Unknown · Clash Verge · CVE-2025-50505
**Name of the Vulnerable Software and Affected Versions**
Clash Verge versions through 2.2.3
**Description**
The software installs a system service (`clash-verge-service`) by default and exposes that service's functions through a local HTTP API that performs no authentication. In particular, the `/start clash` endpoint accepts an arbitrary `bin path` parameter from any local user; the service passes that path straight to the process it spawns, so an unprivileged local user can have the privileged service execute a binary of their choosing. The result is local privilege escalation.
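The pattern the advisory describes, as an added illustration in Rust (this is not clash-verge-service's own code, and the endpoint name, request fields, allowed directory and fixture paths are hypothetical): a privileged service that turns a caller-supplied `bin_path` into the program it launches, beside a version that confines the path to a fixed install directory after symlink resolution and refuses anything a local user could overwrite. Nothing here is executed; the example only shows which program each variant would run.

```rust
// Added example, not code from the Clash Verge project. Names and paths are hypothetical.
use std::fs;
use std::path::{Path, PathBuf};
use std::process::Command;

/// Request body of a hypothetical "start clash" endpoint.
pub struct StartRequest {
    pub bin_path: String,
    pub config_path: String,
}

/// Vulnerable pattern: whatever the (unauthenticated, local) caller sends is the
/// program the privileged service spawns, so any local user runs code as the service.
pub fn build_start_command_unchecked(req: &StartRequest) -> Command {
    let mut cmd = Command::new(&req.bin_path);
    cmd.arg("-f").arg(&req.config_path);
    cmd
}

/// Hardened: only launch a regular file that lives inside `allowed_dir` once
/// symlinks and `..` are resolved, and never one that other users can rewrite.
pub fn resolve_bin_path(requested: &str, allowed_dir: &Path) -> Result<PathBuf, String> {
    let allowed = allowed_dir
        .canonicalize()
        .map_err(|e| format!("allowed dir {}: {e}", allowed_dir.display()))?;
    // canonicalize() follows symlinks and collapses `..`, so a link inside the
    // allowed directory that points elsewhere fails the prefix check like `../` does.
    let candidate = Path::new(requested)
        .canonicalize()
        .map_err(|e| format!("{requested}: {e}"))?;
    if !candidate.starts_with(&allowed) {
        return Err(format!("{} is outside {}", candidate.display(), allowed.display()));
    }
    let meta = fs::metadata(&candidate).map_err(|e| e.to_string())?;
    if !meta.is_file() {
        return Err(format!("{} is not a regular file", candidate.display()));
    }
    #[cfg(unix)]
    {
        use std::os::unix::fs::MetadataExt;
        // A world-writable binary could be swapped by any local user before launch.
        if meta.mode() & 0o002 != 0 {
            return Err(format!("{} is world-writable", candidate.display()));
        }
    }
    Ok(candidate)
}

pub fn build_start_command_checked(req: &StartRequest, allowed_dir: &Path) -> Result<Command, String> {
    let bin = resolve_bin_path(&req.bin_path, allowed_dir)?;
    let mut cmd = Command::new(bin);
    cmd.arg("-f").arg(&req.config_path);
    Ok(cmd)
}

/// Constructed fixture (not real data): an allowed bin directory holding one
/// placeholder binary, a file outside it, and a symlink inside pointing outside.
pub fn make_fixture() -> std::io::Result<PathBuf> {
    let root = std::env::temp_dir().join(format!("bin-path-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    fs::create_dir_all(root.join("bin"))?;
    fs::write(root.join("bin/clash"), b"#!/bin/sh\necho constructed\n")?;
    fs::write(root.join("evil"), b"#!/bin/sh\necho attacker\n")?;
    #[cfg(unix)]
    {
        std::os::unix::fs::symlink(root.join("evil"), root.join("bin/link-out"))?;
    }
    Ok(root)
}

fn main() {
    let root = make_fixture().expect("fixture");
    let allowed = root.join("bin");
    for p in ["bin/clash", "evil", "bin/../evil", "bin/link-out", "bin"].iter() {
        let req = StartRequest {
            bin_path: root.join(p).to_string_lossy().into_owned(),
            config_path: "config.yaml".into(),
        };
        println!("unchecked would run: {:?}", build_start_command_unchecked(&req).get_program());
        match build_start_command_checked(&req, &allowed) {
            Ok(cmd) => println!("checked accepts:     {:?}", cmd.get_program()),
            Err(e) => println!("checked rejects:     {e}"),
        }
    }
}
```

The confinement check is only meaningful if the allowed directory and the binaries in it are themselves not writable by unprivileged users; the check here looks at the file's own mode, and a deployment should pair it with authentication on the socket rather than rely on path filtering alone.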
**Recommendations**
Update to a version later than 2.2.3. Because the vulnerable component is the system service installed alongside the application, confirm that the installed `clash-verge-service` is replaced by the update and not only the desktop application.