CVE-2026-39862
Received Received - Intake
Remote Code Execution in Tophat via Unsanitized URL Parameters

Publication date: 2026-04-08

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-39862
EUVD
EUVD-2026-20613
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shopify tophat to 2.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

If you are a developer using Tophat on macOS versions prior to 2.5.1, this vulnerability allows an attacker to execute arbitrary commands on your workstation.

Since the attacker commands run with your user permissions and no confirmation dialog is shown for trusted build hosts, an attacker could silently compromise your system.

This could lead to unauthorized access, data theft, or further compromise of your development environment.

Executive Summary

CVE-2026-39862 is a command injection vulnerability in the Tophat mobile applications testing harness affecting versions prior to 2.5.1.

The vulnerability occurs when a developer accesses a specially crafted URL using the tophat:// scheme or http://localhost:29070, where the "arguments" query parameter is not properly sanitized.

This unsanitized input is passed directly to a shell command executed via `/bin/bash -c`, allowing an attacker to execute arbitrary commands on the developer's macOS workstation with the same user permissions.

No confirmation dialog appears for previously trusted build hosts, increasing the risk of silent exploitation.

The vulnerability has been fixed in version 2.5.1 by sanitizing all command line arguments and validating allowed characters.

Detection Guidance

This vulnerability can be detected by inspecting any usage of tophat:// or http://localhost:29070 URLs that include the "arguments" query parameter, which is parsed unsanitized and passed to a shell command. Monitoring for suspicious or unexpected commands executed via /bin/bash -c on a developer's macOS workstation may indicate exploitation attempts.

As a practical detection step, you can manually review URLs used with Tophat to ensure they do not contain malicious arguments. Additionally, monitoring logs in development tools such as Xcode for unusual shell command executions or errors related to app launching with shell metacharacters can help identify attempts to exploit this vulnerability.

Specific commands are not provided in the resources, but general approaches include:

  • Checking shell command history for suspicious /bin/bash -c executions triggered by Tophat.
  • Using network monitoring tools to detect access to tophat:// URLs or HTTP requests to localhost:29070 with suspicious query parameters.
  • Reviewing Xcode logs for errors or warnings related to app launch arguments containing shell metacharacters.
Mitigation Strategies

The primary immediate step to mitigate this vulnerability is to update Tophat to version 2.5.1 or later, where the vulnerability has been fixed.

As a temporary workaround before updating, users should manually inspect all Tophat URLs before clicking to ensure they do not contain malicious arguments that could lead to command injection.

The fix involves sanitizing all command line arguments and validating them against an allowlist of permitted characters to prevent shell metacharacter injection.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39862. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart