CVE-2026-28801
Code Injection in Natro Macro via Malicious Pattern Files
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| natroteam | natro_macro | before 1.1.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28801 is a code injection vulnerability in Natro Macro, an AutoHotkey-based macro tool used for Bee Swarm Simulator. Before version 1.1.0, any AutoHotkey (ahk) code embedded inside pattern or path files is executed by the macro when imported.
Since users commonly share these pattern/path files, an attacker can distribute a malicious file containing harmful ahk code that runs silently alongside the intended pattern. This malicious code can operate in the background without detection, allowing the attacker to perform unauthorized actions.
The vulnerability arises from improper control of code generation (CWE-94), where the program executes externally influenced code without proper neutralization.
This issue was patched in version 1.1.0 by introducing a warning prompt before importing any pattern file, enabling users to review the code.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to execute arbitrary AutoHotkey code on your system when you import a malicious pattern or path file.
The malicious code runs silently alongside the intended pattern, potentially compromising the confidentiality and integrity of your data or system.
Because the attack requires local access and user interaction (importing the malicious file), the risk depends on whether you import untrusted files.
The vulnerability does not affect system availability but can lead to unauthorized actions and data compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when malicious AutoHotkey (ahk) code embedded within pattern or path files is executed by the Natro Macro program upon import. Detection involves identifying if any imported pattern or path files contain suspicious or unauthorized ahk code.
Since the attack requires local user interaction to import a malicious file, monitoring the import of pattern/path files and inspecting their contents for unexpected ahk code is key.
No specific commands are provided in the available resources to detect this vulnerability automatically.
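One way to do the content inspection described above before importing a file, as an added example that is not from the advisory or the Natro Macro project. The keyword list, the function names `scan_text` and `scan_file`, and the sample file are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# AutoHotkey built-ins that reach outside the macro. The list is an assumption
# about what a movement pattern should never need; extend it for your setup.
RISKY = {
    "process/native code": ["Run", "RunWait", "DllCall", "ComObject", "ComObjCreate"],
    "file system": ["FileAppend", "FileDelete", "FileCopy", "FileMove",
                    "FileOpen", "FileInstall", "DirDelete"],
    "network": ["Download", "UrlDownloadToFile"],
    "registry": ["RegWrite", "RegDelete"],
    "code loading": ["#Include", "#IncludeAgain"],
}
# AutoHotkey is case-insensitive; match whole identifiers only (my_Run is not Run).
RULES = [(cat, re.compile(r"(?<![\w#])(?:%s)(?!\w)" % "|".join(map(re.escape, names)), re.I))
         for cat, names in RISKY.items()]
# %expr%( ... ) is a dynamic call whose target name is built at run time.
RULES.append(("dynamic call", re.compile(r"%[^%\r\n]+%\s*\(")))

def scan_text(text):
    """Return (line_no, category, matched_text) for every hit. Comments are
    scanned too, so nothing is hidden by a mis-parsed comment marker."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for cat, rx in RULES:
            hits += [(no, cat, m.group(0)) for m in rx.finditer(line)]
    return hits

def scan_file(path):
    # errors="replace" keeps odd encodings from aborting the review
    return scan_text(Path(path).read_text(encoding="utf-8", errors="replace"))

# Constructed sample, not a real shared pattern: movement-style lines using a
# hypothetical helper name, followed by lines a reviewer should stop on.
SAMPLE = """\
loop reps {
    move_hypothetical(4)
}
Run "example.exe"
runwait("example.exe") ; case differs, still flagged
%fn%("arg")
"""

if __name__ == "__main__":
    runs = [(p, scan_file(p)) for p in sys.argv[1:]] or [("<sample>", scan_text(SAMPLE))]
    for name, hits in runs:
        for no, cat, tok in hits:
            print(f"{name}:{no}: {cat}: {tok}")
```

Keyword matching misses names assembled at run time, so a clean result is a triage signal and does not replace reading the file or updating to 1.1.0.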
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update Natro Macro to version 1.1.0 or later, where a warning prompt is introduced before importing any pattern file, allowing users to review the code.
Until the update is applied, carefully review all pattern and path files before importing them to ensure they do not contain malicious ahk code.
Only use pattern and path files from trusted sources verified by Natro staff, such as the official GitHub repository (https://github.com/NatroTeam/Paths-Patterns) and the official Discord channels (#paths and #patterns).