Description
The llm CLI tool through 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec() function without any sanitization, sandboxing, or security restrictions. An attacker can exploit this by crafting a malicious llm command with arbitrary Python code in the --functions argument and using social engineering to trick a victim into running it. This leads to arbitrary code execution on the victim's system, potentially granting the attacker full control.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The llm CLI tool, through version 0.27.1, contains a vulnerability that allows arbitrary code execution. The tool accepts user-supplied Python code through the --functions argument and passes it directly to the exec() function without any sanitization or sandboxing. An attacker can create a malicious llm command line that includes arbitrary Python code in the --functions option and trick a user into running it, granting the attacker full control over the victim's system.

Affected Systems

The affected product is the llm command‑line interface from github.com/simonw/llm, specifically any installation of version 0.27.1 or earlier that still includes the vulnerable code injection logic. No other vendors or product versions are known to be affected.

Risk and Exploitability

Because exec() evaluates code at runtime, the vulnerability provides a direct path to complete arbitrary code execution. The EPSS score is < 1%, and the issue is not listed in the CISA KEV catalog. However, the lack of sanitization and the reliance on exec() mean the exploitability is high, especially when combined with a social‑engineering prompt that convinces a user to run the crafted command. The primary attack vector is a user executing a malicious llm command, and the scope of impact spans the operating system level of the victim machine.

Generated by OpenCVE AI on May 14, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the llm tool to a version that removes the unsafe use of exec() or replaces the --functions functionality with a sandboxed implementation.
  • If an updated release is not available, disable or remove the --functions option in any scripts or automated jobs that invoke llm, ensuring that no untrusted code can be provided to the tool.
  • When running llm, execute the process inside a restricted environment (such as a container or virtual machine) and run it with the minimal privileges required for the task so that even if code injection occurs the damage is confined.
  • Implement input validation on the --functions argument, rejecting or sanitizing any code that contains potentially dangerous constructs before it reaches exec().
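
One way to carry out the second recommended action, finding every scripted llm call that passes --functions so it can be reviewed or removed. This is an added example, not code from OpenCVE or the llm project; the sample job, the REVIEW_HELPERS variable and the example-model name are constructed, and the literal/dynamic label is a heuristic.

```python
import os
import shlex

FLAG = "--functions"                      # option named in the advisory
SEPARATORS = {"|", "||", "&&", ";", "&"}  # tokens that end one shell command

def logical_commands(text):
    """Yield (first_line, tokens), joining backslash continuations and open quotes."""
    buf, start = "", 0
    for lineno, line in enumerate(text.splitlines(), 1):
        start = start if buf else lineno
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        buf += line + "\n"
        try:
            tokens = shlex.split(buf, comments=True)
        except ValueError:                # quote still open: keep reading lines
            continue
        buf = ""
        yield start, tokens

def find_functions_usage(text):
    """Return [(line, value, kind)] for each llm call that passes --functions."""
    findings = []
    for start, tokens in logical_commands(text):
        for i, tok in enumerate(tokens):
            if os.path.basename(tok) != "llm":
                continue
            args = tokens[i + 1:]
            for j, arg in enumerate(args):
                if arg in SEPARATORS:
                    break
                key, eq, inline = arg.partition("=")
                if key != FLAG:
                    continue
                value = inline if eq else "".join(args[j + 1:j + 2])
                # Heuristic: a value built by shell expansion is not fixed in the script.
                kind = "dynamic" if "$" in value or "`" in value else "literal"
                findings.append((start, value, kind))
    return findings

# Constructed sample job, not taken from any real project.
SAMPLE = '''llm -m example-model "summarise the changelog" < CHANGELOG.md
llm --functions '
def add(a: int, b: int) -> int:
    return a + b
' "what is 2 + 3"
/usr/local/bin/llm -m example-model \\
    --functions="$REVIEW_HELPERS" "review this diff" | tee out.txt
'''
```

A "dynamic" finding is the one to look at first in an automated job, because the code handed to exec() is decided outside the script being reviewed.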



Advisories
Source: Github GHSA
ID: GHSA-g76p-4vg5-f4qh
Title: llm CLI tool contains a code injection vulnerability via `--functions` command-line argument
History

Thu, 14 May 2026 23:15:00 +0000

Type Values Removed Values Added
Title Python Code Injection via llm CLI --functions Argument

Thu, 14 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Simonw
Simonw llm
Vendors & Products Simonw
Simonw llm

Tue, 12 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Python Code Injection via llm CLI --functions Argument
Weaknesses CWE-94

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec() function without any sanitization, sandboxing, or security restrictions. An attacker can exploit this by crafting a malicious llm command with arbitrary Python code in the --functions argument and using social engineering to trick a victim into running it. This leads to arbitrary code execution on the victim's system, potentially granting the attacker full control.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T19:54:26.929Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31236

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-12T18:16:51.977

Modified: 2026-05-14T20:17:03.103

Link: CVE-2026-31236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T23:00:13Z

Weaknesses