CVE-2026-36044
Published 2026-05-27
Priority P2 (61) · Severity High · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.85% (76.5th percentile)
@pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in those values are interpreted by the host shell, resulting in arbitrary OS command execution with the privileges of the running process. NOTE: this is disputed by the Supplier because the report is about intended behavior, as explained in the Security Policy of the pensarai/apex GitHub repo.
VulDB (2026-06-07, CVSS 8.8)
CVE-2026-36044 [HIGH] pensar apex up to 0.0.58 URL Parameter src/core/agent/tools.ts createSmartEnumerateTool os command injection
A vulnerability was found in pensar apex up to 0.0.58. It has been classified as critical. The impacted element is the function createSmartEnumerateTool of the file src/core/agent/tools.ts of the component URL Parameter Handler. This manipulation causes os command injection.
This vulnerability is registered as CVE-2026-36044. Remote exploitation of the attack is possible. No exploit is available.
GHSA (ghsa_unreviewed, 2026-05-27)
CVE-2026-36044 [HIGH] GHSA-r7p8-h82j-w6x6: @pensar/apex <= 0
Advisory text is identical to the CVE description above, without the supplier's dispute note.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.