Medium severity6.5NVD Advisory· Published May 11, 2026· Updated May 13, 2026
CVE-2026-31246
CVE-2026-31246
Description
GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run() method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper validation. The user-supplied input is directly passed to asyncio.create_subprocess_shell() for execution. This allows an attacker to replace the intended command with arbitrary shell commands, leading to remote code execution with the privileges of the GPT-Pilot process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gpt-pilotPyPI | <= 0.0.10 | — |
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=0819827ce20346ef5f25b3fe29293cb448840565
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.