Description
Syntx's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails to account for standard Shell command substitution syntax (specifically $(...)and backticks ...). An attacker can construct a command such as git log --grep="$(malicious_command)", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction.
Published: 2026-03-30
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Syntx auto‑approval module relies on fragile regular expressions to whitelist command structures, but it does not filter standard shell substitution syntax such as $(…) or backticks. An attacker can craft a command like git log --grep="$(malicious_command)" that the module mistakenly treats as a safe Git operation and automatically approves it. The underlying shell then executes the injected code, giving the attacker arbitrary execution privileges on the host. This flaw is a classic command injection vulnerability, classified as CWE‑94, and leads to complete compromise of confidentiality, integrity and availability of the affected system.

Affected Systems

The vulnerability is present in the Syntx application from OrangeCat, as identified by the corresponding CPE. All releases that include the auto‑approval command module are potentially affected; specific version information is not provided, so any Syntx deployment should be considered at risk until verified otherwise.

Risk and Exploitability

With a CVSS score of 9.8 the flaw is considered catastrophic, enabling attackers to gain system‑level control. The EPSS score of less than 1% suggests that widespread exploitation is currently low, but the high severity and lack of a KEV listing do not mitigate the potential for targeted attacks. Exploitation likely occurs by submitting maliciously crafted commands to the auto‑approval interface, causing the shell to execute the payload without user interaction. The impact would be uncontrolled remote code execution.

Generated by OpenCVE AI on April 8, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Syntx patch that corrects the auto‑approval regex and disallows shell substitution syntax.
  • If a patch is unavailable, disable the auto‑approval feature or restrict it to a tightly defined whitelist of safe commands.
  • Sanitize and validate all command inputs to ensure that shell substitution characters are prohibited.
  • Configure the Syntx process to run with the minimum necessary privileges, limiting the scope of any potential exploitation.
  • Monitor and audit command execution logs for anomalous patterns and set up alerts for suspicious activity.

Generated by OpenCVE AI on April 8, 2026 at 17:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Command Injection via Auto‑Approval in Syntx

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Orangecat
Orangecat syntx
CPEs cpe:2.3:a:orangecat:syntx:*:*:*:*:*:*:*:*
Vendors & Products Orangecat
Orangecat syntx

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Command Injection via Auto‑Approval in Syntx
First Time appeared Syntx
Syntx command Auto Approval Module
Vendors & Products Syntx
Syntx command Auto Approval Module

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection via Weak Shell Parsing in Syntx Command Auto-Approval
Weaknesses CWE-78

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection via Weak Shell Parsing in Syntx Command Auto-Approval
Weaknesses CWE-78

Mon, 30 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description Syntx's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails to account for standard Shell command substitution syntax (specifically $(...)and backticks ...). An attacker can construct a command such as git log --grep="$(malicious_command)", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction.
References

Subscriptions

Orangecat Syntx
Syntx Command Auto Approval Module
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T17:54:58.551Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30305

cve-icon Vulnrichment

Updated: 2026-04-01T17:54:51.314Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T20:16:21.087

Modified: 2026-04-08T16:01:38.553

Link: CVE-2026-30305

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:50Z

Weaknesses