CVE-2026-30306
Published: 30 March 2026
Summary
CVE-2026-30306 is a critical-severity Code Injection (CWE-94) vulnerability in Rahmanazhar Sakadev. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 9.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates validation of inputs to the LLM command classifier, directly preventing prompt injection attacks that mislead the model into approving arbitrary malicious commands as safe.
AC-3 enforces access control policies for terminal command execution, providing a mechanism to require additional verification beyond the vulnerable LLM classification.
AC-6 applies least privilege to limit the impact of arbitrary command execution by restricting the privileges available to the VS Code extension and executed commands.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes unauthenticated remote exploitation of a VS Code extension (client application) via prompt injection to bypass LLM safety checks, directly resulting in arbitrary terminal command execution on the victim host.
NVD Description
In its design for automatic terminal command execution, SakaDev offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if…
more
the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
Deeper analysisAI
CVE-2026-30306 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting SakaDev, a Visual Studio Code extension for terminal command execution. The flaw resides in SakaDev's design for automatic command execution, which provides two options: "Execute safe commands" and "execute all commands." In safe mode, an LLM model classifies commands as safe for automatic execution or potentially destructive, requiring user approval. This mechanism is susceptible to prompt injection attacks (CWE-94), allowing attackers to bypass safety checks.
A remote attacker can exploit this vulnerability without authentication or user interaction by crafting a generic prompt template that wraps arbitrary malicious commands. The injected prompt misleads the LLM into misclassifying the payload as safe, enabling automatic execution and resulting in full arbitrary command execution on the victim's system, with high impact on confidentiality, integrity, and availability.
Mitigation details are available in the referenced advisories, including the GitHub issue at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/4 and the extension listing at https://marketplace.visualstudio.com/items?itemName=rahmanazhar.saka-dev.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: prompt injection