CVE-2026-26068 CRITICAL

CVE-2026-26068: emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection)

Vendor Jm33-M0
Product emp3r0r
Weakness CWE-77
Published February 12, 2026
Last update February 13, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via /bin/sh -c. This enables command injection and remote code execution on the operator host. This vulnerability is fixed in 3.21.1.

Key dates

02Disclosure timeline

February 12, 2026 CVE published
February 13, 2026 Record updated