Skip to main content

Apple EUVDEUVD-2026-20613

| CVE-2026-39862 MEDIUM
OS Command Injection (CWE-78)
2026-04-08 security-advisories@github.com
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.5.1
EUVD ID Assigned
Apr 08, 2026 - 20:23 euvd
EUVD-2026-20613
Analysis Generated
Apr 08, 2026 - 20:23 vuln.today
CVE Published
Apr 08, 2026 - 20:16 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.

AnalysisAI

Remote code execution in Tophat mobile testing harness prior to 2.5.1 allows authenticated network attackers to execute arbitrary commands on a developer's macOS workstation via unsanitized URL query parameters passed directly to bash. The vulnerability affects any developer with Tophat installed, with commands executing under the user's permissions and no confirmation dialog for previously trusted build hosts. This was fixed in version 2.5.1.

Technical ContextAI

Tophat is a mobile application testing harness for macOS that processes custom URL schemes (tophat://) and localhost HTTP requests (http://localhost:29070). The vulnerability stems from insufficient input validation on the 'arguments' query parameter, which flows unsanitized through URL parsing directly into a /bin/bash -c command execution context. This represents a classic command injection vulnerability (CWE-78) where attacker-controlled input is concatenated into shell command strings without proper escaping or sanitization. The localhost listener on port 29070 creates a local attack surface accessible to any process on the macOS system, while the custom URL scheme handler allows cross-application invocation. The lack of confirmation dialogs for previously trusted build hosts eliminates a potential user-interaction barrier that might otherwise mitigate exploitation.

RemediationAI

Vendor-released patch: Tophat 2.5.1. Developers must immediately upgrade from any version prior to 2.5.1 to the patched release. The patch addresses the unsanitized URL argument parsing by implementing proper input validation and escaping before passing arguments to shell execution. No workarounds are documented or recommended as a substitute for upgrading. Verify the upgrade by checking the installed version via Tophat's version command or system package manager, and restart any dependent build processes. For additional context and technical details, consult the GitHub security advisory at https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2 and the upstream fix at https://github.com/Shopify/tophat/pull/139.

Share

EUVD-2026-20613 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy