CVE-2026-45152

Source
https://cve.org/CVERecord?id=CVE-2026-45152
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45152.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45152
Aliases
Published
2026-05-27T21:05:00.990Z
Modified
2026-07-08T08:13:30.024924228Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
uniget: Command Injection in tool.Check Leading to Arbitrary Code Execution
Details

uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system when common uniget operations such as describe, install, update, or inspect are performed. This vulnerability can lead to arbitrary code execution with the privileges of the user running uniget. This vulnerability is fixed in 0.27.1.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45152.json"
}
References

Affected packages

Git / github.com/uniget-org/cli

Affected ranges

Type
GIT
Repo
https://github.com/uniget-org/cli
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.27.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

Other
uniget-org/cli
v0.*
v0.1.0
v0.1.1
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.11.0
v0.11.0-beta.10
v0.11.0-beta.11
v0.11.0-beta.12
v0.11.0-beta.2
v0.11.0-beta.3
v0.11.0-beta.4
v0.11.0-beta.5
v0.11.0-beta.6
v0.11.0-beta.7
v0.11.0-beta.8
v0.11.0-beta.9
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.11.5
v0.11.6
v0.12.0
v0.12.1
v0.12.10
v0.12.11
v0.12.12
v0.12.13
v0.12.14
v0.12.15
v0.12.2
v0.12.3
v0.12.4
v0.12.5
v0.12.6
v0.12.7
v0.12.8
v0.12.9
v0.13.0
v0.13.1
v0.13.2
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.14.4
v0.14.5-rc1
v0.14.5-rc2
v0.15.0
v0.15.0-rc.1
v0.15.0-rc.2
v0.16.2
v0.16.3
v0.17.0
v0.17.1
v0.17.10
v0.17.11
v0.17.12
v0.17.13
v0.17.14
v0.17.15
v0.17.16
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.17.6
v0.17.7
v0.17.8
v0.17.9
v0.18.0
v0.18.0-rc.1
v0.18.0-rc.2
v0.18.0-rc.3
v0.18.0-rc.4
v0.18.0-rc.5
v0.18.0-rc.6
v0.18.0-rc.7
v0.18.1
v0.18.10
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.18.7
v0.18.8
v0.18.9
v0.19.0
v0.19.1
v0.19.10
v0.19.11
v0.19.2
v0.19.3
v0.19.4
v0.19.5
v0.19.6
v0.19.7
v0.19.8
v0.19.9
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.21.4
v0.21.5
v0.22.0
v0.22.1
v0.22.2
v0.22.3
v0.22.4
v0.22.5
v0.23.0
v0.23.1
v0.23.10
v0.23.11
v0.23.12
v0.23.13
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.23.6
v0.23.7
v0.23.8
v0.23.9
v0.24.0
v0.24.0-rc.1
v0.24.0-rc.2
v0.24.0-rc.3
v0.24.0-rc.4
v0.24.0-rc.5
v0.24.0-rc.6
v0.24.1
v0.24.10
v0.24.11
v0.24.12
v0.24.13
v0.24.14
v0.24.15
v0.24.16
v0.24.17
v0.24.18
v0.24.19
v0.24.2
v0.24.20
v0.24.21
v0.24.22
v0.24.23
v0.24.24
v0.24.25
v0.24.26
v0.24.27
v0.24.3
v0.24.4
v0.24.5
v0.24.5-rc.0
v0.24.5-rc.1
v0.24.6
v0.24.7
v0.24.8
v0.24.9
v0.25.0
v0.25.0-rc.1
v0.25.0-rc.2
v0.25.0-rc.3
v0.25.1
v0.25.2
v0.25.3
v0.26.0
v0.26.1
v0.26.2
v0.26.3
v0.26.4
v0.27.0
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.5.0
v0.6.0
v0.6.1
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45152.json"