CVE-2026-9453
Deferred Deferred - Pending Action

Command Injection in FoundDream MiniclawD

Vulnerability report for CVE-2026-9453, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-25

Last updated on: 2026-05-25

Assigner: VulDB

Description

A vulnerability was detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. This affects the function which of the file /src/application/skills-loader.ts of the component SkillsLoader. Performing a manipulation of the argument requires.bins results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-25
Last Modified
2026-05-25
Generated
2026-07-06
AI Q&A
2026-05-26
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
founddream miniclawd to 2d65665046e2222eeea76cafc8570ed546a8c125 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the FoundDream miniclawd software, specifically in the SkillsLoader component within the file /src/application/skills-loader.ts. It involves a command injection flaw triggered by manipulating the argument requires.bins. An attacker can exploit this vulnerability remotely to execute arbitrary commands on the affected system.

Impact Analysis

The vulnerability allows remote attackers to perform command injection, which can lead to unauthorized execution of commands on the affected system. This can compromise the confidentiality, integrity, and availability of the system and its data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9453. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart