CVE-2026-45152
Received Received - Intake
Command Injection in Uniget Prior to 0.27.1

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system when common uniget operations such as describe, install, update, or inspect are performed. This vulnerability can lead to arbitrary code execution with the privileges of the user running uniget. This vulnerability is fixed in 0.27.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-45152
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uniget uniget to 0.27.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in uniget, a universal installer and updater for container tools, is a command injection flaw present before version 0.27.1. It occurs because uniget unsafely executes the 'check' field from metadata files using /bin/bash -c without validating or sanitizing this input. Since the 'check' field is loaded directly from untrusted JSON metadata, an attacker can craft malicious metadata that causes arbitrary shell commands to be executed on the victim's system when uniget operations like describe, install, update, or inspect are run.

This means an attacker can execute arbitrary code with the same privileges as the user running uniget.


How can this vulnerability impact me? :

This vulnerability can lead to arbitrary code execution on your system with the privileges of the user running uniget. An attacker exploiting this flaw could run malicious commands, potentially leading to unauthorized access, data theft, system compromise, or disruption of services.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade uniget to version 0.27.1 or later, where the issue is fixed.

Avoid using untrusted or suspicious metadata files with uniget until the upgrade is applied.

Limit the privileges of the user running uniget to reduce potential impact of arbitrary code execution.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart