cvedb.io
CVE-2026-33310
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-03-24T14:16:30.130 · Last modified 2026-06-17T10:37:18.003

Summary

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.

Affected products

intake — intake

Does this affect you?

Add your gear to cvedb and we'll alert you only when intake ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.