PT-2026-28395 · Unknown · Coderider-Kilo

Published: 2026-03-27 · Updated: 2026-03-27 · CVE-2026-30302

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CodeRider-Kilo (affected versions not specified)
Description: A flaw exists in the command auto-approval module of CodeRider-Kilo that bypasses its whitelist security mechanism, leading to a potential OS Command Injection. The cause is the use of a Unix-oriented command parser (the shell-quote library) on the Windows platform, combined with a failure to handle the Windows CMD-specific escape character (^). An attacker can craft a payload such as git log ^" & malicious command ^" to exploit this discrepancy: the parser treats the command connector (&) as sitting inside a quoted string, whereas the Windows CMD interpreter treats ^" as an escaped literal quote and executes the command that follows the &, resulting in arbitrary Remote Code Execution (RCE). The vulnerable component utilizes the git log command.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
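As an added illustration, not CodeRider-Kilo's own code, the JavaScript below contrasts a POSIX-style quote scan (the behaviour the advisory attributes to shell-quote) with a scan that honours the CMD `^` escape, and shows how an auto-approval check that uses the CMD-aware scan rejects the payload shape described above. The whitelist, the `echo injected` stand-in for the attacker's command and the function names are assumptions.

```javascript
// CMD treats '&' and '|' (and '&&', '||') as command separators.
const CMD_SEPARATORS = new Set(['&', '|']);

// POSIX-style scan: only '"' toggles quoting; '^' is an ordinary character.
// Returns the positions of separators found outside quotes.
function findUnquotedSeparatorsPosix(cmd) {
  const hits = [];
  let inQuote = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (c === '"') inQuote = !inQuote;
    else if (!inQuote && CMD_SEPARATORS.has(c)) hits.push(i);
  }
  return hits;
}

// CMD-aware scan: outside quotes, '^' escapes the next character, so '^"'
// is a literal quote and does not open a quoted region. Inside quotes '^'
// is literal. (Only the escape case from the advisory is modelled here.)
function findUnquotedSeparatorsCmd(cmd) {
  const hits = [];
  let inQuote = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (c === '^' && !inQuote) { i++; continue; } // skip the escaped character
    if (c === '"') inQuote = !inQuote;
    else if (!inQuote && CMD_SEPARATORS.has(c)) hits.push(i);
  }
  return hits;
}

// Hypothetical auto-approval whitelist check: the command must start with a
// whitelisted prefix and contain no separator unquoted under the rules of the
// shell that will actually run it.
const WHITELIST = ['git log', 'git status'];
function isAutoApprovable(cmd, platform = process.platform) {
  const allowed = WHITELIST.some(p => cmd === p || cmd.startsWith(p + ' '));
  if (!allowed) return false;
  const scan = platform === 'win32' ? findUnquotedSeparatorsCmd
                                    : findUnquotedSeparatorsPosix;
  return scan(cmd).length === 0;
}

// Constructed payload in the shape the advisory describes (benign stand-in).
const PAYLOAD = 'git log ^" & echo injected ^"';
console.log(findUnquotedSeparatorsPosix(PAYLOAD)); // [] : the '&' looks quoted
console.log(findUnquotedSeparatorsCmd(PAYLOAD));   // [11]: '&' is unquoted in CMD
console.log(isAutoApprovable(PAYLOAD, 'win32'));   // false
```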

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-30302

Affected Products: Coderider-Kilo