CVE-2026-43990 HIGH

CVE-2026-43990: JunoClaw: plugin-shell shell-metacharacter injection via shell wrapper

Vendor Dragonmonk111
Product junoclaw
Weakness CWE-77
Published May 12, 2026
Last update May 12, 2026

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell metacharacters in agent-supplied arguments to be interpreted as command syntax. This vulnerability is fixed in 0.x.y-security-1.

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated