{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openshell/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-41355"}],"_cs_exploited":false,"_cs_products":["OpenShell"],"_cs_severities":["high"],"_cs_tags":["cve","rce","openshell"],"_cs_type":"advisory","_cs_vendors":["OpenShell"],"content_html":"\u003cp\u003eOpenShell, a popular start menu replacement for Windows, is vulnerable to arbitrary code execution. Specifically, versions prior to 2026.3.28 are susceptible to CVE-2026-41355, which allows attackers with \u0026ldquo;mirror mode\u0026rdquo; access to execute arbitrary code. This vulnerability stems from the insecure conversion of untrusted sandbox files into workspace hooks. An attacker can leverage this flaw to inject malicious code that executes during the OpenShell gateway startup process, gaining control over the host system. This poses a significant risk to systems where OpenShell is used, especially in environments where multiple users or sandboxed applications are present. Successful exploitation allows for complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains low-privilege access to a system with OpenShell installed and \u0026ldquo;mirror mode\u0026rdquo; enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious sandbox file containing embedded code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages OpenShell\u0026rsquo;s mirror mode to convert the untrusted sandbox file into a workspace hook.\u003c/li\u003e\n\u003cli\u003eOpenShell improperly handles the conversion, failing to sanitize the malicious code within the workspace hook.\u003c/li\u003e\n\u003cli\u003eThe system restarts or the OpenShell gateway service is initialized.\u003c/li\u003e\n\u003cli\u003eDuring the gateway startup, OpenShell executes the injected malicious code from the compromised workspace hook.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the OpenShell process.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges or performs other malicious actions, such as installing malware or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41355 allows an attacker to execute arbitrary code on a vulnerable system. This can lead to complete system compromise, including data theft, malware installation, and denial of service. The vulnerability is particularly dangerous in multi-user environments or systems using sandboxed applications, as it allows attackers to break out of the sandbox and gain control over the host. While the exact number of affected systems is unknown, any system running OpenShell prior to version 2026.3.28 with mirror mode enabled is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenShell to version 2026.3.28 or later to patch CVE-2026-41355.\u003c/li\u003e\n\u003cli\u003eDisable \u0026ldquo;mirror mode\u0026rdquo; in OpenShell if it is not required, reducing the attack surface.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetectSuspiciousOpenShellMirrorMode\u003c/code\u003e to detect potential exploitation attempts by monitoring process creations related to OpenShell with specific command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to activate the \u003ccode\u003eDetectSuspiciousOpenShellMirrorMode\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T12:00:00Z","date_published":"2026-04-24T12:00:00Z","id":"/briefs/2026-04-openshell-rce/","summary":"OpenShell before 2026.3.28 is vulnerable to arbitrary code execution via mirror mode when converting untrusted sandbox files into workspace hooks, allowing attackers with mirror mode access to execute code during gateway startup.","title":"OpenShell Arbitrary Code Execution Vulnerability (CVE-2026-41355)","url":"https://feed.craftedsignal.io/briefs/2026-04-openshell-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenShell","version":"https://jsonfeed.org/version/1.1"}