Description
InfCode's terminal auto-execution module contains a critical command filtering vulnerability that renders its blacklist security mechanism completely ineffective. The predefined blocklist fails to cover native high-risk commands in Windows PowerShell (such as powershell itself), and the matching algorithm performs no semantic parsing, so it cannot recognize string concatenation, variable assignment, or double-quote interpolation in shell syntax. Malicious commands can therefore bypass interception through simple syntax obfuscation. An attacker can construct a file containing malicious instructions for code injection. When a user imports and views such a file in the IDE, the Agent executes dangerous PowerShell commands outside the blacklist without user confirmation, resulting in arbitrary command execution or sensitive data leakage.
Published: 2026-03-31
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary PowerShell command execution
Action: Assess Impact
AI Analysis

Impact

A flaw in InfCode's terminal auto-execution module renders its command blacklist ineffective, allowing malicious PowerShell commands to run without user confirmation. The filter is a static match against a predefined blocklist: it does not name high-risk native hosts such as powershell, and it does not parse the command text, so string concatenation, variable assignment, or double-quote interpolation hides a blocked command name from it. An attacker embeds such commands in a file; when the user imports and views that file in the IDE, the Agent executes them in the context of the IDE user, giving arbitrary command execution or sensitive data leakage.
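The bypass classes named in the description and the impact paragraph (string concatenation, variable assignment, double-quote interpolation, and a native host such as powershell that the list never names) all defeat the same thing: a substring match over the raw command text. The following is an added example, not InfCode's code or OpenCVE's; the blocklist entries, the obfuscated commands, and the allowlist are constructed to illustrate the failure mode and a sounder alternative (exact-name allowlisting of each pipeline segment, with everything else sent to the user for confirmation).

```python
"""Why a substring blocklist on shell text is not a security boundary.

Added example, not the product's own filter. Everything below is
constructed: the blocklist mirrors the style the CVE criticises (it names
a few dangerous cmdlets but never the `powershell`/`pwsh` hosts), the
bypasses use the obfuscation classes the description lists, and the
allowlist is a placeholder a real deployment would tune.
"""
import re

# Constructed blocklist, lower-cased for matching.
BLOCKLIST = ("remove-item", "invoke-expression", "rm -rf", "format-volume")


def naive_blocked(command: str) -> bool:
    """Case-insensitive substring match: the vulnerable approach."""
    low = command.lower()
    return any(bad in low for bad in BLOCKLIST)


# Four ways to express a blocked intent without ever writing a blocklist
# entry as a contiguous substring. naive_blocked() passes every one.
BYPASSES = {
    "concat":   '& ("Remove" + "-Item") -Recurse -Force .',
    "variable": '$c = "Remove-It"; $c += "em"; & $c -Recurse -Force .',
    "interp":   '$v = "ove"; & "Rem$v-Item" -Recurse -Force .',
    # The host binary itself is simply absent from the list.
    "host":     "powershell -NoProfile -EncodedCommand <base64>",
}

# Hardened direction: name what may run, not what may not.
ALLOWLIST = frozenset({"git", "ls", "dir", "cat", "type", "npm", "dotnet", "python"})

# Any of these means the segment's meaning cannot be read off the text:
# variable expansion, the call operator, subexpressions, escaping, and
# quoting (refused because the splitter below is not a real parser and a
# quoted ';' or '|' would defeat it).
DYNAMIC = re.compile(r'[$&`()"\']|\biex\b|\binvoke-expression\b', re.IGNORECASE)
SEPARATORS = re.compile(r"\s*(?:\|\||&&|[|;])\s*")


def classify(command: str) -> str:
    """Return 'allow' only when every pipeline segment starts with an
    allowlisted command name and contains no dynamic syntax; anything
    else is 'confirm', i.e. shown to the user before execution."""
    for segment in SEPARATORS.split(command.strip()):
        if not segment:                      # empty segment, e.g. trailing ';'
            return "confirm"
        if DYNAMIC.search(segment):
            return "confirm"
        head = segment.split(None, 1)[0].lower()
        if head not in ALLOWLIST:            # exact name, not substring
            return "confirm"
    return "allow"


if __name__ == "__main__":
    for name, cmd in BYPASSES.items():
        print(f"{name:8} blocked={naive_blocked(cmd)!s:5} classify={classify(cmd)}")
```

The point of classify() is not that its regexes are complete (they are not, and a production filter would hand the text to a real PowerShell parser or, better, never auto-execute at all) but that it fails closed: an expression it cannot fully understand goes to the user instead of to the shell.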

Affected Systems

Tokfinity InfCode. The CPE entry (cpe:2.3:a:tokfinity:infcode:*:*:*:*:*:*:*:*) carries no version bounds and the record names no affected or fixed version, so every release that includes the terminal auto-execution module should be treated as affected until the vendor states otherwise.

Risk and Exploitability

The CVSS v3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 7.8 High) describes a local attack that needs no privileges but does require the user to open a crafted file, with high impact on confidentiality, integrity and availability. The SSVC assessment records a public proof of concept (Exploitation: poc) and total technical impact, but rates the attack as not automatable. The <1% EPSS score and absence from the CISA KEV catalog indicate no observed in-the-wild exploitation. The practical vector is a crafted file that the user is induced to import into the IDE; no network-reachable entry point is described.

Generated by OpenCVE AI on April 14, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Confirm whether your InfCode installation includes the terminal auto‑execution module and apply the vendor's fix as soon as one is released; none is available at the time of writing.
  • Until then, disable terminal auto‑execution or, if the product allows it, require explicit user confirmation for every command the Agent proposes; a blocklist of command names is not an adequate control, and any allowlist should match exact command names rather than substrings.
  • Treat files from untrusted sources (repositories, attachments, shared projects) as hostile input to the Agent, and monitor process creation for PowerShell or other shell hosts spawned by the IDE process.
  • Contact Tokfinity support for specific advisories or mitigations and watch for security announcements.
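The monitoring point in the list above is concrete enough to turn into a rule: an IDE or its agent spawning a shell host, especially with encoded or download-and-execute arguments, is the observable side effect of this bug. The following is an added example, not OpenCVE's or Tokfinity's tooling. The parent image name `infcode.exe` is a placeholder assumption (the page does not name the process), and the events are constructed Sysmon-style process-creation records.

```python
"""Detection sketch: flag shell hosts launched by the IDE/agent process.

Added example. IDE_PARENTS is a hypothetical process name to be replaced
with whatever the installed IDE actually runs as; EVENTS are constructed
records in the shape of Sysmon Event ID 1 (process create).
"""
import re
from pathlib import PureWindowsPath

IDE_PARENTS = {"infcode.exe"}                     # placeholder; confirm locally
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"-e(?:nc(?:odedcommand)?)?\s|"               # -e / -enc / -EncodedCommand
    r"-nop(?:rofile)?\b|"                         # -nop / -NoProfile
    r"\biex\b|invoke-expression|"
    r"downloadstring|invoke-webrequest|\biwr\b",
    re.IGNORECASE,
)

# Constructed events (not real telemetry).
EVENTS = [
    {"ProcessId": 101, "ParentImage": r"C:\Program Files\InfCode\infcode.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand <base64>"},
    {"ProcessId": 102, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},            # user opened a console
    {"ProcessId": 103, "ParentImage": r"C:\Program Files\InfCode\infcode.exe",
     "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": "git.exe status"},            # expected agent activity
    {"ProcessId": 104, "ParentImage": r"C:\Program Files\InfCode\infcode.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},            # shell from IDE, benign args
    {"ProcessId": 105, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -nop -w hidden -enc <base64>"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def score(event: dict) -> list[str]:
    """Return the reasons an event is interesting; empty list means none."""
    reasons = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    if image in SHELL_HOSTS and parent in IDE_PARENTS:
        reasons.append("shell host spawned by IDE/agent process")
    if image in SHELL_HOSTS and SUSPICIOUS_ARGS.search(event["CommandLine"]):
        reasons.append("suspicious PowerShell arguments")
    return reasons


def detect(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(ProcessId, reasons) for every event with at least one reason."""
    hits = []
    for event in events:
        reasons = score(event)
        if reasons:
            hits.append((event["ProcessId"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS):
        print(pid, "; ".join(reasons))
```

Event 104 is the one worth discussing with the team: a shell spawned by the IDE with harmless-looking arguments is exactly what a bypassed filter produces, so the parent-process condition alone should page someone while the auto-execution feature is enabled, and be downgraded to audit-only once it is disabled.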


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Title InfCode Terminal Auto‑Execution Vulnerability Allowing Arbitrary PowerShell Command Execution

Tue, 14 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:tokfinity:infcode:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Tokfinity, Tokfinity infcode
Vendors & Products Tokfinity, Tokfinity infcode

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title InfCode Terminal Auto‑Execution Vulnerability Allowing Arbitrary PowerShell Command Execution

Tue, 31 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
Metrics cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description InfCode's terminal auto-execution module contains a critical command filtering vulnerability that renders its blacklist security mechanism completely ineffective. The predefined blocklist fails to cover native high-risk commands in Windows PowerShell (such as powershell), and the matching algorithm lacks dynamic semantic parsing unable to recognize string concatenation, variable assignment, or double-quote interpolation in Shell syntax. Malicious commands can bypass interception through simple syntax obfuscation. An attacker can construct a file containing malicious instructions for remote code injection. When a user imports and views such a file in the IDE, the Agent executes dangerous PowerShell commands outside the blacklist without user confirmation, resulting in arbitrary command execution or sensitive data leakage.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-31T15:15:28.893Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30309

Vulnrichment

Updated: 2026-03-31T15:11:13.504Z

NVD

Status : Analyzed

Published: 2026-03-31T15:16:12.863

Modified: 2026-04-14T15:49:43.420

Link: CVE-2026-30309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses