3 matches found
PYSEC-2026-560 utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol
Summary The substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix or powershell.exe -Command Windows, allowing an attacker to...
GHSA-5V57-8RXJ-3P2R python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection
Summary prepareenvironment in clicommunicationprotocol.py passes a full copy of os.environ to every CLI subprocess. When combined with the Command Injection vulnerability CWE-78 in substituteutcpargs tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-level secrets in a single...
Command Injection
Overview utcp-cli is an UTCP communication protocol plugin for wrapping local command-line tools. Affected versions of this package are vulnerable to Command Injection via the substituteutcpargs function. An attacker can execute arbitrary shell commands by supplying crafted input to the toolargs...