zeptoclaw has Shell allowlist-blocklist bypass via command/argument injection and file name wildcards

Summary zeptoclaw implements a allowlist combined with a blocklist to prevent malicious shell commands in src/security/shell.rs. However, even in the Strict mode, attackers can completely bypass all the guards from allowlist and blocklist: - to bypass the allowlist, command injection is enough,...

CVE-2026-27190 Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:childprocess implementation. This vulnerability is fixed in 2.6.8...