CVE-2026-29042
Severity: HIGH · EPSS: 81.6%
Published: Mar 6, 2026 (4 months ago) · Modified: Mar 10, 2026 (3 months ago)
CVSS 4.0 base score: 8.9
Description
Nuclio is a "serverless" framework for real-time events and data processing. Prior to version 1.15.20, the Nuclio shell runtime contains a command injection vulnerability in how it processes user-supplied arguments: when a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments request header and incorporates its value directly into the shell command it executes, without any validation or sanitization. The issue is patched in version 1.15.20.
CVSS Details
Base score: 8.9 (CVSS 4.0)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X
Threat Intelligence
EPSS exploit probability: 81.6% percentile
Exploit & Patch Status
- Public exploit known
- Patch available
Weaknesses (1)
- CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| iguazio | nuclio | * | <1.15.20 |
References (4)
- github.com https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a
- github.com https://github.com/nuclio/nuclio/pull/4030
- github.com https://github.com/nuclio/nuclio/releases/tag/1.15.20
- github.com https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27
Remediation
- github.com https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a
- github.com https://github.com/nuclio/nuclio/pull/4030