CVE-2026-29042

HIGH EPSS 81.6%
Published Mar 6, 2026 (4 months ago) · Modified Mar 10, 2026 (3 months ago)
8.9 CVSS 4.0
High

Description

Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments header and directly incorporates its value into shell commands without any validation or sanitization. This issue has been patched in version 1.15.20.

CVSS Details

Base Score
8.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
81.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-75

Affected Products 1

Vendor   Product  Version  Range
iguazio  nuclio   *        <1.15.20

References 4

  • github.com https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a
    Patch
  • github.com https://github.com/nuclio/nuclio/pull/4030
    Issue Tracking, Patch
  • github.com https://github.com/nuclio/nuclio/releases/tag/1.15.20
    Product, Release Notes
  • github.com https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27
    Exploit, Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a
    Patch
  • github.com https://github.com/nuclio/nuclio/pull/4030
    Issue Tracking, Patch