Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Thu, 18 Jun 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OS Command Injection in @pensar/apex smart_enumerate Tool |
Wed, 17 Jun 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OS Command Injection Vulnerability in @pensar/apex Smart Enumerate Tool |
Tue, 16 Jun 2026 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OS Command Injection Vulnerability in @pensar/apex Smart Enumerate Tool |
Wed, 03 Jun 2026 11:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OS Command Injection via Unsanitized Parameters in @pensar/apex's smart_enumerate Tool |
Wed, 03 Jun 2026 04:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | @pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in those values are interpreted by the host shell, resulting in arbitrary OS command execution with the privileges of the running process. | @pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in those values are interpreted by the host shell, resulting in arbitrary OS command execution with the privileges of the running process. NOTE: this is disputed by the Supplier because the report is about intended behavior, as explained in the Security Policy of the pensarai/apex GitHub repo. |
| References |
|
Sat, 30 May 2026 23:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Pensar
Pensar apex |
|
| Vendors & Products |
Pensar
Pensar apex |
Fri, 29 May 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 27 May 2026 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OS Command Injection via Unsanitized Parameters in @pensar/apex's smart_enumerate Tool | |
| Weaknesses | CWE-78 |
Wed, 27 May 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | @pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in those values are interpreted by the host shell, resulting in arbitrary OS command execution with the privileges of the running process. | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-06-03T03:41:20.766Z
Reserved: 2026-04-06T00:00:00.000Z
Link: CVE-2026-36044
Updated: 2026-05-29T15:36:34.265Z
Status : Deferred
Published: 2026-05-27T14:16:45.143
Modified: 2026-06-17T10:41:02.783
Link: CVE-2026-36044
No data.
OpenCVE Enrichment
Updated: 2026-06-18T07:45:03Z