Description
A security vulnerability has been detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. Affected by this issue is the function ExecTool.execute of the file /src/tools/exec.ts. Such manipulation leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-25
Score: 6.9 Medium
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug is an OS command injection flaw in the ExecTool.execute function of the FoundDream miniclawd project. The function accepts external input and forwards it directly to the operating system shell. Because that string is neither validated nor escaped, a malicious user can craft input that causes the shell to run arbitrary commands. The weakness is classified as CWE-77 and CWE-78. The impact is that anyone who can make the application invoke ExecTool.execute with attacker-controlled input may be able to run unauthorized commands on the host.

Affected Systems

All instances of FoundDream miniclawd at or before the reference commit 2d65665046e2222eeea76cafc8570ed546a8c125 are affected. The project does not use semantic versioning, so it is unclear which released builds after this commit may still be vulnerable, but any code base still containing the referenced commit carries the risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of about 1% indicates a low but non-zero likelihood that the vulnerability is actually being exploited. The flaw is not listed in the CISA KEV catalog. The vulnerable function can be invoked remotely via exposed interfaces that call ExecTool.execute. While the command injection allows execution of arbitrary OS commands, whether an attacker can achieve full system compromise depends on the privileges with which ExecTool.execute runs; it could potentially provide complete control over the affected system, but this outcome is conditional on successful exploitation and the system's privilege configuration.

Generated by OpenCVE AI on May 25, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an updated release or a security advisory from FoundDream that addresses the command injection and apply it immediately on all affected instances.
  • If no official fix is available, apply network segmentation or firewall rules to limit remote access to the component that invokes ExecTool.execute, thereby reducing the attack surface.
  • Remove or disable the use of ExecTool.execute wherever possible and replace it with a safer alternative that sanitizes inputs or uses stricter command execution APIs.
  • Audit the application code for any remaining unvalidated parameters that reach ExecTool.execute and enforce strict input validation or escaping to prevent injection.

Advisories

No advisories yet.

History

Mon, 25 May 2026 11:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           A security vulnerability has been detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. Affected by this issue is the function ExecTool.execute of the file /src/tools/exec.ts. Such manipulation leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Title                (none)           FoundDream miniclawd exec.ts ExecTool.execute os command injection
First Time appeared  (none)           Founddream
                                      Founddream miniclawd
Weaknesses           (none)           CWE-77
                                      CWE-78
CPEs                 (none)           cpe:2.3:a:founddream:miniclawd:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Founddream
                                      Founddream miniclawd
References           (none)           (none)
Metrics              (none)           cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T11:00:17.219Z

Reserved: 2026-05-24T07:54:23.407Z

Link: CVE-2026-9452

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T15:15:28Z

Weaknesses