{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cli/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cli"],"_cs_severities":["high"],"_cs_tags":["command-injection","vulnerability","linux"],"_cs_type":"advisory","_cs_vendors":["uniget-org"],"content_html":"\u003cp\u003eUniget is affected by a command injection vulnerability (CVE-2026-45152) stemming from the unsafe execution of the \u003ccode\u003echeck\u003c/code\u003e field within metadata files. This occurs because the \u003ccode\u003echeck\u003c/code\u003e field, used for version checks, is executed via \u003ccode\u003e/bin/bash -c\u003c/code\u003e without proper sanitization or validation. An attacker can inject arbitrary shell commands by crafting malicious metadata. Common uniget operations such as \u003ccode\u003edescribe\u003c/code\u003e, \u003ccode\u003einstall\u003c/code\u003e, \u003ccode\u003eupdate\u003c/code\u003e, or \u003ccode\u003einspect\u003c/code\u003e will trigger the vulnerability. 
This vulnerability affects uniget versions prior to 0.27.1, and successful exploitation leads to arbitrary code execution with the privileges of the user running uniget.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON metadata file containing a payload within the \u003ccode\u003echeck\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious metadata file in the uniget metadata cache directory (\u003ccode\u003e~/.local/var/cache/uniget/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe user executes a uniget command such as \u003ccode\u003edescribe\u003c/code\u003e, \u003ccode\u003einstall\u003c/code\u003e, \u003ccode\u003eupdate\u003c/code\u003e, or \u003ccode\u003einspect\u003c/code\u003e targeting a tool defined in the malicious metadata.\u003c/li\u003e\n\u003cli\u003eUniget loads the metadata for the specified tool using \u003ccode\u003ejson.Unmarshal()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etool.Check\u003c/code\u003e field is populated with the attacker-controlled command from the JSON metadata.\u003c/li\u003e\n\u003cli\u003eUniget executes the command defined in the \u003ccode\u003etool.Check\u003c/code\u003e field using \u003ccode\u003e/bin/bash -c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe shell interprets any shell metacharacters present in the command, resulting in command injection.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s injected commands are executed with the privileges of the user running uniget, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis command injection vulnerability allows an attacker to execute arbitrary code on a vulnerable system. This can lead to the exfiltration of sensitive data, installation of malware, or modification of system configurations. 
Compromised systems could be leveraged for further attacks within a network. This issue primarily affects users who import or process attacker-controlled metadata, potentially including CI/CD environments using uniget automation. Successful exploitation grants the attacker the same privileges as the user running uniget, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to uniget version 0.27.1 or later to patch CVE-2026-45152.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, avoid using uniget with untrusted metadata sources.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003e/bin/bash -c\u003c/code\u003e executing commands sourced from uniget metadata locations, as detected by the Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:36:49Z","date_published":"2026-05-13T15:36:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-uniget-command-injection/","summary":"Uniget is vulnerable to command injection because the `check` field is loaded directly from untrusted JSON metadata without validation, allowing an attacker to execute arbitrary shell commands on the victim's system when performing common uniget operations.","title":"Uniget Command Injection Vulnerability via Malicious Metadata","url":"https://feed.craftedsignal.io/briefs/2026-05-uniget-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cli","version":"https://jsonfeed.org/version/1.1"}