Cyber Resilience

CVE-2026-10219

Severity: Medium
Published: 01 June 2026
Modified: 01 June 2026
KEV added: not listed
Patch: pending (open pull request, not yet merged)
CVSS v4 score: 5.5 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0134 (67.5th percentile)
Risk priority: 12 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-10219 is a medium-severity command injection (CWE-77) vulnerability with a CVSS base score of 5.5 (Medium).

Operationally, it ranks in the top 32.5% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability identified as CVE-2026-10219 exists in nextlevelbuilder GoClaw up to and including version 3.11.3. It is located in the FsBridge.WriteFile function of the file internal/sandbox/fsbridge.go, within the write_file Tool component, and stems from improper neutralization of input that permits operating system command injection, corresponding to CWE-77 and CWE-78.

The flaw can be exploited remotely by an unauthenticated attacker who supplies crafted input to the affected function, resulting in command execution with limited effects on confidentiality, integrity, and availability per the CVSS 5.5 rating. Public exploit code for the issue has already been released.

References point to an open pull request in the GoClaw repository that is intended to resolve the command injection but has not yet been accepted.

The associated EPSS score remains at 0.0176 with no material change from its recorded peak.


Vulnerability details

A vulnerability was found in nextlevelbuilder GoClaw up to 3.11.3. This impacts the function FsBridge.WriteFile of the file internal/sandbox/fsbridge.go of the component write_file Tool. Performing a manipulation results in OS command injection. The attack can be carried out remotely. The exploit has been made public and could be used. The pull request to fix this issue awaits acceptance.

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

CVEs Like This One

CVE-2026-5352 (shared: CWE-77, CWE-78)
CVE-2026-7037 (shared: CWE-77, CWE-78)
CVE-2025-1339 (shared: CWE-77, CWE-78)
CVE-2026-8229 (shared: CWE-77, CWE-78)
CVE-2026-5688 (shared: CWE-77, CWE-78)
CVE-2026-9404 (shared: CWE-77, CWE-78)
CVE-2026-2544 (shared: CWE-77, CWE-78)
CVE-2026-48694 (shared: CWE-77, CWE-78)
CVE-2025-8825 (shared: CWE-77, CWE-78)
CVE-2025-3002 (shared: CWE-77, CWE-78)

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control 1 (addresses CWE-78): Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Control 2 (addresses CWE-78): Validates inputs to block special elements that would alter OS command execution.
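As an added illustration of the second control above and of the write_file weakness described under "Deeper analysis", here is a hypothetical Go file-write handler; it is not code from the GoClaw project, and the actual FsBridge.WriteFile is not shown on this page. It validates the requested path (rejecting shell metacharacters and traversal), confines it to a sandbox root, and writes with os.WriteFile instead of handing the name to a shell, which removes the CWE-78 sink rather than trying to escape around it. The names ValidateRelPath and SafeWriteFile are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadPath is returned for any path that fails validation.
var ErrBadPath = errors.New("write_file: path rejected")

// Shell metacharacters: a file tool never needs them in a name, so they are
// rejected outright instead of escaped (the CWE-78 input-validation control).
const shellMeta = ";|&$`<>(){}[]*?!'\"\\\n\r\x00"

// ValidateRelPath accepts only a non-empty relative path with no shell
// metacharacters and no leading ".." component after cleaning.
func ValidateRelPath(rel string) error {
	if rel == "" || filepath.IsAbs(rel) || strings.ContainsAny(rel, shellMeta) {
		return ErrBadPath
	}
	c := filepath.Clean(rel)
	if c == "." || c == ".." || strings.HasPrefix(c, ".."+string(filepath.Separator)) {
		return ErrBadPath
	}
	return nil
}

// SafeWriteFile writes data to rel beneath root (an absolute directory).
// The resolved path is confined to root and written with os.WriteFile, so no
// shell ever sees user-controlled input.
func SafeWriteFile(root, rel string, data []byte) (string, error) {
	if err := ValidateRelPath(rel); err != nil {
		return "", err
	}
	target := filepath.Join(root, rel) // Join cleans, so "../x" is caught below
	if !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", ErrBadPath // defence in depth: never leave the sandbox root
	}
	return target, os.WriteFile(target, data, 0o640)
}

func main() {
	dir, _ := os.MkdirTemp("", "fsbridge-demo") // constructed sandbox root
	defer os.RemoveAll(dir)
	for _, rel := range []string{"readme.txt", "notes.txt; id", "../escape.txt"} {
		_, err := SafeWriteFile(dir, rel, []byte("hello"))
		fmt.Printf("%-16q accepted=%v\n", rel, err == nil)
	}
}
```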
