Vulnerability Description
Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Intake | Intake | < 2.0.9 |
Related Weaknesses (CWE)
References
- https://github.com/intake/intake/commit/d0c0b6b57c1cb3f73880655ded4a9b0e18e1fd1bPatch
- https://github.com/intake/intake/security/advisories/GHSA-37g4-qqqv-7m99ExploitVendor Advisory
FAQ
What is CVE-2026-33310?
CVE-2026-33310 is a vulnerability with a CVSS score of 8.8 (HIGH). Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during t...
How severe is CVE-2026-33310?
CVE-2026-33310 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33310?
Check the references section above for vendor advisories and patch information. Affected products include: Intake Intake.