Description
The llm CLI tool through 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec() function without any sanitization, sandboxing, or security restrictions. An attacker can exploit this by crafting a malicious llm command with arbitrary Python code in the --functions argument and using social engineering to trick a victim into running it. This leads to arbitrary code execution on the victim's system, potentially granting the attacker full control.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The llm CLI tool, version 0.27.1, contains a vulnerability that allows arbitrary code execution. The tool accepts user‑supplied Python code through the --functions argument, which is passed directly to the exec() function without any sanitization or sandboxing. An attacker can create a malicious llm command line that includes arbitrary Python code in the --functions option and trick a user into running it, granting the attacker full control over the victim’s system.

Affected Systems

The affected product is the llm command‑line interface from github.com/simonw/llm, specifically any installation of version 0.27.1 or earlier that still includes the vulnerable code injection logic. No other vendors or product versions are known to be affected.

Risk and Exploitability

Because exec() evaluates code at runtime, the vulnerability provides a direct path to complete arbitrary code execution. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. However, the lack of sanitization and the reliance on exec() mean the exploitability is high, especially when combined with a social‑engineering prompt that convinces a user to run the crafted command. The primary attack vector is a user executing a malicious llm command, and the scope of impact spans the operating system level of the victim machine.

Generated by OpenCVE AI on May 12, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the llm tool to a version that removes the unsafe use of exec() or replaces the --functions functionality with a sandboxed implementation.
  • If an updated release is not available, disable or remove the --functions option in any scripts or automated jobs that invoke llm, ensuring that no untrusted code can be provided to the tool.
  • When running llm, execute the process inside a restricted environment (such as a container or virtual machine) and run it with the minimal privileges required for the task so that even if code injection occurs the damage is confined.
  • Implement input validation on the --functions argument, rejecting or sanitizing any code that contains potentially dangerous constructs before it reaches exec().
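
One way to carry out the second action above, as an added example that is not code from OpenCVE or from the llm project: a small audit that tokenises each line of a shell script and reports llm invocations that pass --functions. The helper name find_functions_usage, the sample job script and the model name in it are constructed for illustration.

```python
import os
import shlex

FLAG = "--functions"                      # option named in the advisory
OPERATORS = {"|", "||", "&&", ";", "&"}   # tokens that start a new command

def find_functions_usage(script_text):
    """Return [(line_no, value)] for llm invocations that pass --functions.

    value is the argument handed to the option, or None when the line could
    not be tokenised (for example a quoted argument spanning several lines).
    """
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            # Unbalanced quote: fall back to a coarse substring check.
            if "llm" in line and FLAG in line:
                findings.append((line_no, None))
            continue
        in_llm = False
        for i, tok in enumerate(tokens):
            if tok in OPERATORS:
                in_llm = False
            elif os.path.basename(tok) == "llm":
                in_llm = True
            elif in_llm and tok == FLAG:
                value = tokens[i + 1] if i + 1 < len(tokens) else None
                findings.append((line_no, value))
            elif in_llm and tok.startswith(FLAG + "="):
                findings.append((line_no, tok[len(FLAG) + 1:]))
    return findings

# Constructed sample job script, for illustration only.
SAMPLE = """\
#!/bin/sh
# nightly summary job
llm -m example-model 'summarise today' < notes.txt
cat report.txt | /usr/local/bin/llm --functions 'def rows(): return 3' 'count rows'
echo "--functions is mentioned here but llm is not invoked"
llm --functions '
def add(a, b):
    return a + b
' 'what is 2 + 3'
"""

if __name__ == "__main__":
    for line_no, value in find_functions_usage(SAMPLE):
        print(f"line {line_no}: --functions argument = {value!r}")
```

A finding with value None means the argument spans several lines and needs manual review.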

Advisories

No advisories yet.

History

Tue, 12 May 2026 18:45:00 +0000

Title added: Python Code Injection via llm CLI --functions Argument
Weaknesses added: CWE-94

Tue, 12 May 2026 17:30:00 +0000

Description added: same text as the Description at the top of this page.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T17:12:23.080Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31236

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:16:51.977

Modified: 2026-05-12T18:16:51.977

Link: CVE-2026-31236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:30:22Z

Weaknesses