CVE-2026-30314

Name of the Vulnerable Software and Affected Versions Ridvay Code (affected versions not specified)

Description The command auto-approval module contains a critical OS command injection issue that bypasses its whitelist security mechanism. The system uses regular expressions to parse commands, but these expressions are insufficient to prevent exploitation through Shell command substitution using $(...) and backticks (...). An attacker can inject malicious code within arguments, such as in a git log --grep="$(malicious command)" command, which the system incorrectly identifies as safe. This allows for Remote Code Execution without user interaction. The git log API endpoint is vulnerable, specifically with the grep parameter. The vulnerable variable is malicious command.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.