PT-2026-29254 · Unknown · Dsai-Cline

Necboy +1 · Published 2026-03-31 · Updated 2026-03-31 · CVE-2026-30312

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DSAI-Cline (affected versions not specified)

Description: The command auto-approval module in DSAI-Cline has a critical OS command injection issue that bypasses its whitelist. The module validates commands with string-based parsing that blocks operators such as ;, &&, ||, |, and command substitution, but it does not handle newline characters in the input. An attacker can embed a newline character between a permitted command and malicious code (for example, git log, then a newline, then a malicious command). DSAI-Cline incorrectly identifies this as a safe operation and automatically approves it. The PowerShell interpreter then executes both commands sequentially, leading to Remote Code Execution without user interaction.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
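
The validation gap in the description, shown as an added example that is not DSAI-Cline's own code: an operator blocklist with no line-break check, next to a stricter check that rejects any multi-line input first. The allowlist, function names and sample commands are assumptions constructed for illustration.

```javascript
// Added example. Names and allowlist are hypothetical, not DSAI-Cline source.
const ALLOWED = ["git log", "git status", "git diff"];
const BLOCKED_OPERATORS = [";", "&&", "||", "|", "$(", "`"];

// True when the first two whitespace-separated tokens form an allowlisted command.
function matchesAllowlist(command) {
  const tokens = command.trim().split(/\s+/); // \s also matches \n and \r
  return ALLOWED.includes(tokens.slice(0, 2).join(" "));
}

// Weak form: the operator blocklist the advisory describes, no line-break check.
function naiveAutoApprove(command) {
  if (BLOCKED_OPERATORS.some((op) => command.includes(op))) return false;
  return matchesAllowlist(command);
}

// Control characters and Unicode line separators, rejected outright (conservative).
const LINE_BREAK_OR_CONTROL = /[\u0000-\u001f\u007f\u0085\u2028\u2029]/;

// Hardened form: refuse anything that is not a single line before other checks.
function strictAutoApprove(command) {
  if (typeof command !== "string" || LINE_BREAK_OR_CONTROL.test(command)) {
    return { approved: false, reason: "control character or line break" };
  }
  if (BLOCKED_OPERATORS.some((op) => command.includes(op))) {
    return { approved: false, reason: "shell operator" };
  }
  if (!matchesAllowlist(command)) {
    return { approved: false, reason: "not on allowlist" };
  }
  return { approved: true, reason: "single allowlisted command" };
}

// Simplified model of how a shell reads the input: one statement per line.
function statementsSeenByShell(command) {
  return command.split(/\r\n|\r|\n/).map((s) => s.trim()).filter(Boolean);
}

// Constructed inputs; the second statements are harmless stand-ins.
const samples = ["git log --oneline", "git log; Write-Output x", "git log\nWrite-Output injected"];
for (const cmd of samples) {
  console.log(JSON.stringify(cmd), "naive:", naiveAutoApprove(cmd),
    "strict:", strictAutoApprove(cmd).approved,
    "statements:", statementsSeenByShell(cmd).length);
}
```

The third sample is approved by the weak check even though it contains two statements, which is the mismatch between validator and interpreter that the description reports.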

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-30312

Affected Products

Dsai-Cline