CVE-2026-31226 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: May 13, 2026
TinyZero - Command Injection
Published: May 12, 2026 | Updated: May 13, 2026 | Remote Exploitable
Overview
TinyZero contains a command injection vulnerability caused by the unsafe construction and execution of shell commands via os.system() in its HDFS file operation utilities. A remote attacker can execute arbitrary OS commands; exploitation requires that the attacker control input supplied through the Hydra configuration.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Remote attackers can execute arbitrary OS commands with the privileges of the TinyZero training process user.
Mitigation
Update to a version that properly validates and escapes the inputs used by the _copy() function, or apply input validation and escaping before any shell command is executed.
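The following added example (not TinyZero's code; the project's real _copy() and the exact HDFS command it runs are not reproduced on this page) shows the CWE-78 pattern the Overview describes next to the two mitigations named above: validating the config-supplied path and passing it to the HDFS CLI as an argv list so the shell never parses it. The `hdfs dfs -put` wrapper, the `HDFS_BIN` name and the sample Hydra-style path values are assumptions made for illustration.

```python
"""CWE-78 in a config-driven HDFS copy helper: vulnerable shape vs. hardened shape.

Hypothetical code written for this advisory; it does not reproduce TinyZero's
own _copy() implementation.
"""
import re
import shlex
import subprocess
from typing import List

# Assumption: the utility wraps the `hdfs dfs -put` command-line tool.
HDFS_BIN = "hdfs"


def vulnerable_copy_command(src: str, dst: str) -> str:
    """Shape of the flaw: a value taken from the Hydra config is interpolated
    straight into a shell string. The vulnerable code would hand this string to
    os.system(); here it is only returned so the composed command can be
    inspected without executing anything."""
    return f"{HDFS_BIN} dfs -put {src} {dst}"  # os.system(<this string>) in the flawed version


# Allowlist for HDFS/local paths: letters, digits, '_', '.', '/', ':' and '-'.
# Shell metacharacters (';', '|', '&', '$', backticks, quotes, whitespace,
# newlines) are rejected outright rather than escaped.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_./:\-]+$")


def validate_path(path: str) -> str:
    """Return the path unchanged if it matches the allowlist and contains no
    '..' segment; raise ValueError otherwise."""
    if not _SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        raise ValueError(f"rejected unsafe path: {path!r}")
    return path


def is_rejected(path: str) -> bool:
    """Convenience check: True when validate_path() refuses the value."""
    try:
        validate_path(path)
    except ValueError:
        return True
    return False


def hardened_copy_argv(src: str, dst: str) -> List[str]:
    """Build an argv list instead of a shell string. With shell=False the
    arguments are passed to the program verbatim, so no metacharacter in a
    config value can change the command structure."""
    return [HDFS_BIN, "dfs", "-put", validate_path(src), validate_path(dst)]


def hardened_copy(src: str, dst: str) -> subprocess.CompletedProcess:
    """Execute the copy without a shell. check=True surfaces CLI failures."""
    return subprocess.run(hardened_copy_argv(src, dst), shell=False, check=True)


def quoted_fallback_command(src: str, dst: str) -> str:
    """If a shell string is truly unavoidable, shlex.quote() wraps each value so
    the shell treats it as a single literal word. Allowlisting plus argv is
    still the stronger option; this is the 'escaping' mitigation on its own."""
    return f"{HDFS_BIN} dfs -put {shlex.quote(src)} {shlex.quote(dst)}"


if __name__ == "__main__":
    # Constructed sample values standing in for Hydra config entries.
    good_dst = "hdfs://namenode:8020/models/ckpt.pt"
    bad_dst = "/tmp/out; echo injected"

    print("vulnerable:", vulnerable_copy_command("/data/ckpt.pt", bad_dst))
    print("argv      :", hardened_copy_argv("/data/ckpt.pt", good_dst))
    print("rejected  :", is_rejected(bad_dst))
    print("quoted    :", quoted_fallback_command("/data/ckpt.pt", bad_dst))
```

The vulnerable function shows why the issue is rated CWE-78: the destination value becomes part of the shell's command line, so its metacharacters are interpreted as command syntax. The hardened path rejects such values before they reach the CLI and, even for accepted values, never lets a shell see them.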
References
Related Resources
Details
- CVE ID: CVE-2026-31226
- Severity: Critical
- CVSS Score: 9.8
- Type: command_injection
- Status: unconfirmed
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H