Home / Vulnerability Intelligence / CVE-2026-33310

CVE-2026-33310 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 25, 2026

Intake - Command Injection

Published: March 24, 2026Updated: March 25, 2026PoC AvailableRemote Exploitable

Overview

Intake < 2.0.9 contains a command injection caused by automatic expansion of shell() syntax in parameter default values during catalog parsing, letting attackers execute arbitrary commands by loading malicious catalog YAML, exploit requires loading malicious catalog.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 5.2%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary commands on the host system by loading a malicious catalog, potentially leading to full system compromise.

Mitigation

Update to version 2.0.9 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 24, 2026

🟠 CVE-2026-33310 - High (8.8) Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contai... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33310/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-33310
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: confirmed
EPSS: 5.2%
Social Posts: 1

CWE

CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score

5.2%Probability of exploitation in the next 30 days