CVE-2026-30310
Published: 31 March 2026
Summary
CVE-2026-30310 is a critical-severity Command Injection (CWE-77) vulnerability in Trysixth (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations within the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-30310, published on 2026-03-31, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Sixth, a tool for automatic terminal command execution. Sixth provides two modes: "Execute safe commands," where an AI model classifies commands as safe for automatic execution or flags potentially destructive ones for user approval, and "Execute all commands." The flaw arises from the safe mode's design being highly susceptible to prompt injection attacks (CWE-77: Command Injection), allowing attackers to manipulate the model's judgment.
Any remote attacker can exploit this vulnerability without privileges or user interaction by using a generic template to wrap arbitrary malicious commands in input prompts. This misleads the model into misclassifying the payload as safe, bypassing the user approval requirement and enabling arbitrary command execution on the target system with full confidentiality, integrity, and availability impact.
Mitigation details are available in advisories referenced at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/12 and https://trysixth.com/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17410
Vulnerability details
In its design for automatic terminal command execution, Sixth offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
- CWE(s): CWE-77 (Command Injection)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: prompt injection
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Remote unauthenticated prompt injection (CWE-77) directly enables arbitrary Unix shell command execution by bypassing the AI safety classifier in a publicly accessible tool.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Validates and sanitizes user prompts prior to AI model processing to block prompt injection attacks that trick the model into classifying malicious commands as safe.
- CM-7 (Least Functionality): Restricts the system to least functionality by disabling or hardening the vulnerable AI-based 'safe commands' auto-execution mode.
- Enforces least privilege on the command execution context to limit the scope and impact of arbitrary commands executed via prompt injection.
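As an added illustration of the CM-7 and SI-10 controls above (example code written for this page, not Sixth's own implementation), the gate below treats the model's "safe" verdict as advisory only: a command auto-executes only when a deterministic allowlist also agrees, and anything containing shell operators or substitutions fails closed to user approval. The allowlist contents and the `gate_command` name are assumptions for the example.

```python
import re
import shlex
from dataclasses import dataclass

# Hypothetical allowlist of read-only programs; a deployment would tune it.
SAFE_PROGRAMS = {"ls", "cat", "pwd", "grep", "head", "tail", "git"}
# Only these git subcommands are treated as non-destructive (assumption).
SAFE_GIT_SUBCOMMANDS = {"status", "log", "diff", "show", "branch"}
# Any shell operator, substitution or redirection makes the command opaque
# to an argv-level check, so its presence alone forces user approval.
SHELL_META = re.compile(r"[;&|<>`$(){}\\\n]")


@dataclass(frozen=True)
class Decision:
    auto_execute: bool
    reason: str


def gate_command(command: str, model_verdict: str) -> Decision:
    """Decide whether `command` may run without asking the user.

    `model_verdict` is the AI classifier's output ("safe" or anything else).
    It is advisory only: a command auto-executes when BOTH the model called
    it safe AND the deterministic allowlist agrees. Every other case fails
    closed to user approval, so a prompt-injected "safe" label on a
    destructive command no longer bypasses the approval step.
    """
    if model_verdict != "safe":
        return Decision(False, "model did not classify as safe")
    if SHELL_META.search(command):
        return Decision(False, "shell metacharacter present; approval required")
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return Decision(False, f"unparseable command: {exc}")
    if not argv:
        return Decision(False, "empty command")
    program = argv[0].rsplit("/", 1)[-1]  # compare the basename only
    if program not in SAFE_PROGRAMS:
        return Decision(False, f"{program!r} is not in the read-only allowlist")
    if program == "git" and (len(argv) < 2 or argv[1] not in SAFE_GIT_SUBCOMMANDS):
        return Decision(False, "git subcommand is not in the read-only allowlist")
    return Decision(True, "model verdict and allowlist agree")


if __name__ == "__main__":
    # Constructed sample: the model has (wrongly) labelled every one "safe".
    for cmd in ["ls -la", "git status", "rm -rf /", "ls; rm -rf /", "git push --force"]:
        d = gate_command(cmd, "safe")
        print(f"{cmd!r:22} auto={d.auto_execute!s:5} {d.reason}")
```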