CVE-2026-45369

Name of the Vulnerable Software and Affected Versions python-utcp versions prior to 1.1.3

Description The substitute utcp args method in cli communication protocol.py inserts user-controlled tool args values directly into shell command strings without sanitization or escaping. These commands are executed via /bin/bash -c on Unix or powershell.exe -Command on Windows, allowing an unauthenticated attacker to inject shell metacharacters such as ;, |, &, backticks, and $() to achieve remote code execution on the host system.

Recommendations Update to version 1.1.3 or newer. As a temporary workaround, refuse all attacker-controlled tool args.