CVE-2026-30309
Received Received - Intake
Command Injection via Bypassable Blacklist in InfCode Terminal Module

Publication date: 2026-03-31

Last updated on: 2026-04-14

Assigner: MITRE

Description
InfCode's terminal auto-execution module contains a critical command filtering vulnerability that renders its blacklist security mechanism completely ineffective. The predefined blocklist fails to cover native high-risk commands in Windows PowerShell (such as powershell), and the matching algorithm lacks dynamic semantic parsing unable to recognize string concatenation, variable assignment, or double-quote interpolation in Shell syntax. Malicious commands can bypass interception through simple syntax obfuscation. An attacker can construct a file containing malicious instructions for remote code injection. When a user imports and views such a file in the IDE, the Agent executes dangerous PowerShell commands outside the blacklist without user confirmation, resulting in arbitrary command execution or sensitive data leakage.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30309
EUVD
EUVD-2026-17421
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tokfinity infcode to 1.3.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in InfCode's terminal auto-execution module allows arbitrary command execution and potential leakage of sensitive data without user confirmation. This exposure of sensitive data and unauthorized code execution can lead to violations of data protection regulations such as GDPR and HIPAA, which mandate strict controls over data confidentiality and system security.

Because attackers can bypass the blacklist and execute high-risk PowerShell commands remotely, organizations using affected versions of InfCode may fail to maintain the integrity and confidentiality of personal or protected health information, thereby risking non-compliance with these common standards.

Executive Summary

CVE-2026-30309 is a critical vulnerability in Tokfinity's InfCode software, specifically in its terminal auto-execution module. The vulnerability stems from an ineffective blacklist security mechanism that fails to block high-risk Windows PowerShell commands such as "powershell."

The blacklist uses a matching algorithm that lacks dynamic semantic parsing, so it cannot detect obfuscated commands that use techniques like string concatenation, variable assignment, or double-quote interpolation in shell syntax. Attackers can exploit this by crafting malicious commands that bypass the blacklist.

An attacker can embed these malicious commands in a file. When a user imports and views this file in the InfCode IDE, the Agent executes the dangerous PowerShell commands without user confirmation, leading to arbitrary command execution or sensitive data leakage.

Impact Analysis

This vulnerability can have severe impacts because it allows remote attackers to execute arbitrary PowerShell commands on the victim's system without user confirmation.

Such arbitrary command execution can lead to remote code execution, which may compromise the entire system, allow installation of malware, unauthorized access, or manipulation of sensitive data.

Additionally, the vulnerability can cause leakage of sensitive information, putting user data and system integrity at risk.

Detection Guidance

This vulnerability involves the execution of obfuscated PowerShell commands bypassing the blacklist in InfCode's terminal auto-execution module. Detection would focus on monitoring for unusual or obfuscated PowerShell command executions triggered by the InfCode Agent.

Suggested detection methods include monitoring PowerShell command execution logs for suspicious patterns such as string concatenation, variable assignments, or double-quote interpolations that could indicate obfuscation.

  • Use Windows Event Logs to monitor PowerShell script block logging: Enable and review logs under 'Microsoft-Windows-PowerShell/Operational'.
  • Run commands like `Get-EventLog -LogName 'Microsoft-Windows-PowerShell/Operational'` or use `Get-WinEvent` to filter for suspicious PowerShell activity.
  • Use network monitoring tools to detect unusual outbound connections or data exfiltration attempts originating from the InfCode IDE or Agent processes.

Since the vulnerability exploits the auto-execution of commands when importing files into the IDE, monitoring file import activities and correlating them with PowerShell execution events can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps should focus on preventing the execution of malicious PowerShell commands through the vulnerable InfCode terminal auto-execution module.

  • Avoid importing or opening untrusted or suspicious files in the InfCode IDE until a patch or update is available.
  • Disable or restrict the auto-execution feature in the InfCode terminal module if possible.
  • Implement strict PowerShell execution policies on affected systems to limit script execution, such as setting the execution policy to 'AllSigned' or 'Restricted'.
  • Monitor and restrict network access for the InfCode Agent to reduce the risk of remote exploitation.

Contact Tokfinity or check for official patches or updates addressing this vulnerability and apply them as soon as they become available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30309. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart