What is GHSA-r7p8-h82j-w6x6?

GHSA-r7p8-h82j-w6x6 is a security advisory published by GitHub Security Advisories with High severity. @pensar/apex \u003c= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The...

Which CVE IDs does GHSA-r7p8-h82j-w6x6 cover?

GHSA-r7p8-h82j-w6x6 covers the following CVE IDs: CVE-2026-36044. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-r7p8-h82j-w6x6?

GHSA-r7p8-h82j-w6x6 has a CVSS v3 base score of 8.8, published by GitHub Security Advisories.

GHSA-r7p8-h82j-w6x6HighCVSS 8.8

@pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The...

Vendor

GitHub Security Advisories

Published

May 27, 2026

Last Modified

May 27, 2026

🔗 CVE IDs covered (1)

CVE-2026-36044 →

📋 Description

@pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in those values are interpreted by the host shell, resulting in arbitrary OS command execution with the privileges of the running process.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-36044
https://gist.github.com/NucleiAv/47e87da08b90ef464fd9b35affe578fb
https://www.npmjs.com/package/@pensar/apex
https://github.com/advisories/GHSA-r7p8-h82j-w6x6