{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30302", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-27T20:22:59.670Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T15:35:37.622Z"}, "descriptions": [{"lang": "en", "value": "The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^\" & malicious_command ^\". The CodeRider-Kilo parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interpreter ignores the escaped quotes, parsing and executing the subsequent malicious command directly. This allows attackers to achieve arbitrary Remote Code Execution (RCE) after bypassing what appears to be a legitimate Git whitelist check."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/3"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:20:50.771732Z", "id": "CVE-2026-30302", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:22:59.670Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^\" & malicious_command ^\". The CodeRider-Kilo parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interpreter ignores the escaped quotes, parsing and executing the subsequent malicious command directly. This allows attackers to achieve arbitrary Remote Code Execution (RCE) after bypassing what appears to be a legitimate Git whitelist check."}], "id": "CVE-2026-30302", "lastModified": "2026-03-27T16:16:23.210", "metrics": {}, "published": "2026-03-27T16:16:23.210", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T17:26:25.187797+00:00", "value": {"mitigation_remediation": ["Apply any available vendor patch or update for CodeRider\u2011Kilo.", "If no patch is available, disable the auto\u2011approval feature or restrict it to whitelisted safe commands.", "Ensure the command parser used on Windows handles CMD escape sequences correctly or replace it with a Windows\u2011compatible solution.", "Monitor for any execution of unexpected commands in the application logs."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of CodeRider\u2011Kilo running on Windows are vulnerable; no specific version information is provided.", "description_and_impact": "The flaw is an OS Command Injection in the auto\u2011approval module of CodeRider\u2011Kilo on Windows. A Unix\u2011based shell\u2011quote parser was invoked on a Windows platform, mishandling CMD escape sequences and allowing a crafted command such as git log ^\" & malicious_command ^\" to be auto\u2011approved. The parser treats the ampersand as part of a string, but the Windows shell executes it, giving the attacker arbitrary command execution with the privileges of the process.", "risk_and_exploitability": "The vulnerability presents a high severity due to potential remote code execution. No EPSS or KEV data is available, but the ease of injection and bypass of whitelist control suggests a high likelihood of exploitation. The attack vector is inferred to be within the context of executing Git commands on the victim system where the auto\u2011approval module runs."}}}}, "created": "2026-03-27T20:28:55.669423+00:00", "title": "OS Command Injection in CodeRider\u2011Kilo Auto\u2011Approval Module Allows Remote Code Execution on Windows", "updated": "2026-03-27T20:28:55.669449+00:00", "vendors": [], "weaknesses": ["CWE-78"]}