Description
Arduino App Lab is a cross-platform IDE for developing Arduino Apps. Prior to 0.4.0, a vulnerability was identified in the Terminal component of the arduino-app-lab application. The issue stems from insufficient sanitization and validation of input data received from connected hardware devices, specifically in the _info.Serial and _info.Address metadata fields. The problem occurs during device information handling. When a board is connected, the application collects identifying attributes to establish a terminal session. Because strict validation is not enforced for the Serial and Address parameters, an attacker with control over the connected hardware can supply specially crafted strings containing shell metacharacters. The exploitation requires direct physical access to a previously tampered board. When the host system processes these fields, any injected payload is executed with the privileges of the user running arduino-app-lab. This vulnerability is fixed in 0.4.0.
Published: 2026-02-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command execution
Action: Apply patch
AI Analysis

Impact

The vulnerability in Arduino App Lab arises from insufficient validation of input data received from connected hardware, specifically the _info.Serial and _info.Address metadata fields used during device information handling. Because these fields do not enforce strict sanitization, an attacker who controls the connected board can supply specially crafted strings that include shell metacharacters. When the host system processes these values, the injected payload is executed with the privileges of the user running Arduino App Lab, exposing the host operating system to command execution that effectively bypasses normal application constraints.

Affected Systems

The affected product is Arduino App Lab, all versions prior to 0.4.0; the vendor and product are identified as arduino:arduino-app-lab, with every variant of the product in scope. The vulnerability was fixed in release 0.4.0, so installations of that version or later are not impacted.

Risk and Exploitability

The CVSS Base Score of 6.9 indicates moderate severity, and the EPSS score of less than 1% reflects a very low probability of exploitation in the wild. The vulnerability is not included in the CISA KEV catalog. Exploitation requires direct physical access to a compromised or tampered board, which is then connected to a host running a vulnerable version of Arduino App Lab. Once the connection is established, the host processes the injected shell metacharacters, resulting in command execution under the context of the user running the application. Given the moderate CVSS score, low EPSS, and the requirement for physical access, the overall risk to systems is moderate, but any compromised board could lead to local code execution on the host machine.

Generated by OpenCVE AI on April 17, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Arduino App Lab to version 0.4.0 or later where the command injection issue is resolved.
  • If an upgrade is not immediately possible, disable the Terminal component or prevent the application from processing metadata from untrusted hardware devices by restricting physical access to the board.
  • Apply custom input validation or patch the source code to escape or reject shell metacharacters in the _info.Serial and _info.Address fields before they are executed by the host system.
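As an added illustration of the third recommendation (example code written for this page, not taken from the arduino-app-lab project), the following Python validates the Serial and Address fields against an allowlist before they reach any command, and builds the helper invocation as an argument list so that no shell ever interprets them. The helper name `terminal-helper`, the allowlist patterns and the sample board records are assumptions for this example.

```python
import re
import shlex

# Allowlists for board metadata (assumptions for this example): serial numbers are
# alphanumeric plus ._- ; addresses are /dev/tty* paths, COMn names or hostnames/IPv4.
SERIAL_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
ADDRESS_RE = re.compile(r"^(/dev/[A-Za-z0-9._-]+|COM[0-9]{1,3}|[A-Za-z0-9.-]{1,253})$")

# Characters that let a value break out of its argument when pasted into a shell string.
SHELL_META = set("|&;<>()$`\\\"' \t\n*?[]#~{}!")

# Constructed sample records in the shape of the _info fields named in the advisory.
GOOD_BOARD = {"Serial": "ABC123DEF456", "Address": "/dev/ttyACM0"}
TAMPERED_BOARD = {"Serial": "ABC123; echo injected", "Address": "/dev/ttyACM0"}


def shell_metacharacters(value: str) -> set:
    """Return the shell metacharacters found in value, for logging rejected boards."""
    return {c for c in value if c in SHELL_META}


def validate_device_info(info: dict) -> dict:
    """Reject Serial/Address values outside the allowlist; return a cleaned copy."""
    serial, address = info.get("Serial", ""), info.get("Address", "")
    if not SERIAL_RE.fullmatch(serial):
        raise ValueError(f"rejected Serial {serial!r}: {sorted(shell_metacharacters(serial))}")
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError(f"rejected Address {address!r}: {sorted(shell_metacharacters(address))}")
    return {"Serial": serial, "Address": address}


def is_safe_device_info(info: dict) -> bool:
    """Boolean form of validate_device_info, for callers that only gate on the result."""
    try:
        validate_device_info(info)
        return True
    except ValueError:
        return False


def build_terminal_argv(info: dict) -> list:
    """Build the argv for a hypothetical terminal helper. An argv list goes to the OS
    with no shell in between, so a metacharacter cannot chain or split commands."""
    clean = validate_device_info(info)
    return ["terminal-helper", "--serial", clean["Serial"], "--address", clean["Address"]]


def build_terminal_command_line(info: dict) -> str:
    """Only if a single shell string is unavoidable: quote every validated argument."""
    return " ".join(shlex.quote(arg) for arg in build_terminal_argv(info))
```

Pass the argv list to `subprocess.run` (or the platform equivalent) rather than a shell string; the quoted form exists only for legacy paths that still concatenate a command line.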

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Arduino app Lab
CPEs | | cpe:2.3:a:arduino:app_lab:*:*:*:*:*:*:*:*
Vendors & Products | | Arduino app Lab

Fri, 13 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Arduino; Arduino arduino-app-lab
Vendors & Products | | Arduino; Arduino arduino-app-lab

Thu, 12 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | (the Description text shown at the top of this page)
Title | | Arduino App Lab has Improper Data Validation in Internal Terminal Interface
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 6.9, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T20:58:56.862Z

Reserved: 2026-02-09T16:22:17.786Z

Link: CVE-2026-25933

Vulnrichment

Updated: 2026-02-12T20:58:46.304Z

NVD

Status : Analyzed

Published: 2026-02-12T20:16:11.067

Modified: 2026-02-19T21:30:53.170

Link: CVE-2026-25933

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses