


Perceptive Security
SOC/SIEM Consultancy

@pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts co…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 15:06:57
Source:
nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
The @pensar/apex package, versions 0.0.58 and below, contains an OS command injection vulnerability in the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts builds shell commands by concatenating unsanitized user input from the extensions array and the url parameter. The resulting string is passed directly to the Node.js child_process.exec() function, which spawns a shell that interprets shell metacharacters. This allows attackers to execute arbitrary OS commands with the privileges of the running process.
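The pattern described above, next to a hardened form, as an added example that is not code from @pensar/apex or from this advisory. The function names, the `scanner` placeholder, the extension allowlist and the sample inputs are assumptions, and the current `node` binary stands in for the real enumeration tool so the argument handling can be observed offline.

```javascript
// Added example: constructed names and inputs, not code from @pensar/apex.
const { execFileSync } = require("node:child_process");

const EXT_RE = /^[A-Za-z0-9]{1,10}$/; // assumed allowlist for file extensions

// Vulnerable pattern from the advisory: one string that exec() would hand to a
// shell. Returned for inspection only; this example never executes it.
function buildShellCommand(url, extensions) {
  return `scanner ${url} ${extensions.join(",")}`; // "scanner" is a placeholder
}

function validateUrl(raw) {
  const u = new URL(raw); // throws TypeError on malformed input
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new RangeError("only http(s) URLs are accepted");
  }
  return u.href; // may still contain ';' or '$', harmless without a shell
}

function validateExtensions(extensions) {
  if (!Array.isArray(extensions) || extensions.length === 0) {
    throw new TypeError("extensions must be a non-empty array");
  }
  return extensions.map((e) => {
    if (typeof e !== "string" || !EXT_RE.test(e)) {
      throw new RangeError(`rejected extension: ${JSON.stringify(e)}`);
    }
    return e;
  });
}

// Hardened pattern: validated values become separate argv entries.
function buildArgv(url, extensions) {
  return [validateUrl(url), validateExtensions(extensions).join(",")];
}

// The stand-in child echoes the argv it received. execFileSync starts the
// program directly, so no shell ever parses the arguments.
function runEnumerate(url, extensions) {
  const echo = "console.log(JSON.stringify(process.argv.slice(1)))";
  const args = ["-e", echo, ...buildArgv(url, extensions)];
  return JSON.parse(execFileSync(process.execPath, args, { encoding: "utf8" }));
}
```

Validation alone is not the fix here: the URL check still lets `;` through in a path, and it is the argument array passed without a shell that keeps that character inert.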
Technical details
Mitigation steps:
Affected products:
@pensar/apex
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-36044
https://gist.github.com/NucleiAv/47e87da08b90ef464fd9b35affe578fb
https://www.npmjs.com/package/@pensar/apex
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
