Skip to main content

ui-ux-pro-max-skill EUVDEUVD-2026-26719

| CVE-2026-7595 LOW
Code Injection (CWE-94)
2026-05-01 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Severity Changed
May 01, 2026 - 21:22 NVD
MEDIUM LOW
CVSS changed
May 01, 2026 - 21:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
PoC Detected
May 01, 2026 - 21:16 vuln.today
Public exploit code
Source Code Evidence Fetched
May 01, 2026 - 21:15 vuln.today
Analysis Generated
May 01, 2026 - 21:15 vuln.today
EUVD ID Assigned
May 01, 2026 - 21:01 euvd
EUVD-2026-26719
Analysis Generated
May 01, 2026 - 21:01 vuln.today
Patch released
May 01, 2026 - 21:01 nvd
Patch available
CVE Published
May 01, 2026 - 20:45 nvd
LOW 2.1

DescriptionCVE.org

A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this vulnerability is the function _format_plugins of the file .claude/skills/ui-styling/scripts/tailwind_config_gen.py of the component Tailwind Config Generator. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

AnalysisAI

Code injection vulnerability in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0 allows authenticated remote attackers to execute arbitrary code via unsanitized plugin names in the Tailwind Config Generator. The _format_plugins function constructs require() statements without validation, enabling attackers with login credentials to inject malicious JavaScript into the Tailwind configuration. Publicly available exploit code exists and the vendor has released a patch via pull request, though adoption status is unconfirmed.

Technical ContextAI

The vulnerability resides in the _format_plugins method of tailwind_config_gen.py, which dynamically generates JavaScript require() statements from user-supplied plugin names without input validation. Tailwind CSS plugins are loaded via require() calls in the generated config file; an attacker can inject arbitrary code by crafting malicious plugin names containing JavaScript syntax (e.g., semicolons, parentheses, or escaped quotes). The root cause is CWE-94 (Improper Control of Generation of Code) combined with insufficient allowlisting. The fix implements strict regex validation (_VALID_PLUGIN_NAME) matching only valid npm package naming conventions: optional @scope prefix, alphanumeric characters, hyphens, dots, underscores, and forward slashes for subpaths - explicitly blocking quotes, parentheses, and semicolons. Affected versions up to 2.5.0 generate unsafe config via this unvalidated pipeline.

RemediationAI

Upgrade to the patched version of ui-ux-pro-max-skill released after the merge of PR #275, which implements regex-based plugin name validation. Patch details: the fix adds _VALID_PLUGIN_NAME regex pattern enforcement in _format_plugins() to reject any plugin names containing characters outside the npm package naming specification (alphanumeric, hyphens, dots, underscores, @scope prefix, and subpaths only). Mitigating code change: reject plugin values not matching '^(@[a-zA-Z0-9_-]+/)?[a-zA-Z0-9_-]+(/[a-zA-Z0-9_.-]+)*$' and raise ValueError with message indicating invalid npm package name. For deployments on unpatched versions, restrict access to the Tailwind Config Generator interface to trusted administrators only and implement code review of all generated config files before deployment. No workarounds short of restricting feature access are recommended, as the plugin injection point is inherent to the design. Patch reference: https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/275.

Share

EUVD-2026-26719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy