← Back

CVE-2026-30305

nvd nist
Published: Mar 30, 2026Modified: Jun 17, 2026

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Syntx's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails to account for standard Shell command substitution syntax (specifically $(...)and backticks ...). An attacker can construct a command such as git log --grep="$(malicious_command)", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction.

Affected (1)

Products: Orangecat: Syntx
1 product
Syntx
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Up to 2.5.0

References (2)

Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Broken Link

Timeline

No history available yet.