Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security vulnerability has been detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. Affected by this issue is the function ExecTool.execute of the file /src/tools/exec.ts. Such manipulation leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI)
OS command injection in FoundDream miniclawd allows remote unauthenticated attackers to execute arbitrary system commands via the ExecTool.execute function in /src/tools/exec.ts. All versions up to commit 2d65665046e2222eeea76cafc8570ed546a8c125 are affected, and because the project uses no versioning scheme, the full exposure window cannot be bounded by a release number. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | No special conditions are required for exploitation: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N confirms remote, unauthenticated exploitation of the miniclawd service with no complexity barrier and no required user interaction. … |
| Risk Assessment | The CVSS 4.0 base score of 5.5 (Medium) reflects limited but confirmed impact on confidentiality, integrity, and availability (all rated Low), with no impact on subsequent (downstream) systems (SC:N/SI:N/SA:N). … |
| Exploit Scenario | An unauthenticated remote attacker sends a crafted HTTP request (or equivalent network payload) to the miniclawd service containing shell metacharacters (semicolons, backticks, or pipe operators) in input fields processed by ExecTool.execute in exec.ts. The unsanitized input is passed directly to a system shell call, so the injected commands execute with the privileges of the miniclawd process. … |
| Remediation | No vendor-released patch has been identified at the time of analysis; the project maintainer was notified via a GitHub issue (https://github.com/FoundDream/miniclawd/issues/1) but has not responded. … |
External POC / Exploit Code
EUVD-2026-31668
GHSA-5pqf-2j34-6h89