Description
A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-09
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

helper.Update in helper.go of aandrew-me tgpt lets a local user inject arbitrary shell commands through the update routine. The flaw is classed as improper neutralization of special elements (CWE-74) and, more specifically, command injection (CWE-77): whatever is injected runs as an external command in the context of the running tgpt process, so confidentiality, integrity and availability of that process's data are all at stake (CVSS C:L/I:L/A:L).

Affected Systems

Affected are aandrew-me tgpt releases up to and including 2.11.1 on Linux and macOS. The vulnerable code lives in the Update Handler component (helper.Update in helper.go), so any installation that can invoke the built-in update routine is exposed.

Risk and Exploitability

The CVSS 4.0 base score is 4.8 (Medium; 5.3 under CVSS 3.x), the EPSS probability is below 1% (very low), and the vulnerability is not listed in CISA KEV. The vector is AV:L/PR:L/UI:N: the attacker already needs a low-privileged local account or code execution on the host, no user interaction is required, and the impact stays within the vulnerable process (S:U). The flaw therefore offers no remote entry point on its own; its realistic use is as a second stage, running attacker-chosen commands in the context of whoever invokes the updater. A proof of concept has been published (E:P), and the vendor had not responded at the time of disclosure.

Generated by OpenCVE AI on May 9, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aandrew-me tgpt to a release newer than 2.11.1 that removes the vulnerability as soon as the project publishes one; at the time of writing none exists.
  • Until a fixed release is available, run tgpt under a least-privileged user account and do not invoke the update routine (helper.Update) on hosts where other local users can influence its inputs.
  • For the project: treat every value that reaches the update routine as untrusted. Pass it to the child process as its own argv element via os/exec instead of interpolating it into a string that a shell re-parses, and validate it against a narrow allow-list before use.
  • Monitor for unexpected child processes spawned by the tgpt binary (for example, shells launched with unusual arguments) using process auditing or EDR telemetry.

Generated by OpenCVE AI on May 9, 2026 at 22:20 UTC.
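To make the fix class concrete, the following Go example, written for this page and not code from the tgpt project, shows the shell-string anti-pattern behind CWE-77 beside an argv-based construction that cannot be injected. The installer URL, the script body and the target paths are constructed placeholders, and the functions only build exec.Cmd values; nothing is downloaded or run.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// installScript is a placeholder URL for this example; it is not the
// project's real installer and is never fetched here.
const installScript = "https://example.invalid/install.sh"

// BuildUpdateCommandVulnerable shows the anti-pattern behind CWE-77: a value
// the program does not fully control (the path the updater should overwrite)
// is pasted into a command string that bash then re-parses as syntax.
func BuildUpdateCommandVulnerable(targetPath string) *exec.Cmd {
	script := fmt.Sprintf("curl -sSL %s | bash -s %s", installScript, targetPath)
	return exec.Command("bash", "-c", script)
}

// ShellString returns the text that "bash -c" would parse, so the injected
// metacharacters are visible without executing anything.
func ShellString(cmd *exec.Cmd) string {
	return cmd.Args[len(cmd.Args)-1]
}

// safePath is a deliberately narrow allow-list: an absolute path built from
// letters, digits and a few punctuation characters. An updater does not need
// to support anything else.
var safePath = regexp.MustCompile(`^/[A-Za-z0-9._+/-]+$`)

// ValidateTargetPath rejects relative, unnormalised or odd-looking paths
// before they reach any process-spawning code.
func ValidateTargetPath(p string) error {
	if !filepath.IsAbs(p) || filepath.Clean(p) != p {
		return errors.New("target must be a clean absolute path")
	}
	if !safePath.MatchString(p) {
		return fmt.Errorf("target contains disallowed characters: %q", p)
	}
	return nil
}

// BuildUpdateCommandSafe never builds a shell command line. The installer
// body is fed on stdin ("bash -s" reads the script from stdin) and targetPath
// is a single argv element after "--", so the child sees it as $1 verbatim:
// bytes such as ';' or '$(' are data, not syntax. The allow-list check stays
// in place as defence in depth.
func BuildUpdateCommandSafe(installerBody, targetPath string) (*exec.Cmd, error) {
	if err := ValidateTargetPath(targetPath); err != nil {
		return nil, err
	}
	cmd := exec.Command("bash", "-s", "--", targetPath)
	cmd.Stdin = strings.NewReader(installerBody)
	return cmd, nil
}

func main() {
	// Constructed inputs: a benign path and one carrying a shell payload.
	benign := "/usr/local/bin/tgpt"
	payload := "/usr/local/bin/tgpt; id > /tmp/pwned"
	installer := "echo installing to \"$1\"" // constructed stand-in for a real installer

	fmt.Println("vulnerable shell string:", ShellString(BuildUpdateCommandVulnerable(payload)))

	if _, err := BuildUpdateCommandSafe(installer, payload); err != nil {
		fmt.Println("safe builder rejected payload:", err)
	}
	if cmd, err := BuildUpdateCommandSafe(installer, benign); err == nil {
		fmt.Println("safe argv:", cmd.Args)
	}
}
```

Even with the allow-list removed, the safe builder would hand the payload to bash as one positional parameter rather than as a command line, which is the property the fix depends on; the validation only narrows what the child can be asked to touch.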

Advisories

No advisories yet.

History

Sat, 09 May 2026 21:15:00 +0000

Values added (nothing removed):

Description: the CVE description shown at the top of this page.
Title: aandrew-me tgpt Update helper.go helper.Update command injection
Weaknesses: CWE-74, CWE-77
References: (none shown)
Metrics:
  cvssV2_0: 4.3, AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
  cvssV3_0: 5.3, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  cvssV3_1: 5.3, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  cvssV4_0: 4.8, CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-09T21:00:11.816Z

Reserved: 2026-05-09T06:07:36.666Z

Link: CVE-2026-8210

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T21:16:26.967

Modified: 2026-05-09T21:16:26.967

Link: CVE-2026-8210

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T22:30:37Z

Weaknesses