10
CVE-2026-12537
- EPSS 0.13%
- Veröffentlicht 24.06.2026 13:37:21
- Zuletzt bearbeitet 02.07.2026 19:46:27
- Quelle f45cbf4e-4146-4068-b7e1-655ffc
- CVE-Watchlists
- Unerledigt
Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows
Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Google ≫ Gemini-cli SwPlatformnode.js Version < 0.39.1
Google ≫ Gemini-cli Version0.40.0 Updatepreview2 SwPlatformnode.js
Google ≫ Run-gemini-cli Version < 0.1.22
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.032 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| f45cbf4e-4146-4068-b7e1-655ffc2c548c | 10 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g