{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30352", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-27T15:58:19.288Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T15:03:48.709Z"}, "descriptions": [{"lang": "en", "value": "A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code via providing a crafted command parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/leonvanzyl/autocoder"}, {"url": "http://autocoder.com"}, {"url": "http://leonvanzyl.com"}, {"url": "https://gist.github.com/syphonetic/e3bdee6c022b36d5ecb98fbf61284931"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T15:56:42.910681Z", "id": "CVE-2026-30352", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T15:58:19.288Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30352", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T15:56:42.910681Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T15:56:16.939Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/leonvanzyl/autocoder"}, {"url": "http://autocoder.com"}, {"url": "http://leonvanzyl.com"}, {"url": "https://gist.github.com/syphonetic/e3bdee6c022b36d5ecb98fbf61284931"}], "descriptions": [{"lang": "en", "value": "A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code via providing a crafted command parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T15:03:48.709Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30352", "state": "PUBLISHED", "dateUpdated": "2026-04-27T15:58:19.288Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-27T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code via providing a crafted command parameter."}], "id": "CVE-2026-30352", "lastModified": "2026-04-27T19:18:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-27T16:16:43.597", "references": [{"source": "cve@mitre.org", "url": "http://autocoder.com"}, {"source": "cve@mitre.org", "url": "http://leonvanzyl.com"}, {"source": "cve@mitre.org", "url": "https://gist.github.com/syphonetic/e3bdee6c022b36d5ecb98fbf61284931"}, {"source": "cve@mitre.org", "url": "https://github.com/leonvanzyl/autocoder"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "79d02a"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "autocoder", "vendor": "leonvanzyl"}], "analysis": {"en": {"generated_at": "2026-04-28T04:59:03.214191+00:00", "value": {"mitigation_remediation": ["Upgrade to a newer commit of the autocoder that removes the vulnerable command handling logic", "If an upgrade is not feasible, restrict network access to the /devserver/start endpoint to trusted hosts only", "Implement server\u2011side input validation to reject or escape untrusted command parameters, mitigating the command\u2011injection risk"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects installations running the leonvanzyl autocoder at commit 79d02a. No other versions or vendor products are listed, so the impact is confined to systems using that exact codebase.", "description_and_impact": "A command injection flaw exists in the /devserver/start endpoint of the leonvanzyl autocoder. An attacker who can send a request to this endpoint can supply a specially crafted command parameter that the server will execute directly, leading to arbitrary code execution. This vulnerability corresponds to CWE\u201177 and enables an attacker to run whatever system commands they choose, potentially compromising the entire host.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity, and although the EPSS score is not available, the lack of a KEV listing does not diminish the immediate risk. The attack can be performed remotely by sending an HTTP request with a malicious command parameter to the vulnerable endpoint, assuming the service is reachable from the network. Because the flaw allows execution of arbitrary commands, the attack surface is large and an exploit would likely succeed if the endpoint is publicly exposed."}}}}, "created": "2026-04-28T05:00:14.755977+00:00", "updated": "2026-04-28T09:17:33.070206+00:00", "vendors": ["leonvanzyl", "leonvanzyl$PRODUCT$autocoder"]}