


Perceptive Security
SOC/SIEM Consultancy

uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution o…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 23:01:09
Source:
nvd.nist.gov
Supply Chain & Dependencies, Security Tools
A critical command injection vulnerability (CVE-2026-45152) was discovered in uniget, a universal installer and updater for container tools. The vulnerability exists in versions prior to 0.27.1 due to unsafe execution of the check field from metadata files using /bin/bash -c. Attackers can craft malicious JSON metadata that executes arbitrary shell commands when common uniget operations like describe, install, update, or inspect are performed. The vulnerability leads to arbitrary code execution with the privileges of the user running uniget. The issue stems from loading the check field directly from untrusted JSON metadata without proper validation or sanitization. This vulnerability has been fixed in version 0.27.1.
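The pattern described above, a `check` string from metadata reaching `/bin/bash -c`, can be avoided by refusing shell syntax and executing an argv vector directly. The Go example below is added here and is not uniget's code or its 0.27.1 fix; the `tools`/`name`/`check` JSON layout, the allowlist, and the rule that a check must invoke the tool's own binary are assumptions, and the sample metadata is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// tool is an assumed metadata shape; the advisory names only the "check" field.
type tool struct {
	Name  string `json:"name"`
	Check string `json:"check"`
}

// Allowlist of plain words, paths and flags; shell syntax falls outside it.
var safeCheck = regexp.MustCompile(`^[A-Za-z0-9 ._/=:,+@-]+$`)

// checkCmd builds a shell-free command from an untrusted check, or refuses it.
func checkCmd(name, check string) (*exec.Cmd, error) {
	argv := strings.Fields(check)
	if !safeCheck.MatchString(check) || len(argv) == 0 || argv[0] != name {
		return nil, fmt.Errorf("%s: check refused (shell syntax or foreign binary)", name)
	}
	return exec.Command(argv[0], argv[1:]...), nil // argv exec, no /bin/bash -c
}

// auditMetadata returns the names of tools whose non-empty check is refused.
func auditMetadata(raw []byte) ([]string, error) {
	var m struct{ Tools []tool `json:"tools"` }
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	var refused []string
	for _, t := range m.Tools {
		if _, err := checkCmd(t.Name, t.Check); t.Check != "" && err != nil {
			refused = append(refused, t.Name)
		}
	}
	return refused, nil
}

// Constructed sample metadata, not taken from any real registry.
const sample = `{"tools":[{"name":"alpha","check":"alpha --version"},
 {"name":"beta","check":"beta --version; echo INJECTED"},{"name":"gamma"}]}`

func main() {
	fmt.Println(auditMetadata([]byte(sample)))
}
```

A check that needs pipes or variable expansion is refused under this policy and would have to be restated as a plain command.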
Technical details
Affected products:
uniget
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45152
https://github.com/uniget-org/cli/security/advisories/GHSA-qqq4-5773-pmw5
This article was created with the assistance of AI technology by Perceptive.
