnerable; do not assume a specific fixed version, as none is confirmed in the input. Until a fixed release is confirmed, do not pass untrusted or externally sourced values into the smart_enumerate tool's url or extensions parameters, and avoid running the agent against attacker-controllable input. The durable code-level fix (for maintainers) is to replace child_process.exec() with child_process.execFile() or spawn() using an argument array so values are never parsed by a shell; as a compensating control for operators, run the agent under a least-privilege account inside a sandbox or container with restricted filesystem and outbound network egress, accepting the trade-off that egress restrictions may break legitimate enumeration functionality that relies on outbound requests. Technical context for these steps is documented in the referenced gist at https://gist.github.com/NucleiAv/47e87da08b90ef464fd9b35affe578fb.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today