VYPR
Medium severity6.5NVD Advisory· Published May 11, 2026· Updated May 13, 2026

CVE-2026-31246

CVE-2026-31246

Description

GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run() method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper validation. The user-supplied input is directly passed to asyncio.create_subprocess_shell() for execution. This allows an attacker to replace the intended command with arbitrary shell commands, leading to remote code execution with the privileges of the GPT-Pilot process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
gpt-pilotPyPI
<= 0.0.10

Affected products

2
  • Pythagora Io/Gpt Pilotreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <=0819827ce20346ef5f25b3fe29293cb448840565

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.