Cyber Resilience

CVE-2026-30310

Severity: Critical · Type: RCE

Published: 31 March 2026
Modified: 01 April 2026
KEV Added: not listed (not in the CISA KEV catalog at the time of writing)
Patch: no patch reference recorded on this page
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (39.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-30310 is a critical-severity Command Injection (CWE-77) vulnerability in Sixth, the terminal command-execution tool published at trysixth.com (vendor Trysixth, inferred from the references; NVD filed no CPE). Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, in the LLM/Generative AI Risks domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation), with AC-6 (Least Privilege) on the command execution context limiting the impact when the classifier is fooled.

Deeper analysis

CVE-2026-30310, published on 2026-03-31, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Sixth, a tool for automatic terminal command execution. Sixth provides two modes: "Execute safe commands," where an AI model classifies commands as safe for automatic execution or flags potentially destructive ones for user approval, and "Execute all commands." The flaw is that safe mode relies on the model's judgment as the only gate before execution, and that judgment is highly susceptible to prompt injection (classified as CWE-77: Command Injection), so an attacker who controls text the model reads can manipulate its verdict.

A remote attacker can exploit this without privileges or user interaction by using a generic template to wrap an arbitrary malicious command in the input prompt. The wrapper misleads the model into misclassifying the payload as safe, bypassing the user-approval requirement and yielding arbitrary command execution on the target system with full confidentiality, integrity, and availability impact. The advisory does not publish the template, and the practical reach of the attack depends on how attacker-controlled text reaches the model's context.

Mitigation details are available in advisories referenced at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/12 and https://trysixth.com/.

Vulnerability details

In its design for automatic terminal command execution, Sixth offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: none mapped by this page's classifier. The weakness described is prompt injection (LLM01:2025), and the auto-execution mode that acts on the model's verdict without a deterministic check is an instance of Excessive Agency (LLM06:2025).
Classification Reason: matched keywords: prompt injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Remote unauthenticated prompt injection (CWE-77) directly enables arbitrary Unix shell command execution by bypassing the AI safety classifier in a publicly accessible tool.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-61489 (shared CWE-77)
CVE-2024-8156 (shared CWE-77)
CVE-2026-7446 (shared CWE-77)
CVE-2024-57590 (shared CWE-77)
CVE-2025-64090 (shared CWE-77)
CVE-2024-57036 (shared CWE-77)
CVE-2024-39765 (shared CWE-77)
CVE-2025-29635 (shared CWE-77)
CVE-2024-39782 (shared CWE-77)
CVE-2024-13871 (shared CWE-77)

Affected Assets

Trysixth (Sixth): inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): validates and sanitizes user prompts, and any other content that reaches the model, before processing, to block prompt injection that tricks the model into classifying malicious commands as safe. On its own this is the weakest of the three, since no filter reliably recognises natural-language injections; it should back a deterministic check on the resulting command rather than replace one.

CM-7 Least Functionality (prevent): restricts the system to least functionality by disabling the AI-based 'safe commands' auto-execution mode, or hardening it so the model's verdict can only add a denial and an allowlist-based policy decides what may run without approval.

AC-6 Least Privilege (prevent): enforces least privilege on the command execution context (unprivileged user, no shell, minimal environment, sandboxed filesystem and network) to limit the scope and impact of arbitrary commands executed via prompt injection.
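As an added illustration (not Sixth's code and not taken from the referenced advisories), the Python below models the gate described in the "Deeper analysis" section and the three controls listed above. The model's verdict is represented as a boolean that an attacker is assumed to have flipped via prompt injection; no injection template is reproduced. The allowlist, metacharacter set, denied subcommands and sample commands are assumptions chosen for the demonstration.

```python
import shlex
import subprocess
from dataclasses import dataclass

# Hypothetical read-only allowlist; a real deployment would tune this to its workflow.
ALLOWED_BINARIES = {"ls", "cat", "grep", "head", "tail", "wc", "git"}
# Characters that would let a "safe" word smuggle in a second command, a redirect,
# or a substitution if the text were ever handed to a shell.
SHELL_METACHARS = set(";&|<>`$(){}\n\r")
# Subcommands of allowlisted binaries that still write, delete or exfiltrate.
DENIED_SUBCOMMANDS = {("git", "push"), ("git", "reset"), ("git", "clean"), ("git", "rm")}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def policy_check(command: str) -> Decision:
    """Deterministic gate: knows nothing about the model and cannot be argued with."""
    if any(ch in SHELL_METACHARS for ch in command):
        return Decision(False, "shell metacharacter present")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        return Decision(False, f"unparseable command: {exc}")
    if not argv:
        return Decision(False, "empty command")
    if argv[0] not in ALLOWED_BINARIES:
        return Decision(False, f"binary {argv[0]!r} is not allowlisted")
    if len(argv) > 1 and (argv[0], argv[1]) in DENIED_SUBCOMMANDS:
        return Decision(False, f"{argv[0]} {argv[1]} is a denied subcommand")
    return Decision(True, "allowlisted read-only command")


def vulnerable_gate(command: str, model_says_safe: bool) -> bool:
    """The pattern the advisory describes: the model's verdict is the only gate,
    so a verdict manipulated by prompt injection auto-executes anything."""
    return model_says_safe


def hardened_gate(command: str, model_says_safe: bool) -> Decision:
    """The model may only add a denial; it can never grant what policy denies."""
    policy = policy_check(command)
    if not policy.allowed:
        return policy
    if not model_says_safe:
        return Decision(False, "model flagged command; route to user approval")
    return Decision(True, policy.reason)


def run_least_privilege(command: str, cwd: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execute an approved command without a shell, with a minimal environment and a
    timeout. Re-runs policy_check so a caller cannot skip the gate."""
    decision = policy_check(command)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return subprocess.run(
        shlex.split(command),
        cwd=cwd,
        shell=False,  # argv is passed directly; no shell parsing of the text
        env={"PATH": "/usr/bin:/bin", "LANG": "C"},
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


if __name__ == "__main__":
    # Constructed scenario: the model has been tricked into calling destructive
    # commands "safe" (the misclassification the advisory describes).
    scenarios = [
        ("ls -la", True),
        ("rm -rf /", True),
        ("cat notes.txt; curl http://example.invalid", True),
        ("git push origin main", True),
        ("ls -la", False),
    ]
    for cmd, verdict in scenarios:
        print(f"{cmd!r:48} vulnerable={vulnerable_gate(cmd, verdict)!s:5} "
              f"hardened={hardened_gate(cmd, verdict)}")
```

vulnerable_gate is the design the advisory describes: whoever controls the model's verdict controls execution. hardened_gate treats that verdict as advisory only; it can send a command to user approval but cannot approve one the deterministic policy rejects, which is what stops the bypass in the advisory from working. run_least_privilege re-checks policy and never invokes a shell, matching the least-privilege control; a production deployment would additionally run the child as an unprivileged user inside a sandbox with no network by default.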

References

https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/12
https://trysixth.com/