Skip to main content

context-sync CVE-2026-7062

MEDIUM
OS Command Injection (CWE-78)
2026-04-26 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 26, 2026 - 23:22 NVD
HIGH MEDIUM
CVSS changed
Apr 26, 2026 - 23:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 26, 2026 - 22:45 vuln.today
Analysis Generated
Apr 26, 2026 - 22:30 vuln.today
CVE Published
Apr 26, 2026 - 22:15 nvd
MEDIUM 5.5

DescriptionCVE.org

A security vulnerability has been detected in Intina47 context-sync up to 2.0.0. This affects an unknown part of the file src/git-integration.ts of the component Git Integration. Such manipulation leads to os command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

AnalysisAI

OS command injection in Intina47 context-sync through version 2.0.0 allows remote unauthenticated attackers to execute arbitrary system commands via the Git integration module (src/git-integration.ts). CVSS 7.3 with network attack vector and no authentication required indicates significant exposure. Publicly available exploit code exists (wing3e/public_exp repository), though no CISA KEV listing suggests exploitation remains limited to proof-of-concept demonstrations rather than widespread campaigns. EPSS data unavailable, but the combination of network exposure, authentication bypass, and public exploit warrants immediate remediation priority for organizations using this synchronization tool.

Technical ContextAI

The vulnerability stems from CWE-78 (OS Command Injection) in the git-integration.ts file of context-sync, a tool for synchronizing development contexts. Command injection flaws occur when applications construct shell commands using unsanitized user input, allowing attackers to inject shell metacharacters (semicolons, pipes, backticks) that execute arbitrary commands. In this case, the Git integration component likely accepts repository URLs, branch names, or commit references from network requests without proper validation or escaping before passing them to system shell invocations. The affected product context-sync (CPE: cpe:2.3:a:intina47:context-sync) versions through 2.0.0 indicates all releases up to and including 2.0.0 contain this flaw. Git-related command injection typically involves parameters like clone URLs, remote names, or paths being incorporated into git commands executed via Node.js child_process methods without shell escaping.

RemediationAI

Upgrade to context-sync version 2.0.1 or later if available, checking the GitHub repository (https://github.com/Intina47/context-sync/) for patched releases addressing issue #31. At time of analysis, the CVSS vector RL:X (remediation level unknown) indicates patch status not confirmed through official channels. If no patched version exists, implement immediate compensating controls: disable the Git integration feature entirely if not operationally required; restrict network access to the context-sync service using firewall rules or network segmentation allowing only trusted developer IP ranges; deploy context-sync behind authentication proxy requiring token-based access; containerize the application with read-only filesystem and minimal privileges to limit command injection impact; implement input validation middleware to reject Git parameters containing shell metacharacters (semicolons, pipes, backticks, dollar signs, redirects) before reaching git-integration.ts. Monitor GitHub issue #31 (https://github.com/Intina47/context-sync/issues/31) and vendor repository for official security updates. Trade-offs: disabling Git integration breaks synchronization functionality; input filtering may reject legitimate edge cases in branch names; containerization adds deployment complexity.

Share

CVE-2026-7062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy