PT-2026-40728 · Uniget Org · Cli
0X5T4L1N
Published: 2026-05-13 · Updated: 2026-05-28
CVE-2026-45152
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: uniget versions prior to 0.27.1

Description: A command injection issue exists in uniget, a universal installer and updater for container tools. The problem occurs because the check field from JSON metadata files is loaded and executed using /bin/bash -c without proper validation or sanitization. An attacker can craft malicious metadata to execute arbitrary shell commands with the privileges of the user running the software when performing operations such as describe, install, update, or inspect. This is specifically triggered within the RunVersionCheck() function, where the tool.Check variable is passed directly to the shell, allowing shell metacharacters to be interpreted.

Recommendations: Update to version 0.27.1. As a temporary workaround, avoid using metadata files from untrusted sources to prevent the execution of malicious commands via the check field.
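The pattern described above next to one way to harden it, written for this entry as an illustration (it is not uniget's code and not the fix shipped in 0.27.1, which may differ); the Tool struct, the validation rule and the sample check strings are assumptions.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Tool is a hypothetical stand-in for uniget's metadata struct.
type Tool struct {
	Check string // version-check command read from the JSON metadata
}

// vulnerableCheckCommand is the pattern the advisory describes: bash parses the string.
func vulnerableCheckCommand(t Tool) *exec.Cmd {
	return exec.Command("/bin/bash", "-c", t.Check)
}

// shellMeta matches characters that change meaning under a shell.
var shellMeta = regexp.MustCompile("[;&|<>`$(){}\\[\\]*?!\\\\\"'\n\r]")

// validateCheck rejects empty or metacharacter-bearing checks and splits the rest into argv.
func validateCheck(check string) ([]string, error) {
	if strings.TrimSpace(check) == "" {
		return nil, fmt.Errorf("check field is empty")
	}
	if shellMeta.MatchString(check) {
		return nil, fmt.Errorf("check field contains shell metacharacters: %q", check)
	}
	return strings.Fields(check), nil
}

// hardenedCheckCommand passes argv straight to the program: no shell ever
// parses the metadata-supplied string, so there is nothing to inject into.
func hardenedCheckCommand(t Tool) (*exec.Cmd, error) {
	argv, err := validateCheck(t.Check)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	// Constructed sample checks; neither string comes from a real uniget tool.
	for _, c := range []string{"sample --version", "sample --version; echo injected"} {
		cmd, err := hardenedCheckCommand(Tool{Check: c})
		fmt.Printf("%q -> built=%v err=%v\n", c, cmd != nil, err)
	}
}
```

Refusing metacharacters also blocks legitimate checks that relied on pipes or redirection; where those are needed, carrying the check as a structured argv array in the metadata rather than a shell string keeps the same guarantee.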

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2026-45152, GHSA-QQQ4-5773-PMW5

Affected Products: Cli (Gitlab.Com/Uniget-Org/Cli)