CVE-2026-43990 - Vulnerability Analysis
HighCVSS: 8.4Last Updated: May 12, 2026
JunoClaw - Command Injection
Overview
JunoClaw plugin-shell before 0.x.y-security-1 contains a command injection caused by wrapping agent-supplied commands in shell parser, letting attackers execute arbitrary shell commands, exploit requires agent-supplied input.
Severity & Score
Impact
Attackers can execute arbitrary shell commands, potentially leading to full system compromise.
Mitigation
Update to version 0.x.y-security-1 or later.
References
Social Media Activity(2 posts)
š CVE-2026-43990 - High (8.4) JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell me... š https://www.thehackerwire.com/vulnerability/CVE-2026-43990/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š CVE-2026-43990 - High (8.4) JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell me... š https://www.thehackerwire.com/vulnerability/CVE-2026-43990/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-43990
- Severity
- High
- CVSS Score
- 8.4
- Type
- command_injection
- Status
- new
- EPSS
- 0.0%
- Social Posts
- 2
CWE
- CWE-77
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H