PT-2026-39616 · Gpt-Pilot · Gpt-Pilot

Published 2026-05-11 · Updated 2026-05-11 · CVE-2026-31246

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: GPT-Pilot versions prior to commit 0819827ce20346ef5f25b3fe29293cb448840565

Description: Command injection occurs in the Executor.run() method. During project execution, the system accepts free-text input for confirming or modifying commands without proper validation. This input is passed directly to asyncio.create_subprocess_shell(), allowing an attacker to execute arbitrary shell commands with the privileges of the GPT-Pilot process.

Recommendations: Update to a version beyond commit 0819827ce20346ef5f25b3fe29293cb448840565. As a temporary workaround, restrict the use of the Executor.run() method to trusted users only.
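The following added example is not GPT-Pilot's code; it contrasts the vulnerable pattern the advisory describes (free-text confirmation spliced into a shell string) with a hardened variant that tokenizes the input and passes an allowlisted argv to asyncio.create_subprocess_exec(). The function names, the ALLOWED_PROGRAMS set and the "empty or yes means confirm" convention are assumptions for illustration.

```python
import asyncio
import shlex
from typing import List, Optional

# Hypothetical allowlist of programs the agent is permitted to launch.
ALLOWED_PROGRAMS = {"ls", "pytest", "npm", "python"}

# Shell metacharacters that must never reach a spawned process, even as literals.
FORBIDDEN_FRAGMENTS = (";", "|", "&", ">", "<", "`", "$(", "\n")


async def run_unsafe(command: str, user_input: str) -> int:
    """Vulnerable pattern: the user's free-text reply replaces or becomes the
    command and is handed to a shell, so 'ls; rm -rf ~' runs both commands."""
    final = user_input.strip() or command
    proc = await asyncio.create_subprocess_shell(final)
    return await proc.wait()


def validate_command(command: str, user_input: str) -> Optional[List[str]]:
    """Return an argv list for the confirmed or modified command, or None if the
    input must be rejected. Assumption: empty, 'y' or 'yes' confirms `command`."""
    text = user_input.strip()
    if text.lower() in ("", "y", "yes"):
        text = command
    try:
        argv = shlex.split(text)  # shell-like tokenizing without invoking a shell
    except ValueError:
        return None  # unbalanced quotes
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    # create_subprocess_exec passes tokens verbatim, but reject metacharacters
    # anyway so a later refactor back to a shell cannot silently reopen the hole.
    if any(frag in tok for tok in argv for frag in FORBIDDEN_FRAGMENTS):
        return None
    return argv


async def run_hardened(command: str, user_input: str) -> int:
    """Hardened pattern: validated argv, no shell, exit status returned."""
    argv = validate_command(command, user_input)
    if argv is None:
        raise ValueError("command rejected by validation")
    proc = await asyncio.create_subprocess_exec(*argv)
    return await proc.wait()


if __name__ == "__main__":
    print(asyncio.run(run_hardened("ls -la", "yes")))
```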

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2026-31246
GHSA-M85W-WHWH-QVFX

Affected Products

Gpt-Pilot