๐Ÿ” CVE Alert

CVE-2026-29042

UNKNOWN 0.0

Nuclio Shell Runtime Command Injection Leading to Privilege Escalation

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments header and directly incorporates its value into shell commands without any validation or sanitization. This issue has been patched in version 1.15.20.

CWE: CWE-75
Vendor: nuclio
Product: nuclio
Published: Mar 6, 2026
Last Updated: Mar 9, 2026

Affected Versions

nuclio / nuclio
< 1.15.20

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27
github.com: https://github.com/nuclio/nuclio/pull/4030
github.com: https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a
github.com: https://github.com/nuclio/nuclio/releases/tag/1.15.20