Description
A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this vulnerability is the function _format_plugins of the file .claude/skills/ui-styling/scripts/tailwind_config_gen.py of the component Tailwind Config Generator. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Published: 2026-05-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from a flaw in the _format_plugins function of the Tailwind Config Generator component in nextlevelbuilder ui-ux-pro-max-skill. The flaw permits code injection, allowing an attacker to execute arbitrary code when the function processes malicious plugin parameters. The vulnerability is a consequence of CWE-74 and CWE-94 weaknesses in parameter handling and code generation.

Affected Systems

All installations of nextlevelbuilder ui-ux-pro-max-skill version 2.5.0 or earlier are affected. The problematic code resides in .claude/skills/ui-styling/scripts/tailwind_config_gen.py, part of the Tailwind Config Generator module.

Risk and Exploitability

The reported CVSS score of 5.3 indicates moderate severity. EPSS data is not available, and the issue is not listed in CISA KEV catalog. An exploit has been published and is known to be remotely exploitable, meaning that a remote attacker who can influence the input to _format_plugins may trigger the injection.

Generated by OpenCVE AI on May 2, 2026 at 11:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nextlevelbuilder ui-ux-pro-max-skill to the latest version that removes the _format_plugins injection flaw.
  • If an upgrade is not currently possible, consider disabling or uninstalling the Tailwind Config Generator component to eliminate the vulnerable code path.
  • Implement input validation or sanitization on any user-supplied plugin data before it is fed into _format_plugins to prevent malicious code injection.

Generated by OpenCVE AI on May 2, 2026 at 11:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this vulnerability is the function _format_plugins of the file .claude/skills/ui-styling/scripts/tailwind_config_gen.py of the component Tailwind Config Generator. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Title nextlevelbuilder ui-ux-pro-max-skill Tailwind Config Generator tailwind_config_gen.py _format_plugins code injection
Weaknesses CWE-74
CWE-94
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T20:45:10.767Z

Reserved: 2026-05-01T09:49:00.678Z

Link: CVE-2026-7595

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-01T21:16:18.130

Modified: 2026-05-01T21:16:18.130

Link: CVE-2026-7595

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses