{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39862", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.379Z", "datePublished": "2026-04-08T19:50:05.156Z", "dateUpdated": "2026-04-09T16:17:23.139Z"}, "containers": {"cna": {"title": "Tophat has a Command Injection Vulnerability When Accessing a Maliciously Crafted Tophat Link", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2"}, {"name": "https://github.com/Shopify/tophat/pull/139", "tags": ["x_refsource_MISC"], "url": "https://github.com/Shopify/tophat/pull/139"}], "affected": [{"vendor": "Shopify", "product": "tophat", "versions": [{"version": "< 2.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T19:50:05.156Z"}, "descriptions": [{"lang": "en", "value": "Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1."}], "source": {"advisory": "GHSA-8x8g-6rv5-mgg2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:58:24.111452Z", "id": "CVE-2026-39862", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:17:23.139Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Tophat has a Command Injection Vulnerability When Accessing a Maliciously Crafted Tophat Link", "source": {"advisory": "GHSA-8x8g-6rv5-mgg2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Shopify", "product": "tophat", "versions": [{"status": "affected", "version": "< 2.5.1"}]}], "references": [{"url": "https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2", "name": "https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Shopify/tophat/pull/139", "name": "https://github.com/Shopify/tophat/pull/139", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T19:50:05.156Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39862", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T14:58:24.111452Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-09T14:58:28.584Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-39862", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:50:05.156Z", "dateReserved": "2026-04-07T19:13:20.379Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T19:50:05.156Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopify:tophat:*:*:*:*:*:*:*:*", "matchCriteriaId": "A736EDA9-28AE-4C16-90E9-618F58822505", "versionEndExcluding": "2.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1."}], "id": "CVE-2026-39862", "lastModified": "2026-04-20T14:39:51.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T20:16:26.403", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/Shopify/tophat/pull/139"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "tophat", "source": "cna", "vendor": "Shopify"}, "product": "tophat", "vendor": "shopify"}], "analysis": {"en": {"generated_at": "2026-04-08T23:14:58.785349+00:00", "value": {"mitigation_remediation": ["Update to Shopify Tophat version\u00a02.5.1 or newer, which removes the vulnerable URL parsing.", "Avoid clicking or opening any tophat:// or http://localhost:29070 URLs on machines running Tophat.", "If Tophat is not required, disable or firewall the local service on port\u00a029070."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Developers using Shopify Tophat versions older than 2.5.1 on macOS are affected. The vulnerability is triggered by specially crafted tophat:// or http://localhost:29070 URLs accessed from a web browser. No confirmation dialog appears for previously trusted build hosts, and the local service listening on port\u00a029070 accepts requests from any user\u2019s browser. All installations of Tophat before the 2.5.1 release are susceptible.", "description_and_impact": "A flaw in Shopify Tophat allows an attacker to inject shell commands through query parameters that are forwarded to /bin/bash\u00a0-c during URL parsing. The unsanitized input can trigger arbitrary code execution on a developer's macOS workstation while using any user\u2011level privileges. The weakness is a classic command injection (CWE\u201178).", "risk_and_exploitability": "The CVSS score of 6.3 indicates medium severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to supply a malicious link that a developer opens in a browser, which then contacts the local Tophat service and causes unsafe command execution. Based on the description, this is not a direct external network exploitation, but it can be abused through social engineering or phishing. The impact is that executed commands run with the user's permissions, potentially allowing a compromise of the development machine."}}}}, "created": "2026-04-09T08:18:11.276902+00:00", "updated": "2026-04-09T08:27:33.642232+00:00", "vendors": ["shopify", "shopify$PRODUCT$tophat"]}