Cyber Resilience

CVE-2026-30306

Critical · RCE

Published: 30 March 2026

Modified: 08 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0068 (47.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-30306 is a critical-severity Code Injection (CWE-94) vulnerability in Rahmanazhar Sakadev. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 47.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-30306 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting SakaDev, a Visual Studio Code extension for terminal command execution. The flaw resides in SakaDev's design for automatic command execution, which provides two options: "Execute safe commands" and "execute all commands." In safe mode, an LLM classifies each command as either safe for automatic execution or potentially destructive, in which case user approval is required. This mechanism is susceptible to prompt injection attacks (CWE-94), allowing attackers to bypass safety checks.

A remote attacker can exploit this vulnerability without authentication or user interaction by crafting a generic prompt template that wraps arbitrary malicious commands. The injected prompt misleads the LLM into misclassifying the payload as safe, enabling automatic execution and resulting in full arbitrary command execution on the victim's system, with high impact on confidentiality, integrity, and availability.

Mitigation details are available in the referenced advisories, including the GitHub issue at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/4 and the extension listing at https://marketplace.visualstudio.com/items?itemName=rahmanazhar.saka-dev.


Vulnerability details

In its design for automatic terminal command execution, SakaDev offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.


AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: prompt injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The CVE describes unauthenticated remote exploitation of a VS Code extension (client application) via prompt injection to bypass LLM safety checks, directly resulting in arbitrary terminal command execution on the victim host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-54063 (Shared CWE-94)
CVE-2026-34060 (Shared CWE-94)
CVE-2025-55733 (Shared CWE-94)
CVE-2026-41282 (Shared CWE-94)
CVE-2025-67744 (Shared CWE-94)
CVE-2026-6543 (Shared CWE-94)
CVE-2026-41137 (Shared CWE-94)
CVE-2026-30308 (Shared CWE-94)
CVE-2026-31233 (Shared CWE-94)
CVE-2026-22793 (Shared CWE-94)

Affected Assets

rahmanazhar sakadev, versions ≤ 4.0.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 mandates validation of inputs to the LLM command classifier, directly preventing prompt injection attacks that mislead the model into approving arbitrary malicious commands as safe.

Prevent: AC-3 enforces access control policies for terminal command execution, providing a mechanism to require additional verification beyond the vulnerable LLM classification.

Prevent: AC-6 applies least privilege to limit the impact of arbitrary command execution by restricting the privileges available to the VS Code extension and executed commands.
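
The AC-3 point above, that automatic execution needs a check beyond the LLM's classification, shown as an added example (not SakaDev's code and not taken from the advisory): a deterministic gate that auto-executes only when the model says "safe" and the command also passes a static allowlist. The names `gateCommand`, `passesStaticPolicy`, `READ_ONLY` and the allowlist contents are assumptions.

```typescript
// Added example, not SakaDev code. gateCommand, passesStaticPolicy,
// READ_ONLY and the allowlist contents are hypothetical.
type LlmVerdict = "safe" | "destructive";
type Decision = "auto-execute" | "ask-user";

// Constructed allowlist: program -> permitted first arguments (null = any).
const READ_ONLY: Record<string, string[] | null> = {
  ls: null,
  pwd: null,
  git: ["status"],
};

// Characters that chain commands, substitute, redirect, quote or expand.
// The model's opinion is never consulted about these: any hit goes to a human.
const SHELL_META = /[;&|`$(){}<>\\\n\r'"*?~!#]/;

function passesStaticPolicy(command: string): boolean {
  if (SHELL_META.test(command)) return false;
  const [program, ...args] = command.trim().split(/\s+/);
  if (!program) return false;
  // hasOwnProperty keeps inherited keys such as "constructor" off the list.
  const allowed = Object.prototype.hasOwnProperty.call(READ_ONLY, program)
    ? READ_ONLY[program]
    : undefined;
  if (allowed === undefined) return false;
  if (allowed === null) return true;
  const first = args[0];
  return first !== undefined && allowed.indexOf(first) !== -1;
}

// The LLM verdict can only add friction, never remove it: "safe" from the
// model is necessary but not sufficient for automatic execution.
function gateCommand(command: string, llmVerdict: LlmVerdict): Decision {
  if (llmVerdict !== "safe") return "ask-user";
  return passesStaticPolicy(command) ? "auto-execute" : "ask-user";
}
```

The string passed to the gate has to be the exact string handed to the terminal; checking one form and executing another reopens the bypass.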
