Description
A vulnerability was detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. This affects the function which of the file /src/application/skills-loader.ts of the component SkillsLoader. Performing a manipulation of the argument requires.bins results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in FoundDream miniclawd allows attackers to inject operating-system commands via an improperly validated argument in the SkillsLoader component. This flaw can lead to arbitrary command execution, compromising the confidentiality, integrity, and availability of the system where miniclawd is installed. The weakness is categorized as CWE-74 (injection) and CWE-77 (command injection): externally supplied input is not neutralized before it is used in a command.

Affected Systems

The affected product is FoundDream miniclawd, any version up to the last commit identified in the security advisory. Because the project follows a rolling release model, no specific version information is defined, and any release prior to the undisclosed fix is considered vulnerable.

Risk and Exploitability

The CVSS score of 6.9 classifies the issue as Medium severity. No EPSS score is available, so there is no exploitation-probability estimate for this CVE yet. The flaw can be triggered remotely, and the exploit code is public, meaning attackers could target instances without additional access. At this time, the vulnerability is not listed in the CISA KEV catalog, but its remote nature and public exploitability indicate that an attacker could obtain full command control over a susceptible system.

Generated by OpenCVE AI on May 25, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest miniclawd release as soon as a patch that addresses the command injection flaw becomes available.
  • If immediate upgrading is not feasible, modify the application to restrict the requires.bins argument to a whitelist of approved binaries or otherwise sanitize the input before it is passed to the system shell.
  • Place the miniclawd component in a segregated network segment or container runtime to limit the access an attacker could gain through successful injection.


Advisories

No advisories yet.

History

Mon, 25 May 2026 12:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. This affects the function which of the file /src/application/skills-loader.ts of the component SkillsLoader. Performing a manipulation of the argument requires.bins results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Title | | FoundDream miniclawd SkillsLoader skills-loader.ts which command injection
First Time appeared | | Founddream; Founddream miniclawd
Weaknesses | | CWE-74; CWE-77
CPEs | | cpe:2.3:a:founddream:miniclawd:*:*:*:*:*:*:*:*
Vendors & Products | | Founddream; Founddream miniclawd
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T11:15:11.090Z

Reserved: 2026-05-24T07:54:25.747Z

Link: CVE-2026-9453

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T14:00:17Z

Weaknesses