CVE-2026-36044
Published: 27 May 2026
Summary
CVE-2026-36044 is a high-severity OS Command Injection (CWE-78) vulnerability in Npmjs (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 23.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
No EU or UK CSIRT advisories indexed for this CVE.
Vulnerability details
@pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js child_process.exec().…
more
Because exec() spawns a shell, shell metacharacters in those values are interpreted by the host shell, resulting in arbitrary OS command execution with the privileges of the running process. NOTE: this is disputed by the Supplier because the report is about intended behavior, as explained in the Security Policy of the pensarai/apex GitHub repo.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct OS command injection via unsanitized input to child_process.exec() enables arbitrary Unix shell command execution (T1059.004); the high-severity network-reachable package flaw also maps to exploitation of public-facing apps (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.