Description
A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-09
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

helper.Update in the helper.go file of aandrew-me tgpt allows an attacker with local user privileges to inject arbitrary shell commands by manipulating the update process. The vulnerability is classified as a command injection flaw (CWE-74) and results in external commands being executed with the privileges of the running process, compromising the confidentiality and integrity of the affected system.

Affected Systems

Affected systems include the aandrew-me tgpt application version 2.11.1 or earlier running on Linux or macOS platforms. The vulnerability resides in the Update Handler component and is present wherever the vulnerable code is deployed.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score is not available, so the current exploit probability cannot be quantified. The vulnerability is not listed in CISA KEV. The exploit can only be carried out by a local attacker who can already execute code within the application, so a prior local privilege escalation or a compromised user account is a prerequisite. The absence of a remote exploitation vector reduces the threat, but a local attacker can still leverage the flaw to gain further privileges, access files, or execute arbitrary commands.

Generated by OpenCVE AI on May 9, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aandrew-me tgpt to a patched or newer release that removes the vulnerability.
  • If an update is not yet available, constrain the execution environment of helper.Update by running the application with the least privileged user account and restricting shell access.
  • Implement input validation to escape or sanitize any arguments used by the update routine.
  • Monitor system logs for unexpected command execution patterns.

Advisories

No advisories yet.

History

Tue, 12 May 2026 03:15:00 +0000

Type       Values Removed   Values Added
Metrics    -                ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Aandrew-me
                                       Aandrew-me tgpt
Vendors & Products    -                Aandrew-me
                                       Aandrew-me tgpt

Sat, 09 May 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description   -                A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title         -                aandrew-me tgpt Update helper.go helper.Update command injection
Weaknesses    -                CWE-74
                               CWE-77
References    -
Metrics       -                cvssV2_0
                               {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0
                               {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1
                               {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0
                               {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-12T02:30:10.466Z

Reserved: 2026-05-09T06:07:36.666Z

Link: CVE-2026-8210

Vulnrichment

Updated: 2026-05-12T02:30:06.332Z

NVD

Status: Deferred

Published: 2026-05-09T21:16:26.967

Modified: 2026-05-13T15:32:56.063

Link: CVE-2026-8210

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:24:24Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')