{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30306", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T17:57:44.311Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T20:04:26.731Z"}, "descriptions": [{"lang": "en", "value": "In its design for automatic terminal command execution, SakaDev offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://marketplace.visualstudio.com/items?itemName=rahmanazhar.saka-dev"}, {"url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/4"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T17:56:08.488633Z", "id": "CVE-2026-30306", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:57:44.311Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30306", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T17:56:08.488633Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:57:26.971Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://marketplace.visualstudio.com/items?itemName=rahmanazhar.saka-dev"}, {"url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/4"}], "descriptions": [{"lang": "en", "value": "In its design for automatic terminal command execution, SakaDev offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T20:04:26.731Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30306", "state": "PUBLISHED", "dateUpdated": "2026-04-01T17:57:44.311Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-30T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In its design for automatic terminal command execution, SakaDev offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution."}, {"lang": "es", "value": "En su dise\u00f1o para la ejecuci\u00f3n autom\u00e1tica de comandos de terminal, SakaDev ofrece dos opciones: Ejecutar comandos seguros y ejecutar todos los comandos. La descripci\u00f3n de la primera opci\u00f3n establece que los comandos que el modelo determine como seguros se ejecutar\u00e1n autom\u00e1ticamente, mientras que si el modelo juzga que un comando es potencialmente destructivo, a\u00fan requiere la aprobaci\u00f3n del usuario. Sin embargo, este dise\u00f1o es altamente susceptible a ataques de inyecci\u00f3n de *prompts*. Un atacante puede emplear una plantilla gen\u00e9rica para envolver cualquier comando malicioso y enga\u00f1ar al modelo para que lo clasifique err\u00f3neamente como un comando 'seguro', eludiendo as\u00ed el requisito de aprobaci\u00f3n del usuario y resultando en la ejecuci\u00f3n arbitraria de comandos."}], "id": "CVE-2026-30306", "lastModified": "2026-04-01T18:16:28.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T21:17:08.983", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/4"}, {"source": "cve@mitre.org", "url": "https://marketplace.visualstudio.com/items?itemName=rahmanazhar.saka-dev"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-02T03:26:13.107218+00:00", "value": {"mitigation_remediation": ["Uninstall or disable the SakaDev extension in Visual Studio Code", "Configure the extension to require user approval for all commands, disabling the 'execute all commands' option", "Apply any official patch or newer release once the vendor addresses the issue", "Restrict model prompts to trusted sources and validate command safety before execution", "Monitor the system for unexpected command execution events"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary command execution"}, "threat_synthesis": {"affected_systems": "Any user who has installed the SakaDev VS Code extension is potentially affected. The extension is available from the Visual Studio Code Marketplace under the name Rahman Azhar \u2013 SakaDev. Version information was not disclosed in the advisory, but the flaw appears to exist in all current releases.", "description_and_impact": "SakaDev, a Visual Studio Code extension designed to automatically execute terminal commands identified by the model, contains a dangerous flaw that enables prompt injection. An attacker can craft a prompt that tricks the language model into labeling a malicious command as safe, thereby bypassing the user approval step and allowing the extension to run arbitrary commands on the host system. This results in full code execution, compromising confidentiality, integrity, and availability of the machine that hosts the extension.", "risk_and_exploitability": "The vulnerability scores a 9.8 on CVSS, denoting a critical severity. Although the EPSS score is below 1 percent, indicating a low current exploitation probability, the potential damage is immense. The attack can be carried out via a prompt presented to the extension\u2019s language model, which the attacker controls. Because the model is responsible for determining whether a command is safe, the flaw allows the attacker to this decision and inject arbitrary commands, leading to remote code execution. The vulnerability is not yet listed in the CISA KEV catalog, but its severe impact warrants immediate attention."}}}}, "created": "2026-03-31T20:00:22.186839+00:00", "updated": "2026-04-02T07:54:59.706121+00:00", "vendors": []}