CVE-2026-43990

HIGH 8.4

JunoClaw: plugin-shell shell-metacharacter injection via shell wrapper

CVSS Score

8.4

EPSS Score

0.0%

EPSS Percentile

0th

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell metacharacters in agent-supplied arguments to be interpreted as command syntax. This vulnerability is fixed in 0.x.y-security-1.

CWE	CWE-77 CWE-78
Vendor	dragonmonk111
Product	junoclaw
Published	May 12, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for dragonmonk111 junoclaw

Be the first to know when new high vulnerabilities affecting dragonmonk111 junoclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Dragonmonk111 / junoclaw

< v0.x.y-security-1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Dragonmonk111/junoclaw/security/advisories/GHSA-gpvm-3chf-2649 github.com: https://github.com/Dragonmonk111/junoclaw/commit/2bc54f6 github.com: https://github.com/Dragonmonk111/junoclaw/releases/tag/v0.x.y-security-1