Execa Command Injection (VULN-01/02/03)

• Entity ID: ent-20260410-2c6ae492e097
• Type: issue
• Scope: shared
• Status: active
• Aliases: execa-vuln, phoenix-cves

Description

Three CWE-78 OS command injection vulnerabilities from execa with shell:true and unsanitized input. Full cloud credential exfiltration possible.

Key claims

• Shell injection sinks sit outside the agent loop
• CI/CD still exposed via apiKeyHelper on patched versions

Relations

• Phoenix Security --[caused]--> Execa Command Injection (VULN-01/02/03)
• OpenCVE Claude Code Catalogue (23 CVEs) --[contains]--> Execa Command Injection (VULN-01/02/03)
• Sigma Detection Pack (16 rules) --[informed_by]--> Execa Command Injection (VULN-01/02/03)

Sources

src-20260409-9ae8df121bc8