CVE-2026-28801
Published: 06 March 2026
Summary
CVE-2026-28801 is a medium-severity Code Injection (CWE-94) vulnerability in Natroteam Natro Macro. Its CVSS base score is 6.6 (Medium).
Exploitation aligns with the MITRE ATT&CK technique AutoHotKey & AutoIT (T1059.010). The CVE ranks at the 6.3rd percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables arbitrary AutoHotkey code execution from unvalidated user-supplied files (T1059.010) and requires a user to load the malicious file for exploitation (T1204.002).
NVD Description
Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, any ahk code contained inside of a pattern or path file is executed by the macro. Since users commonly share path/pattern files, an attacker could share a file containing malicious code, which is then executed by the program. This code can operate in silence alongside the pattern, running in the background to do whatever the attacker pleases. This issue has been patched in version 1.1.0.
Deeper analysis
CVE-2026-28801 is a code injection vulnerability (CWE-94) affecting Natro Macro, an open-source AutoHotkey-based macro for the Bee Swarm Simulator game. In versions prior to 1.1.0, the software executes arbitrary AutoHotkey (AHK) code embedded within user-supplied pattern or path files. This flaw arises because the macro directly interprets and runs AHK scripts from these files without validation, enabling unintended code execution. The vulnerability carries a CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An attacker can exploit this vulnerability by crafting and sharing a malicious pattern or path file containing hidden AHK code, leveraging the common practice of users exchanging such files within the Bee Swarm Simulator community. Exploitation requires local access to the victim's system, low privileges, and user interaction to load the file into Natro Macro. Successful exploitation allows the malicious code to execute silently in the background alongside legitimate macro functionality, with high impact on confidentiality and integrity (for example stealing data, modifying files, or performing other arbitrary actions) and no impact on availability.
The GitHub security advisory at https://github.com/NatroTeam/NatroMacro/security/advisories/GHSA-c5gm-vfvf-pwhx confirms the issue and states that it has been fully addressed in Natro Macro version 1.1.0, recommending that users upgrade immediately to mitigate the risk. No additional workarounds are detailed in the provided information.
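A triage check for shared pattern or path files received while still on a version prior to 1.1.0, as an added example (not code from Natro Macro or the advisory). It flags lines that use AutoHotkey built-ins reaching beyond keyboard and mouse input; the rule list, the `scan_pattern` name and the sample file are assumptions constructed for illustration.

```python
import re

# Assumption: AutoHotkey built-ins and directives that act beyond key/mouse
# input. The names exist in AutoHotkey; the selection is ours, not the project's.
SUSPICIOUS = {
    "process":  r"\b(?:Run|RunWait|DllCall|ComObject|ComObjCreate)\b",
    "file":     r"\b(?:FileAppend|FileDelete|FileCopy|FileMove|FileOpen|FileRead)\b",
    "registry": r"\b(?:RegWrite|RegDelete|RegRead)\b",
    "network":  r"\b(?:Download|UrlDownloadToFile)\b",
    "include":  r"^\s*#Include\b",
    "dynamic":  r"%[^%\n]+%",  # dynamic name dereference can hide any call
}
# AutoHotkey names are case-insensitive, so the rules are too.
RULES = {cat: re.compile(rx, re.IGNORECASE) for cat, rx in SUSPICIOUS.items()}

# Constructed sample: plain movement lines followed by one injected call.
SAMPLE = '''\
loop 4 {
    Send "{w down}"
    Sleep 500
    Send "{w up}"
}
Run "placeholder.exe"
'''

def scan_pattern(text):
    """Return (line_no, category, line) for each suspicious line.

    Comments are scanned as well: over-reporting is the safe direction,
    and skipping them would need a real AutoHotkey tokenizer.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for cat, rx in RULES.items():
            if rx.search(line):
                findings.append((no, cat, line.strip()))
    return findings

if __name__ == "__main__":
    for no, cat, line in scan_pattern(SAMPLE):
        print(f"line {no}: [{cat}] {line}")
```

A hit is grounds to reject the file; a clean result does not prove the file safe, so upgrading to 1.1.0 remains the fix.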
Details
- CWE(s)