Tag
The `utcp-cli` package is vulnerable to command injection. The `_substitute_utcp_args` method in `cli_communication_protocol.py` inserts user-controlled values directly into shell command strings without sanitization, allowing an attacker to inject arbitrary shell commands, resulting in full Remote Code Execution. The vulnerability is fixed in version 1.1.2.