PT-2026-29102 · Syntx · Syntx

Secsys-Fdu

·

Published

2026-03-30

·

Updated

2026-04-08

·

CVE-2026-30305

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Syntx (affected versions not specified)

Description

The command auto-approval module contains a critical OS command injection issue that bypasses its whitelist security mechanism. The module uses weak regular expressions to parse command structures and fails to account for shell command substitution syntax, specifically $(...) and backticks (`...`). An attacker can craft a command, such as git log --grep="$(malicious command)", which is incorrectly identified as a safe git operation and automatically approved. The underlying shell performs the command substitution before the git command runs, so the injected code is executed first, leading to Remote Code Execution without user interaction. The git log command uses the API endpoint /git/log and the vulnerable parameter grep, which accepts the malicious command variable.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
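An added illustration of the weakness class the description names (a constructed example, not Syntx's own code; the whitelist, function names and sample commands are assumptions): a prefix-only whitelist approver beside a hardened one that refuses to auto-approve any command carrying substitution syntax, generalizing slightly beyond the $(...) and backtick cases to other shell metacharacters.

```typescript
// Added illustration, not Syntx's own code: a prefix-based whitelist approver of
// the kind the advisory describes, beside a hardened version. The whitelist, the
// function names and the sample commands are constructed for this example.

const AUTO_APPROVED_PREFIXES = ["git log", "git status", "git diff"];

// Weak approver: the regex captures only the program and its subcommand and never
// inspects the arguments, so anything beginning "git log" passes, including
// arguments that carry $(...) or backticks.
function naiveAutoApprove(cmd: string): boolean {
  const m = /^\s*([A-Za-z0-9_.-]+(?:\s+[A-Za-z0-9_.-]+)?)/.exec(cmd);
  return m !== null && AUTO_APPROVED_PREFIXES.includes(m[1]);
}

// Constructs that make "one command" run something else. The shell expands
// substitutions before the whitelisted program starts, so their presence anywhere
// on the line (double quotes do not prevent expansion) disqualifies it.
const SHELL_ESCAPES: Array<[RegExp, string]> = [
  [/\$\(/, "$(...) command substitution"],
  [/`/, "backtick command substitution"],
  [/[<>]\(/, "process substitution"],
  [/[;&|<>\r\n]/, "separator, pipe, redirection or newline"],
];

function findShellEscape(cmd: string): string | null {
  for (const [re, label] of SHELL_ESCAPES) if (re.test(cmd)) return label;
  return null;
}

// Hardened approver: whitelist match AND no construct that could smuggle a second
// command. Single-quoted substitutions would not expand, but rejecting them too
// keeps the rule simple; such commands fall back to manual user approval.
function hardenedAutoApprove(cmd: string): { approved: boolean; reason: string } {
  if (!naiveAutoApprove(cmd)) return { approved: false, reason: "not on whitelist" };
  const escape = findShellEscape(cmd);
  if (escape !== null) return { approved: false, reason: `contains ${escape}` };
  return { approved: true, reason: "whitelisted, no shell metacharacters" };
}

// Constructed samples; the second is the pattern quoted in the advisory.
const SAMPLES = [
  "git log --oneline -5",
  'git log --grep="$(malicious command)"',
  "git log --grep=`malicious command`",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "naive:", naiveAutoApprove(s), "hardened:", hardenedAutoApprove(s));
}
```

Running it shows the naive approver accepting all three samples while the hardened one accepts only the first.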

Exploit

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-30305

Affected Products

Syntx