CVE-2026-30303

Name of the Vulnerable Software and Affected Versions Axon Code (affected versions not specified)

Description The command auto-approval module contains an OS Command Injection issue, bypassing its whitelist security mechanism. This is due to the use of an incompatible command parser (the Unix-based shell-quote library) on the Windows platform and a failure to correctly handle Windows CMD-specific escape sequences (^). An attacker can exploit this by crafting payloads such as git log ^" & malicious command ^", deceiving the parser and causing the Windows CMD interpreter to execute the malicious command, leading to arbitrary Remote Code Execution (RCE). The parser incorrectly interprets the malicious command connector (&) as being within a protected string argument.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.