{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26068", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-10T18:01:31.900Z", "datePublished": "2026-02-12T22:01:23.212Z", "dateUpdated": "2026-02-13T17:17:57.660Z"}, "containers": {"cna": {"title": "emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection)", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-h5p4-4xp4-vjpp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-h5p4-4xp4-vjpp"}, {"name": "https://github.com/jm33-m0/emp3r0r/commit/0cd64e4a26e7839a9a54bca3d756a665fcb7fda0", "tags": ["x_refsource_MISC"], "url": "https://github.com/jm33-m0/emp3r0r/commit/0cd64e4a26e7839a9a54bca3d756a665fcb7fda0"}, {"name": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.1"}], "affected": [{"vendor": "jm33-m0", "product": "emp3r0r", "versions": [{"version": "< 3.21.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T22:01:23.212Z"}, "descriptions": [{"lang": "en", "value": "emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via /bin/sh -c. This enables command injection and remote code execution on the operator host. This vulnerability is fixed in 3.21.1."}], "source": {"advisory": "GHSA-h5p4-4xp4-vjpp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T17:17:44.435176Z", "id": "CVE-2026-26068", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T17:17:57.660Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26068", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-13T17:17:44.435176Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T17:17:51.518Z"}}], "cna": {"title": "emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection)", "source": {"advisory": "GHSA-h5p4-4xp4-vjpp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "jm33-m0", "product": "emp3r0r", "versions": [{"status": "affected", "version": "< 3.21.1"}]}], "references": [{"url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-h5p4-4xp4-vjpp", "name": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-h5p4-4xp4-vjpp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jm33-m0/emp3r0r/commit/0cd64e4a26e7839a9a54bca3d756a665fcb7fda0", "name": "https://github.com/jm33-m0/emp3r0r/commit/0cd64e4a26e7839a9a54bca3d756a665fcb7fda0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.1", "name": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via /bin/sh -c. This enables command injection and remote code execution on the operator host. This vulnerability is fixed in 3.21.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T22:01:23.212Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26068", "state": "PUBLISHED", "dateUpdated": "2026-02-13T17:17:57.660Z", "dateReserved": "2026-02-10T18:01:31.900Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T22:01:23.212Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jm33-m0:emp3r0r:*:*:*:*:*:*:*:*", "matchCriteriaId": "D36AFE21-D613-40DC-A48C-81A01F786437", "versionEndExcluding": "3.21.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via /bin/sh -c. This enables command injection and remote code execution on the operator host. This vulnerability is fixed in 3.21.1."}, {"lang": "es", "value": "emp3r0r es un C2 centrado en el sigilo, dise\u00f1ado por usuarios de Linux para entornos Linux. Antes de la versi\u00f3n 3.21.1, los metadatos no confiables del agente (Transport, Hostname) eran aceptados durante el registro (check-in) y posteriormente interpolados en cadenas de comandos de shell de tmux ejecutadas a trav\u00e9s de /bin/sh -c. Esto permite la inyecci\u00f3n de comandos y la ejecuci\u00f3n remota de c\u00f3digo en el host del operador. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 3.21.1."}], "id": "CVE-2026-26068", "lastModified": "2026-02-25T15:47:26.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-12T22:16:06.507", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jm33-m0/emp3r0r/commit/0cd64e4a26e7839a9a54bca3d756a665fcb7fda0"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-h5p4-4xp4-vjpp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.21.1)"}}], "product": "emp3r0r", "vendor": "jm33-m0"}], "analysis": {"en": {"generated_at": "2026-04-17T19:55:23.713082+00:00", "value": {"mitigation_remediation": ["Update emp3r0r to version 3.21.1 or later to apply the vendor patch.", "If an immediate upgrade is not possible, implement validation that rejects or sanitizes Transport and Hostname metadata before it is incorporated into tmux command strings, for example by allowing only a whitelist of trusted values.", "As a temporary containment measure, limit the operator host's ability to execute /bin/sh\u00a0-c with unsanitized input, or isolate tmux sessions from untrusted metadata by running them under a non\u2011privileged, restricted user account."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All releases of the emp3r0r command\u2011and\u2011control client from the jm33\u2011m0 project prior to version\u00a03.21.1 are affected. Versions 3.21.1 and newer include the fix that sanitizes or removes untrusted metadata before it is used in tmux command strings. The affected product is the emp3r0r agent for Linux environments.", "description_and_impact": "emp3r0r permits an attacker who can insert untrusted agent metadata, such as Transport or Hostname, during a check\u2011in operation to inject arbitrary shell commands into tmux session startup strings. The vulnerable code concatenates the metadata into a shell command executed via /bin/sh\u00a0-c, providing a classic command injection path that ultimately yields remote code execution on the operator's Linux host. This vulnerability can compromise confidentiality, integrity, and availability of the operator's systems, and is rooted in CWE\u201177 and CWE\u201178.", "risk_and_exploitability": "The CVSS v3 score of 9.3 indicates a high severity vulnerability, while the EPSS score of less than 1% suggests that exploitation is rare at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no documented exploitation yet. Exploitation requires an attacker to control or influence the metadata sent by an agent during check\u2011in, which is typically possible if they can compromise a compromised host or supply custom agents. If successful, the injection occurs through the operator's tmux session, allowing the attacker to execute arbitrary commands on the host. Users of older emp3r0r versions should consider this a high\u2011risk exposure, especially in environments where operators rely on tmux for session management."}}}}, "created": "2026-02-13T21:29:15.340771+00:00", "updated": "2026-04-17T20:00:09.037338+00:00", "vendors": ["jm33-m0", "jm33-m0$PRODUCT$emp3r0r"]}