CVE-2026-6130
OS Command Injection in ChatboxAI StdioClientTransport (Remote Exploit
Publication date: 2026-04-12
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chatboxai | chatbox | to 1.20.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in the chatboxai chatbox software up to version 1.20.0, specifically in the StdioClientTransport function within the Model Context Protocol Server Management System component. It allows an attacker to manipulate the arguments passed to the function (args/env), which can lead to operating system command injection. This means an attacker can remotely execute arbitrary OS commands on the affected system.
How can this vulnerability impact me? :
The vulnerability can have serious impacts as it allows remote attackers to execute arbitrary operating system commands on the affected system without any authentication or user interaction. This can lead to unauthorized access, data compromise, system control, and potentially further exploitation of the environment where the vulnerable software is deployed.