Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell metacharacters or command substitutions through attacker-controlled inputs including %line% values from foreach iterators and %user% / %user_home% values derived from system files to achieve arbitrary command execution with the privileges of the UAC process.
AnalysisAI
Command injection in Unix-like Artifacts Collector (UAC) pre-3.3.0-rc1 enables arbitrary code execution through unsanitized placeholder substitution in the _run_command() pipeline. Attackers inject shell metacharacters via %line%, %user%, or %user_home% placeholders processed by foreach iterators and system file parsers, exploiting direct eval() execution without input validation. Exploitation requires local access with user interaction but no authentication, executing commands at UAC process privilege level. No public exploit identified at time of analysis.
Technical ContextAI
Root cause is CWE-78 command injection in _run_command() function where placeholder values from foreach loop iterators and system file parsing undergo string substitution then pass unsanitized to eval(). Shell metacharacter filtering absent before command construction. Attack surface includes any UAC artifact collection workflow processing external file content or user-controlled iteration variables that populate %line%, %user%, %user_home% templates.
RemediationAI
Upgrade to UAC 3.3.0-rc1 or later incorporating upstream fixes that sanitize placeholder substitution inputs before eval() execution. Three security commits address the injection vector: cb95d7166cd47908e1189d9669e43f9a6d3d707f, 50ace60e172e38feb78347bdf579311c23eff078, and d0fca5e36d8d6a33a4404f0f6fe92b0424544589 available via GitHub PR 443. Until patching, restrict UAC execution to trusted artifact collection configurations excluding external file parsing or user-controlled foreach inputs. Validate and whitelist all placeholder sources. Vendor advisory and technical analysis: https://www.vulncheck.com/advisories/uac-rc1-command-injection-via-placeholder-substitution and https://github.com/tclahr/uac/issues/429
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20775
GHSA-vv2j-m83f-q33j