cvedb.io
CVE-2026-30303
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2026-03-27T15:16:52.513 · Last modified 2026-06-17T10:32:37.050

Summary

The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^" & malicious_command ^". The Axon Code parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interprete
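The mechanism the summary describes, as an added example that is not Axon Code's or shell-quote's own source: two simplified tokenizers, one following POSIX shell rules (the model shell-quote implements) and one following cmd.exe rules, are run over the advisory's payload, and an allowlist check built on each is compared. The names posixSplitCommands, cmdSplitCommands, WHITELIST, autoApproveVulnerable and autoApproveHardened, the allowlist contents, and malicious_command as a placeholder are assumptions for illustration. The cmd.exe model ignores %var% expansion, delayed expansion and redirection, so it is a teaching model, not a reimplementation of the Windows command parser.

```javascript
// Added example (not Axon Code's or shell-quote's source). It models the
// parser/executor mismatch from the advisory: an allowlist check that parses
// with POSIX shell rules while cmd.exe executes with its own rules.
// Both tokenizers below are simplified models, not the real parsers.

// POSIX-style model of what shell-quote does: backslash escapes, '"' and "'"
// quote, '^' is an ordinary character. Returns top-level commands as arrays
// of words; unquoted &, &&, |, || separate commands.
function posixSplitCommands(line) {
  const commands = [];
  let words = [], word = '', inWord = false, quote = null;
  const flush = () => { if (inWord) { words.push(word); word = ''; inWord = false; } };
  const endCommand = () => { flush(); if (words.length) commands.push(words); words = []; };
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (quote) {
      if (c === quote) quote = null;
      else word += c;
    } else if (c === '"' || c === "'") { quote = c; inWord = true; }
    else if (c === '\\' && i + 1 < line.length) { word += line[++i]; inWord = true; }
    else if (c === ' ' || c === '\t') flush();
    else if (c === '&' || c === '|') { endCommand(); if (line[i + 1] === c) i++; }
    else { word += c; inWord = true; }
  }
  endCommand();
  return commands;
}

// cmd.exe model: outside quotes '^' escapes the next character, so ^" is a
// literal quote that does NOT open a quoted region; '"' toggles quote mode;
// inside quotes '^' is literal; unquoted & && | || separate commands.
// Simplification: %var% expansion, delayed expansion and redirection are ignored.
function cmdSplitCommands(line) {
  const commands = [];
  let current = '', inQuote = false;
  const endCommand = () => { const t = current.trim(); if (t) commands.push(t); current = ''; };
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (inQuote) { if (c === '"') inQuote = false; current += c; }
    else if (c === '^' && i + 1 < line.length) current += line[++i];
    else if (c === '"') { inQuote = true; current += c; }
    else if (c === '&' || c === '|') { endCommand(); if (line[i + 1] === c) i++; }
    else current += c;
  }
  endCommand();
  return commands;
}

// Assumed allowlist of read-only git subcommands (hypothetical).
const WHITELIST = new Set(['git log', 'git status', 'git diff']);

// Vulnerable shape: POSIX parse on Windows, approve when every command
// found starts with an allowed two-word prefix. For the payload the POSIX
// model sees a single "git log" with one quoted argument, so it approves.
function autoApproveVulnerable(line) {
  const cmds = posixSplitCommands(line);
  return cmds.length > 0 && cmds.every(w => WHITELIST.has(w.slice(0, 2).join(' ')));
}

// Hardened shape for Windows: split with cmd.exe rules, never approve
// chained commands, and fail closed on any metacharacter the approver did
// not fully interpret (quotes, carets, redirection, variable expansion).
function autoApproveHardened(line) {
  const cmds = cmdSplitCommands(line);
  if (cmds.length !== 1) return false;
  if (/["^<>%!]/.test(cmds[0])) return false;
  return WHITELIST.has(cmds[0].split(/\s+/).slice(0, 2).join(' '));
}

// The advisory's payload; malicious_command is the placeholder it uses.
const PAYLOAD = 'git log ^" & malicious_command ^"';

console.log('POSIX view  :', JSON.stringify(posixSplitCommands(PAYLOAD)));
console.log('cmd.exe view:', JSON.stringify(cmdSplitCommands(PAYLOAD)));
console.log('vulnerable approves:', autoApproveVulnerable(PAYLOAD));
console.log('hardened approves  :', autoApproveHardened(PAYLOAD));
```

The POSIX model reports one command, git log with the argument `^ & malicious_command ^`, because the unescaped quote opens a string and the & lands inside it; the cmd.exe model reports two commands, `git log "` and `malicious_command "`, because `^"` is a literal quote and the & is a separator. The hardened check is deliberately conservative: on Windows it refuses chained commands outright and rejects any surviving quote or caret rather than trying to reproduce every cmd.exe quoting rule, which is the failure-closed posture an auto-approval gate should take.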

Affected products

matterai — axon_code


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.