CVE-2026-30313

Name of the Vulnerable Software and Affected Versions DSAI-Cline (affected versions not specified)

Description The command auto-approval module in DSAI-Cline has a critical operating system command injection flaw. The security mechanism, which uses a whitelist, is ineffective because the system validates commands using string-based parsing. While dangerous operators like semicolons (;), double ampersands (&&), double pipes (||), pipes (|), and command substitution patterns are intercepted, raw newline characters embedded within the input are not considered. An attacker can embed a newline character between a whitelisted command and malicious code (for example, git log malicious command), causing DSAI-Cline to incorrectly identify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, leading to Remote Code Execution without any user interaction.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.