CVE-2026-31246: GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (
Summary
GPT-Pilot has a command injection vulnerability (CWE-78, a type of security flaw in which attackers insert malicious commands into a program) in its Executor.run() method, which allows attackers to execute arbitrary shell commands. When the system asks a user to confirm or modify a command before running it, it does not properly validate the user's input before passing it to the shell execution function, so an attacker can replace the intended command with a malicious one and run it with GPT-Pilot's privileges.
Vulnerability Details
EPSS: 0.0%
May 11, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-31246
First tracked: May 11, 2026 at 02:10 PM
Classified by LLM (prompt v3) · confidence: 95%