CVE-2026-39862

Source
https://cve.org/CVERecord?id=CVE-2026-39862
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39862.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39862
Aliases
  • GHSA-8x8g-6rv5-mgg2
Published
2026-04-08T19:50:05.156Z
Modified
2026-07-08T07:10:42.968793Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Tophat has a Command Injection Vulnerability When Accessing a Maliciously Crafted Tophat Link
Details

Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39862.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/shopify/tophat

Affected ranges

Type
GIT
Repo
https://github.com/shopify/tophat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:shopify:tophat:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v1.*
v1.10.0
v1.11.0
v1.11.1
v1.9.0
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.2.1
v2.3.0
v2.4.0
v2.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39862.json"