CVE-2026-31246

MEDIUM EPSS 48.7%
Published May 11, 20261mo ago · Modified Jun 17, 20262w ago
6.5 CVSS 3.1
Medium
Find Similar
Published May 11, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run() method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper validation. The user-supplied input is directly passed to asyncio.create_subprocess_shell() for execution. This allows an attacker to replace the intended command with arbitrary shell commands, leading to remote code execution with the privileges of the GPT-Pilot process.

CVSS Details

Base Score
6.5
Exploitability
3.9
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
48.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

References 2

  • github.com https://github.com/Pythagora-io/gpt-pilot
  • notion.so https://www.notion.so/CVE-2026-31246-35d1e1393188812ea3c6c88ad28d3d57

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.