PT-2026-29252 · Infcode+1

Secsys-Fdu · Published 2026-03-31 · Updated 2026-03-31 · CVE-2026-30309

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

InfCode (affected versions not specified)

Description

The terminal auto-execution module in InfCode has a critical command filtering issue that makes its blacklist ineffective. The blacklist does not include native high-risk commands in Windows PowerShell, such as powershell. The matching algorithm also cannot recognize string concatenation, variable assignment, or double-quote interpolation in Shell syntax, so it performs no dynamic semantic parsing of the command it is checking. Attackers can bypass interception using simple syntax obfuscation. An attacker can craft a malicious file containing instructions for remote code injection. When a user imports and views this file in the IDE, the Agent executes dangerous PowerShell commands outside the blacklist without user confirmation, potentially leading to arbitrary command execution or sensitive data leakage.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
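The filtering weakness in the description can be seen by running a substring blacklist and a default-deny allowlist gate over the same commands. This is an added example, not InfCode's code: the function names, both lists and the sample commands are constructed for illustration.

```javascript
// Added example; every name, list entry and sample below is constructed.
const BLACKLIST = ["remove-item", "invoke-expression"];

// Weak check: substring match on the raw text, as a blacklist filter does.
function blacklistAllows(command) {
  const text = command.toLowerCase();
  return !BLACKLIST.some((word) => text.includes(word));
}

// Hardened check: only exact, literal commands may run unattended.
const ALLOWLIST = new Set(["git status", "git log --oneline", "node --version"]);

// Characters that let the shell compute, chain or redirect a command.
const DYNAMIC_SYNTAX = /[$`'"+;|&(){}<>\r\n%^@]/;

// Returns { decision: "auto" | "confirm", reason } for one agent command.
function gate(command) {
  const normalized = command.trim().split(/\s+/).join(" ").toLowerCase();
  if (normalized === "" || DYNAMIC_SYNTAX.test(normalized)) {
    return { decision: "confirm", reason: "dynamic-syntax" };
  }
  if (!ALLOWLIST.has(normalized)) {
    return { decision: "confirm", reason: "not-allowlisted" };
  }
  return { decision: "auto", reason: "allowlisted" };
}

// Constructed samples: one per evasion class named in the description.
const SAMPLES = {
  literal: "Remove-Item .\\build",
  unlisted: "powershell -Command Get-Date",
  concatenation: "& ('Remove' + '-Item') .\\build",
  variable: "$a = 'Remove'; & \"$a-Item\" .\\build",
  interpolation: "& \"Remove-$('Item')\" .\\build",
};

// Report how each check treats each sample.
function compare() {
  return Object.entries(SAMPLES).map(([kind, cmd]) => ({
    kind,
    blacklistAllows: blacklistAllows(cmd),
    gate: gate(cmd).decision,
  }));
}

console.table(compare());
```

The blacklist stops only the literal form, while the gate sends every sample to user confirmation because none is an exact allowlisted command.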

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-30309

Affected Products

Infcode
Windows Powershell