CVE-2026-33310 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appea…
High CVSS: 8.8

CVE-2026-33310

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.
Vendor
Intake
Product
Intake
CWE
CWE-78
Yayın Tarihi
2026-03-24 14:16:30
Güncelleme
2026-03-25 20:54:34
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-78 Intake HIGH Intake 2026

Referanslar

https://github.com/intake/intake/commit/d0c0b6b57c1cb3f73880655ded4a9b0e18e1fd1b https://github.com/intake/intake/security/advisories/GHSA-37g4-qqqv-7m99