Skip to main content

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

162 CVEs Avg CVSS 7.8 MITRE
34
CRITICAL
90
HIGH
36
MEDIUM
2
LOW
37
POC
1
KEV

Monthly

CVE-2026-40501 HIGH POC PATCH This Week

Remote code execution in Cherry Studio 1.2.2 through 1.9.12 lets attackers who control search-provider content run arbitrary Node.js code because the SearchService loads that content into an Electron BrowserWindow with nodeIntegration enabled and contextIsolation disabled. An attacker controlling a search engine provider, search result page, or provider settings page can execute JavaScript with full Node.js privileges under the OS account running the app. Publicly available exploit code exists (VulnCheck/Mundi-Xu gist) and a vendor patch (commit 1518530) is available; the flaw is not currently listed in CISA KEV.

Node.js RCE Cherry Studio
NVD GitHub
CVSS 4.0
8.6
CVE-2026-24226 MEDIUM This Month

NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause improper control of code generation. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.

Nvidia RCE Information Disclosure Tensorrt Llm
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-57102 HIGH PATCH This Week

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted control sphere (CWE-829) that circumvents a built-in protection, yielding high confidentiality, integrity, and availability impact once a victim opens or interacts with attacker-supplied content. Rated CVSS 8.8 (AV:N/AC:L/PR:N/UI:R), it requires user interaction but no authentication, and Microsoft has released a fix via MSRC. There is no public exploit identified at time of analysis and it is not on the CISA KEV list.

Authentication Bypass Visual Studio Code
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2026-15519 LOW POC Monitor

Inclusion of functionality from an untrusted control sphere in usestrix strix (up to v1.0.2) allows remote attackers to manipulate the system_prompt.jinja template within the PyPI Handler component, achieving limited confidentiality, integrity, and availability impact. The CVSS 4.0 score of 2.3 reflects high attack complexity and required passive user interaction, placing real-world exploitation difficulty considerably higher than the network-facing attack vector alone implies. A public proof-of-concept is available on GitHub; no patch has been issued and the vendor has not responded to disclosure.

Information Disclosure Strix
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-59831 MEDIUM This Month

Command execution via URI injection in GitHub CLI's `gh codespace jupyter` subcommand (versions 2.10.0-2.95.0) allows an attacker who controls a Codespace to redirect a connecting developer's VS Code instance into executing arbitrary protocol handler actions. The CLI passes a JupyterLab URL sourced from a process inside the Codespace directly to the OS without validating that the URL is a loopback HTTP or HTTPS address, enabling substitution with a crafted `vscode://` or `vscode-insiders://` URI. No public exploit has been identified at time of analysis and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog, but the scope-change characteristic (S:C) means local VS Code extension execution is a realistic downstream impact.

Information Disclosure Cli
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-49986 PyPI HIGH POC PATCH GHSA This Week

Local arbitrary code execution in the Cortex MCP server (neuro-cortex-memory ≥ 3.17.0) lets an attacker run Python with the victim's user privileges when the open_visualization tool trusts the Claude Code-supplied CLAUDE_PROJECT_DIR as a Cortex developer checkout. Any project a victim opens is treated as a candidate source root, and validation only checks for two trivial marker files (mcp_server/ and ui/unified-viz.html) before executing an attacker-supplied visualize_bootstrap.py via subprocess. A working PoC is included in the advisory; there is no evidence of active exploitation, and the issue is fixed in v3.17.1.

Python RCE
NVD GitHub
CVE-2026-13751 CRITICAL PATCH Act Now

Server-side request forgery in Snowflake CLI versions 3.6.0 through 3.18.x lets an attacker coerce a victim's CLI session into fetching attacker-chosen remote URLs and then retrieving and executing remote SQL in that session's context. The flaw lives in the SQL statement reader's !source/!load directives, which resolve remote references at runtime without restricting the request destination, so a victim who processes attacker-supplied SQL can be made to reach internal/non-public network locations. Despite a 9.6 CVSS, real-world urgency is tempered by required user interaction and a low EPSS (0.09%); there is no public exploit identified at time of analysis and it is not in CISA KEV.

SSRF Snowflake Cli
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-56447 CRITICAL PATCH Act Now

Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to load an attacker-controlled INI file, which is parsed and passed to rdkafka with options such as plugin.library.paths to load an arbitrary shared library. The flaw (CWE-829, inclusion of functionality from untrusted control sphere) yields code execution as the MISP process user; no public exploit identified at time of analysis, but a vendor patch is available.

RCE Misp
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-44691 npm HIGH PATCH GHSA This Week

Arbitrary command execution in Eclipse Theia versions prior to 1.69.0 allows a malicious repository to run host commands with the user's privileges when its workspace is opened, because custom task definitions in .theia/tasks.json or .vscode/tasks.json bypass the workspace trust gate. When the victim has also enabled AI chat with tool confirmation disabled via a workspace .theia/settings.json, the chain triggers automatically on the first chat message. No public exploit identified at time of analysis, but the attack pattern mirrors well-known VS Code workspace-trust bypass classes.

