Description
In its design for automatic terminal command execution, Sixth offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
Published: 2026-03-31
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

The flaw lies in the way the LLM tool named Sixth classifies commands as safe or unsafe before execution. The design allows the model to decide whether a command is safe, and only requires user approval for potentially destructive commands. Experienced attackers can inject prompts that trick the model into misclassifying a malicious instruction as safe. This misclassification bypasses the user approval gate and causes the tool to execute the command automatically. The vulnerability is an instance of OS Command Injection (CWE‑77) and can grant an attacker unrestricted ability to run arbitrary commands on the host system, jeopardizing confidentiality, integrity, and availability.

Affected Systems

The issue impacts installations of the tool Sixth that have the automatic command execution feature enabled. No specific vendor, product, or version details are provided, so any deployment of Sixth carrying this feature is potentially exposed.

Risk and Exploitability

The vulnerability has a CVSS score of 9.8, indicating a very high severity. The EPSS score is below 1%, suggesting low current exploitation probability, yet the flaw remains practical for attackers skilled in prompt injection. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted prompt that influences the model’s safety classification logic, after which arbitrary shell commands are executed with the tool’s runtime privileges.

Generated by OpenCVE AI on April 2, 2026 at 23:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable automatic command execution in Sixth and enforce manual approval for all commands
  • Apply a vendor patch or update for Sixth as soon as it becomes available
  • Restrict the model’s input space to eliminate untrusted prompts or implement a prompt sanitization layer
  • Apply the principle of least privilege to the process executing commands from Sixth
  • Monitor vendor advisories for updates or additional mitigation guidance
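The first recommended action, sketched as an added example (this is not Sixth's code, nor OpenCVE's): an approval gate that decides from the command text alone, so the model's own "safe" verdict can add an approval prompt but never remove one. The allowlist, the function names and the sample commands are assumptions constructed for illustration.

```python
import shlex

# Assumed allowlist of read-only programs (illustrative; not taken from Sixth).
READ_ONLY = {"ls", "pwd", "cat", "head", "tail", "wc", "whoami"}
# Characters that let one string chain commands, substitute output or redirect I/O.
SHELL_META = set(";&|<>`$(){}\n\\")


def needs_approval(command: str) -> bool:
    """Return True unless the command is provably a single allowlisted program."""
    if any(ch in SHELL_META for ch in command):
        return True
    try:
        argv = shlex.split(command)
    except ValueError:
        # Unbalanced quotes: the shell would parse this differently than we do.
        return True
    if not argv:
        return True
    program = argv[0]
    if "/" in program:
        # An explicit path can point at any binary that shares an allowlisted name.
        return True
    return program not in READ_ONLY


def gate(command: str, model_says_safe: bool) -> str:
    """Return 'auto' or 'ask'. The model's verdict is advisory only:
    it can force an approval prompt but cannot waive one."""
    if needs_approval(command) or not model_says_safe:
        return "ask"
    return "auto"


if __name__ == "__main__":
    # Constructed sample inputs: (command, what the model claimed about it).
    samples = [
        ("ls -la", True),
        ("rm -rf build", True),      # model misclassified it; policy still asks
        ("ls; rm -rf build", True),  # chained command hidden behind a benign one
        ("cat notes.txt", False),
    ]
    for cmd, verdict in samples:
        print(f"{gate(cmd, verdict):4}  model_says_safe={verdict}  {cmd!r}")
```

Commands that pass the gate should be executed from the parsed argument list without a shell, under an account limited as the least-privilege action above describes.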



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title LLM Prompt Injection Misclassifies Safe Commands Leading to Arbitrary Command Execution
First Time appeared Trysixth
Trysixth sixth
Vendors & Products Trysixth
Trysixth sixth

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Automatic Command Execution in Sixth Vulnerable to Prompt Injection
Weaknesses CWE-20

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Automatic Command Execution in Sixth Vulnerable to Prompt Injection
Weaknesses CWE-20

Tue, 31 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description In its design for automatic terminal command execution, Sixth offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T18:39:56.827Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30310

Vulnrichment

Updated: 2026-04-01T18:39:52.985Z

NVD

Status: Awaiting Analysis

Published: 2026-03-31T14:16:11.390

Modified: 2026-04-01T19:16:30.307

Link: CVE-2026-30310

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:19:38Z

Weaknesses