CVE-2026-43991
JunoClaw: plugin-shell shell-injection bypass via substring blocklist
CVSS Score
8.4
EPSS Score
0.0%
EPSS Percentile
0th
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, substring-based blocklist in plugin-shell's command-safety check could be bypassed by adversarial argument constructions, allowing unauthorized command execution on the host when combined with the companion advisory. Pre-patch, the check was applied to the raw command string rather than the parsed first token. This vulnerability is fixed in 0.x.y-security-1.
| CWE | CWE-78 CWE-184 |
| Vendor | dragonmonk111 |
| Product | junoclaw |
| Published | May 12, 2026 |
| Last Updated | May 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for dragonmonk111 junoclaw
Be the first to know when new high vulnerabilities affecting dragonmonk111 junoclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
Dragonmonk111 / junoclaw
< v0.x.y-security-1