
Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appea…

Published:

23 March 2026 at 23:00:00

Alert date:

24 March 2026 at 15:05:59

Source:

nvd.nist.gov


Supply Chain & Dependencies

The Intake data package prior to version 2.0.9 contains a command injection vulnerability: shell() syntax within parameter default values is automatically expanded during catalog parsing. A malicious catalog YAML file can therefore execute embedded commands on the host system when it is accessed. The vulnerability is triggered when a user loads an untrusted catalog containing shell(<command>) parameter defaults. Version 2.0.9 fixes the issue by setting getshell to False by default. This represents a significant security risk for data analysis environments using the Intake package.
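A pre-load audit for the condition described above, as an added example that is not part of the advisory or of Intake's own code: it checks whether the installed intake release is older than 2.0.9 and lists every shell(...) expression in a catalog's text before the catalog is opened. The sample catalog and its sources/parameters layout are constructed assumptions, and the function names are hypothetical.

```python
import re
from importlib import metadata

FIXED = (2, 0, 9)  # first fixed release named in the advisory
SHELL_RE = re.compile(r"shell\((?P<cmd>[^)]*)\)")

# Constructed sample; the sources/parameters layout is an assumption.
SAMPLE_CATALOG = """\
sources:
  example:
    parameters:
      token:
        type: str
        default: shell(echo constructed-marker)
      region:
        type: str
        default: eu-west  # not shell(expanded), only a comment
"""

def is_vulnerable(version):
    """True if the numeric part of `version` is lower than 2.0.9."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED

def installed_intake_version():
    """Version of the installed intake distribution, or None if absent."""
    try:
        return metadata.version("intake")
    except metadata.PackageNotFoundError:
        return None

def find_shell_defaults(catalog_text):
    """Return (line_no, key, command) for each shell(...) outside comments."""
    findings = []
    for line_no, line in enumerate(catalog_text.splitlines(), 1):
        code = line.split(" #", 1)[0]      # heuristic: drop trailing comment
        if code.lstrip().startswith("#"):
            continue
        match = SHELL_RE.search(code)
        if match:
            key = code[:match.start()].rpartition(":")[0].strip(" -")
            findings.append((line_no, key, match.group("cmd").strip()))
    return findings

if __name__ == "__main__":
    version = installed_intake_version()
    print("intake:", version, "vulnerable:", bool(version) and is_vulnerable(version))
    for line_no, key, cmd in find_shell_defaults(SAMPLE_CATALOG):
        print(f"line {line_no}: {key!r} would run {cmd!r} on a pre-2.0.9 load")
```

The scan is text-based, so it reads the catalog without parsing or loading it; any finding in a catalog from an untrusted source is a reason not to open it with a release older than 2.0.9.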

Technical details

Mitigation steps:

Affected products:

Intake

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
