Skip to main content

EUVDEUVD-2026-17205

| CVE-2026-30313 CRITICAL
Code Injection (CWE-94)
2026-03-30 mitre GHSA-rfcm-98h7-2567
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 21:00 euvd
EUVD-2026-17205
Analysis Generated
Mar 30, 2026 - 21:00 vuln.today
CVE Published
Mar 30, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, &&, ||, |, and command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g., git log malicious_command), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, resulting in Remote Code Execution without any user interaction.

AnalysisAI

Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding newline characters in command payloads, forcing automatic approval and sequential execution of arbitrary OS commands via PowerShell without user interaction.

Technical ContextAI

DSAI-Cline implements a command filtering mechanism that attempts to prevent OS command injection by detecting dangerous shell operators (semicolons, logical operators &&/||, pipes, and command substitution patterns). However, the validation logic uses string-based parsing that fails to account for raw newline characters (\n) as command separators. In PowerShell and many Unix shells, newline characters function as command terminators and separators, equivalent to semicolons. An attacker can craft a payload such as 'git log\nmalicious_command' where the newline is treated as a valid separator by the shell interpreter while remaining undetected by the whitelist parser. This allows the first (whitelisted) command to execute normally, followed immediately by arbitrary malicious code. The root cause is insufficient input validation that does not normalize or filter all shell metacharacters and separators before approval logic is applied.

RemediationAI

Immediate action required: apply a patch that implements comprehensive input validation by normalizing and filtering all shell metacharacters including newline (\n, \r), carriage return, and other whitespace control characters before command approval logic is executed. The whitelist should be refactored to use parameterized command construction or shell-aware parsing libraries rather than string-based pattern matching. Contact DSAI-Cline maintainers via the GitHub repositories referenced (necboy/cline-DSAI and Secsys-FDU/LLM-Tool-Calling-CVEs) for patch availability and timeline. Until a patch is released, disable auto-approval functionality entirely and require explicit user confirmation for all command execution, or restrict DSAI-Cline to a sandboxed environment with limited OS command privileges.

Share

EUVD-2026-17205 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy