Vulnerability Description
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell metacharacters in agent-supplied arguments to be interpreted as command syntax. This vulnerability is fixed in 0.x.y-security-1.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/Dragonmonk111/junoclaw/commit/2bc54f6
- https://github.com/Dragonmonk111/junoclaw/releases/tag/v0.x.y-security-1
- https://github.com/Dragonmonk111/junoclaw/security/advisories/GHSA-gpvm-3chf-264
FAQ
What is CVE-2026-43990?
CVE-2026-43990 is a vulnerability with a CVSS score of 8.4 (HIGH). JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument ...
How severe is CVE-2026-43990?
CVE-2026-43990 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-43990?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.