CVE-2026-33310 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: March 24, 2026
Intake - Command Injection
Published: March 24, 2026 | Updated: March 24, 2026 | Remote Exploitable
Overview
Intake versions before 2.0.9 contain a command injection vulnerability: shell() syntax in parameter default values is expanded automatically during catalog parsing, so an attacker can execute arbitrary commands by supplying malicious catalog YAML. Exploitation requires that the malicious catalog be loaded.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Attackers can execute arbitrary commands on the host system by loading a malicious catalog, potentially leading to full system compromise.
Mitigation
Update to version 2.0.9 or later.
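For catalogs from untrusted sources, a pre-load check for the pattern described in the Overview can be run alongside the update. This is an added example, not Intake's code: it assumes the catalog has already been parsed into plain dicts and lists by a safe YAML parser, and the key layout of the sample (`sources`, `parameters`, `default`) is constructed for illustration.

```python
import re

# Matches the shell(...) expansion syntax named in the advisory.
SHELL_CALL = re.compile(r"\bshell\s*\(")


def find_shell_expansions(node, path=()):
    """Walk parsed catalog data and return (dotted_path, value, in_default)
    for every string value that contains a shell( call."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_shell_expansions(value, path + (str(key),))
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            hits += find_shell_expansions(value, path + (str(index),))
    elif isinstance(node, str) and SHELL_CALL.search(node):
        # in_default is True when the value sits under a key named "default"
        # (assumed key name for a parameter default).
        hits.append((".".join(path), node, "default" in path))
    return hits


def safe_to_load(catalog):
    """Gate: reject a catalog that contains any shell() expansion."""
    return not find_shell_expansions(catalog)


# Constructed sample data, standing in for the output of a safe YAML parser.
SUSPECT = {
    "sources": {
        "sales": {
            "description": "monthly sales",
            "parameters": {
                "region": {"type": "str",
                           "default": "shell(echo constructed-example)"},
                "year": {"type": "int", "default": 2024},
            },
        }
    }
}
CLEAN = {"sources": {"sales": {"parameters": {"region": {"default": "emea"}}}}}

if __name__ == "__main__":
    for where, value, in_default in find_shell_expansions(SUSPECT):
        print(f"REJECT {where}: {value!r} (parameter default: {in_default})")
    print("clean catalog ok:", safe_to_load(CLEAN))
```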
Details
- CVE ID: CVE-2026-33310
- Severity: High
- CVSS Score: 8.8
- Type: command_injection
- Status: unconfirmed
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H