What is the CVSS score of CVE-2026-36044?

CVE-2026-36044 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of @pensar/apex are affected by CVE-2026-36044?

The @pensar/apex Node.js agent package (versions 0.0.58 and earlier) contains an unauthenticated OS command injection vulnerability in the smart_enumerate tool that allows remote attackers to execute…

@pensar/apex CVE-2026-36044

Q: How to fix or mitigate CVE-2026-36044?

Within 24 hours: Conduct a complete inventory of systems and applications using @pensar/apex version 0.0.58 or earlier, and identify which are exposed to untrusted network input. Within 7 days: Determine remediation approach-either upgrade to a patched version of @pensar/apex (if released), migrate to an alternative agent package, or restrict network access to agent endpoints through segmentation and firewall rules. Within 30 days: Complete the remediation (upgrade, migration, or isolation) across all production and development environments, validate that the vulnerable smart_enumerate tool is disabled or properly sandboxed, and document the remediation decision and timeline.

HIGH

2026-05-27 cve@mitre.org

Command Injection Node.js

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 19:58 vuln.today

DescriptionNVD

@pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in those values are interpreted by the host shell, resulting in arbitrary OS command execution with the privileges of the running process.

AnalysisAI

OS command injection in the @pensar/apex Node.js agent package (versions 0.0.58 and earlier) lets a remote, unauthenticated attacker run arbitrary operating-system commands by smuggling shell metacharacters into the smart_enumerate tool's url or extensions inputs. The vulnerable createSmartEnumerateTool() routine in src/core/agent/tools.ts builds a shell command string by concatenating those untrusted values and passes it to Node.js child_process.exec(), which spawns a shell that interprets the injected characters, executing them with the privileges of the agent process. …

RemediationAI

Within 24 hours: Conduct a complete inventory of systems and applications using @pensar/apex version 0.0.58 or earlier, and identify which are exposed to untrusted network input. Within 7 days: Determine remediation approach-either upgrade to a patched version of @pensar/apex (if released), migrate to an alternative agent package, or restrict network access to agent endpoints through segmentation and firewall rules. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-36044 vulnerability details – vuln.today

Back

@pensar/apex CVE-2026-36044

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code