cvedb.io
CVE-2026-30302
CRITICAL · CVSS 10
EPSS exploitation probability: 0%
Published 2026-03-27T16:16:23.210 · Last modified 2026-06-17T10:32:36.890

Summary

The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^" & malicious_command ^". The CodeRider-Kilo parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD
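The parser/executor mismatch described above, shown as an added example that is not CodeRider-Kilo's code: Python's shlex stands in for the Unix shell-quote library, the allowlist entries are placeholders, and the only thing taken from the summary is the payload shape. The flawed approval sits beside a CMD-aware check that treats ^ as an escape, so the & is seen for what CMD makes of it.

```python
import shlex

# Constructed sample inputs for this example; only the payload shape comes
# from the CVE summary. The allowlist entries are placeholders.
ALLOWLIST = ("git", "dir")
SAFE_CMD = 'git log --oneline'
BYPASS_CMD = 'git log ^" & malicious_command ^"'
CMD_SEPARATORS = ("&", "|")  # &, &&, |, || chain commands in Windows CMD


def posix_tokens(cmd: str) -> list[str]:
    """View the command the way a POSIX tokenizer does (shlex here, shell-quote
    in the affected project): '^' is an ordinary character, so ^" opens a quoted
    string and the '&' is swallowed into one argument."""
    return shlex.split(cmd, posix=True)


def vulnerable_approve(cmd: str) -> bool:
    """The flawed pattern: allowlist check on POSIX tokens, on every platform.
    A separator hidden inside a (POSIX) quoted token is never seen."""
    tokens = posix_tokens(cmd)
    if not tokens or any(t in ("&", "&&", "|", "||") for t in tokens):
        return False
    return tokens[0] in ALLOWLIST


def cmd_separators_outside_quotes(cmd: str) -> list[str]:
    """Scan with Windows CMD rules: '"' toggles quoting, and an unquoted '^'
    escapes the next character (so ^" is a literal quote, not a quote opener).
    Returns every & or | that CMD would treat as a command separator."""
    found, in_quotes, i = [], False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes:
            i += 1  # the escaped character is literal, whatever it is
        elif ch in CMD_SEPARATORS and not in_quotes:
            found.append(ch)
        i += 1
    return found


def hardened_approve_windows(cmd: str) -> bool:
    """Fix: on Windows, judge separators with CMD semantics before consulting
    the allowlist, and refuse anything that chains a second command."""
    if cmd_separators_outside_quotes(cmd):
        return False
    parts = cmd.split()
    return bool(parts) and parts[0] in ALLOWLIST
```

The CMD scanner is deliberately conservative and does not model every CMD quoting quirk; an approval gate should reject on doubt rather than reproduce the interpreter exactly.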

Affected products

coderider-kilo — coderider

