Description
A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code via providing a crafted command parameter.
Published: 2026-04-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection flaw exists in the /devserver/start endpoint of the leonvanzyl autocoder. An attacker who can send a request to this endpoint can supply a specially crafted command parameter that the server will execute directly, leading to arbitrary code execution. This vulnerability corresponds to CWE‑77 and enables an attacker to run whatever system commands they choose, potentially compromising the entire host.

Affected Systems

The flaw affects installations running the leonvanzyl autocoder at commit 79d02a. No other versions or vendor products are listed, so the impact is confined to systems using that exact codebase.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, and although the EPSS score is not available, the lack of a KEV listing does not diminish the immediate risk. The attack can be performed remotely by sending an HTTP request with a malicious command parameter to the vulnerable endpoint, assuming the service is reachable from the network. Because the flaw allows execution of arbitrary commands, the attack surface is large and an exploit would likely succeed if the endpoint is publicly exposed.

Generated by OpenCVE AI on April 28, 2026 at 04:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a newer commit of the autocoder that removes the vulnerable command handling logic
  • If an upgrade is not feasible, restrict network access to the /devserver/start endpoint to trusted hosts only
  • Implement server‑side input validation to reject or escape untrusted command parameters, mitigating the command‑injection risk

Generated by OpenCVE AI on April 28, 2026 at 04:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Leonvanzyl
Leonvanzyl autocoder
Vendors & Products Leonvanzyl
Leonvanzyl autocoder

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 27 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code via providing a crafted command parameter.
References

Subscriptions

Leonvanzyl Autocoder
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T15:58:19.288Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30352

cve-icon Vulnrichment

Updated: 2026-04-27T15:56:16.939Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T16:16:43.597

Modified: 2026-04-27T19:18:46.690

Link: CVE-2026-30352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T09:17:33Z

Weaknesses