CVE-2026-28800

Published: Mar 6, 2026Modified: Mar 10, 2026

8.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.1 / Impact: 5.9

Source: NVD

Description

Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, anyone with Discord Remote Control set up in a non-private channel gives access to any user with the permission to send message in said channel access to do anything on their computer. This includes keyboard and mouse inputs and full file access. This issue has been patched in version 1.1.0.

Affected (1)

Products: Natroteam: Natro Macro

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Natroteam Natro Macro	Before 1.1.0

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (1)

https://github.com/NatroTeam/NatroMacro/security/advisories/GHSA-ph9r-2qjm-ghvg

Source: security-advisories@github.com

MitigationVendor Advisory

Timeline

No history available yet.