CVE-2023-26107

Summary

All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection when invoking shell.exec without sanitization nor parametrization while concatenating the current directory as part of the command string.

Affected Software

VendorProductVersion RangeStatus
n/asketchsvg0 < *affected

Weaknesses

  • CWE-94: Arbitrary Code Injection

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References