Katana Network’s Development Starter Kit contains a command injection flaw in its executeCommand method due to missing validation of user‑supplied strings before they are passed to a system call. This weakness allows an attacker to insert arbitrary command syntax, causing the service to run the injected commands with the privileges of the service account. The result is full compromise of the affected installation. The vulnerability is straightforward to exploit because authentication is not required.

The affected product is the Katana Network Development Starter Kit. No specific version details are provided in the advisory, so all installations of the developer kit are presumed vulnerable until a patched release is obtained or a workaround is applied.

The CVSS score of 9.8 indicates critical severity. The EPSS score of 1% reflects a moderate probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote over the network; attackers need no credentials to trigger the flaw, making it highly vulnerable for both internal and external threat actors. Successful exploitation would grant unrestricted access to the service environment, enabling lateral movement or further compromise of the host system.