RCE Eclipse Theia
NVD VulDB
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-46580 npm HIGH PATCH GHSA This Week

Indirect prompt injection in Eclipse Theia before 1.71.0 allows a malicious repository to automatically override the AI agent's system prompts when a victim opens the workspace, by placing files under .prompts/*.prompttemplate that Theia auto-loads. Combined with built-in AI chat features, the hijacked prompt can chain to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Code Injection Eclipse Theia
NVD VulDB
CVSS 4.0
8.4
EPSS
0.3%
CVSS 8.6
HIGH POC PATCH This Week

Remote code execution in Cherry Studio 1.2.2 through 1.9.12 lets attackers who control search-provider content run arbitrary Node.js code because the SearchService loads that content into an Electron BrowserWindow with nodeIntegration enabled and contextIsolation disabled. An attacker controlling a search engine provider, search result page, or provider settings page can execute JavaScript with full Node.js privileges under the OS account running the app. Publicly available exploit code exists (VulnCheck/Mundi-Xu gist) and a vendor patch (commit 1518530) is available; the flaw is not currently listed in CISA KEV.

Node.js RCE Cherry Studio
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause improper control of code generation. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.

Nvidia RCE Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted control sphere (CWE-829) that circumvents a built-in protection, yielding high confidentiality, integrity, and availability impact once a victim opens or interacts with attacker-supplied content. Rated CVSS 8.8 (AV:N/AC:L/PR:N/UI:R), it requires user interaction but no authentication, and Microsoft has released a fix via MSRC. There is no public exploit identified at time of analysis and it is not on the CISA KEV list.

Authentication Bypass Visual Studio Code
NVD
EPSS 0% CVSS 1.3
LOW POC Monitor

Inclusion of functionality from an untrusted control sphere in usestrix strix (up to v1.0.2) allows remote attackers to manipulate the system_prompt.jinja template within the PyPI Handler component, achieving limited confidentiality, integrity, and availability impact. The CVSS 4.0 score of 2.3 reflects high attack complexity and required passive user interaction, placing real-world exploitation difficulty considerably higher than the network-facing attack vector alone implies. A public proof-of-concept is available on GitHub; no patch has been issued and the vendor has not responded to disclosure.

Information Disclosure Strix
NVD VulDB GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

Command execution via URI injection in GitHub CLI's `gh codespace jupyter` subcommand (versions 2.10.0-2.95.0) allows an attacker who controls a Codespace to redirect a connecting developer's VS Code instance into executing arbitrary protocol handler actions. The CLI passes a JupyterLab URL sourced from a process inside the Codespace directly to the OS without validating that the URL is a loopback HTTP or HTTPS address, enabling substitution with a crafted `vscode://` or `vscode-insiders://` URI. No public exploit has been identified at time of analysis and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog, but the scope-change characteristic (S:C) means local VS Code extension execution is a realistic downstream impact.

Information Disclosure Cli
NVD GitHub VulDB
HIGH POC PATCH This Week

Local arbitrary code execution in the Cortex MCP server (neuro-cortex-memory ≥ 3.17.0) lets an attacker run Python with the victim's user privileges when the open_visualization tool trusts the Claude Code-supplied CLAUDE_PROJECT_DIR as a Cortex developer checkout. Any project a victim opens is treated as a candidate source root, and validation only checks for two trivial marker files (mcp_server/ and ui/unified-viz.html) before executing an attacker-supplied visualize_bootstrap.py via subprocess. A working PoC is included in the advisory; there is no evidence of active exploitation, and the issue is fixed in v3.17.1.

Python RCE
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Server-side request forgery in Snowflake CLI versions 3.6.0 through 3.18.x lets an attacker coerce a victim's CLI session into fetching attacker-chosen remote URLs and then retrieving and executing remote SQL in that session's context. The flaw lives in the SQL statement reader's !source/!load directives, which resolve remote references at runtime without restricting the request destination, so a victim who processes attacker-supplied SQL can be made to reach internal/non-public network locations. Despite a 9.6 CVSS, real-world urgency is tempered by required user interaction and a low EPSS (0.09%); there is no public exploit identified at time of analysis and it is not in CISA KEV.

SSRF Snowflake Cli
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to load an attacker-controlled INI file, which is parsed and passed to rdkafka with options such as plugin.library.paths to load an arbitrary shared library. The flaw (CWE-829, inclusion of functionality from untrusted control sphere) yields code execution as the MISP process user; no public exploit identified at time of analysis, but a vendor patch is available.

RCE Misp
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Arbitrary command execution in Eclipse Theia versions prior to 1.69.0 allows a malicious repository to run host commands with the user's privileges when its workspace is opened, because custom task definitions in .theia/tasks.json or .vscode/tasks.json bypass the workspace trust gate. When the victim has also enabled AI chat with tool confirmation disabled via a workspace .theia/settings.json, the chain triggers automatically on the first chat message. No public exploit identified at time of analysis, but the attack pattern mirrors well-known VS Code workspace-trust bypass classes.

RCE Eclipse Theia
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Indirect prompt injection in Eclipse Theia before 1.71.0 allows a malicious repository to automatically override the AI agent's system prompts when a victim opens the workspace, by placing files under .prompts/*.prompttemplate that Theia auto-loads. Combined with built-in AI chat features, the hijacked prompt can chain to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Code Injection Eclipse Theia
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy