CVE-2026-33718

🗓️ 27 Mar 2026 00:12:24Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 8 Views🌐 WEB

OpenHands has a command injection flaw in get_git_diff via an unsanitized git diff path; fixed in 1.5.0.

Reporter	Title	Published	Views	Family All 14
ATTACKERKB	CVE-2026-33718	27 Mar 202600:12	–	attackerkb
Circl	CVE-2026-33718	27 Mar 202603:17	–	circl
CNNVD	OpenHands 操作系统命令注入漏洞	27 Mar 202600:00	–	cnnvd
Cvelist	CVE-2026-33718 OpenHands is Vulnerable to Command Injection through its Git Diff Handler	27 Mar 202600:12	–	cvelist
Github Security Blog	OpenHands is Vulnerable to Command Injection through its Git Diff Handler	25 Mar 202621:54	–	github
NVD	CVE-2026-33718	27 Mar 202601:16	–	nvd
OSV	CVE-2026-33718 OpenHands is Vulnerable to Command Injection through its Git Diff Handler	27 Mar 202600:12	–	osv
OSV	GHSA-7H8W-HJ9J-8RJW OpenHands is Vulnerable to Command Injection through its Git Diff Handler	25 Mar 202621:54	–	osv
OSV	PYSEC-2026-106	27 Mar 202601:16	–	osv
Positive Technologies	PT-2026-28181	25 Mar 202600:00	–	ptsecurity

NVD

Vulners

Node

openhands openhandsRange<1.5.0python

[
  {
    "vendor": "OpenHands",
    "product": "OpenHands",
    "versions": [
      {
        "version": "< 1.5.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/OpenHands/OpenHands/security/advisories/GHSA-7h8w-hj9j-8rjw
docs	www.docs.python.org/3/library/shlex.html
owasp	www.owasp.org/www-community/attacks/Command_Injection
docs	www.docs.python.org/3/library/subprocess.html
github	www.github.com/OpenHands/OpenHands/pull/13051

Parameter	Position	Path	Description	CWE
path	path	/api/conversations/{conversation_id}/git/diff	Command injection via unsanitized path parameter in git diff endpoint leading to arbitrary command execution in the agent sandbox.	CWE-78

10 Apr 2026 15:23Current

6.1Medium risk

Vulners AI Score6.1

CVSS 3.17.6 - 9.9

EPSS0.00216

SSVC

CWE-78