{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30308", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T18:00:06.982Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T20:40:44.039Z"}, "descriptions": [{"lang": "en", "value": "In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/presidio-oss/hai-build"}, {"url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/10"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T17:59:13.586823Z", "id": "CVE-2026-30308", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:00:06.982Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30308", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T18:00:06.982Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T20:40:44.039Z"}, "descriptions": [{"lang": "en", "value": "In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/presidio-oss/hai-build"}, {"url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/10"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T17:59:13.586823Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:59:52.782Z"}}]}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution."}, {"lang": "es", "value": "En su dise\u00f1o para la ejecuci\u00f3n autom\u00e1tica de comandos de terminal, HAI Build Code Generator ofrece dos opciones: Ejecutar comandos seguros y Ejecutar todos los comandos. La descripci\u00f3n de la primera opci\u00f3n establece que los comandos determinados por el modelo como seguros se ejecutar\u00e1n autom\u00e1ticamente, mientras que si el modelo juzga que un comando es potencialmente destructivo, a\u00fan requiere la aprobaci\u00f3n del usuario. Sin embargo, este dise\u00f1o es altamente susceptible a ataques de *prompt injection*. Un atacante puede emplear una plantilla gen\u00e9rica para envolver cualquier comando malicioso y enga\u00f1ar al modelo para que lo clasifique err\u00f3neamente como un comando 'seguro', eludiendo as\u00ed el requisito de aprobaci\u00f3n del usuario y resultando en la ejecuci\u00f3n arbitraria de comandos."}], "id": "CVE-2026-30308", "lastModified": "2026-04-01T19:16:30.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T21:17:09.107", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/10"}, {"source": "cve@mitre.org", "url": "https://github.com/presidio-oss/hai-build"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-31T05:42:09.060989+00:00", "value": {"mitigation_remediation": ["Check for an updated version of HAI Build Code Generator that fixes the prompt injection flaw.", "If no patch is available, disable the automatic safe command execution feature or restrict it to a whitelist of approved commands.", "Require explicit user approval for all generated commands regardless of model assessment.", "Monitor command execution logs for unexpected or unauthorized commands.", "Consider implementing additional runtime checks such as input sanitization or command validation layers."], "summary": {"action": "Patch", "impact": "Remote Code Execution via Prompt Injection"}, "threat_synthesis": {"affected_systems": "The effect is confined to systems that host the HAI Build Code Generator, an automated terminal command executor used for code generation. No specific vendor, product name, or version information is listed, so all installations of this component are potentially affected until a patch is applied or controls are implemented.", "description_and_impact": "The vulnerability allows an attacker to craft a prompt that tricks the HAI Build Code Generator into treating a malicious command as safe. By wrapping the command in a template that the model interprets as harmless, the system bypasses the user approval step and executes the command automatically. This results in arbitrary command execution, compromising confidentiality, integrity, and availability of the executing environment.", "risk_and_exploitability": "No EPSS score or KEV status is available, leaving the specific exploitation likelihood unclear. Nonetheless, the flaw permits remote code execution with no user interaction required once the prompt injection succeeds, indicating a high severity risk. Since the exploit depends mainly on injecting malicious output into the model\u2019s prompt, it can be performed by any actor who can influence the input to the generator, making the risk readily exploitable under the conditions described."}}}}, "created": "2026-03-31T20:00:21.201156+00:00", "title": "Auto Command Execution Enables Remote Code Execution via Prompt Injection", "updated": "2026-03-31T20:00:21.201179+00:00", "vendors": [], "weaknesses": ["CWE-77"]}