Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-qqq4-5773-pmw5 | uniget is Vulnerable to Command Injection in tool.Check Leading to Arbitrary Code Execution |
Fri, 29 May 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Uniget-org
Uniget-org cli |
|
| Vendors & Products |
Uniget-org
Uniget-org cli |
Thu, 28 May 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 27 May 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system when common uniget operations such as describe, install, update, or inspect are performed. This vulnerability can lead to arbitrary code execution with the privileges of the user running uniget. This vulnerability is fixed in 0.27.1. | |
| Title | uniget: Command Injection in tool.Check Leading to Arbitrary Code Execution | |
| Weaknesses | CWE-78 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-28T12:40:02.534Z
Reserved: 2026-05-08T20:44:38.964Z
Link: CVE-2026-45152
Updated: 2026-05-28T12:39:52.638Z
Status : Deferred
Published: 2026-05-27T22:16:36.963
Modified: 2026-06-17T10:51:42.657
Link: CVE-2026-45152
No data.
OpenCVE Enrichment
Updated: 2026-05-29T15:49:49Z
Github GHSA