
CVE-2026-45369

High · RCE

Published: 14 May 2026

Modified: 16 May 2026
CVSS Score (v3.1): 8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0027 (18.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-45369 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique PowerShell (T1059.001). The CVE is ranked at the 18.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.


Vulnerability details

python-utcp is the Python implementation of UTCP. Prior to 1.1.3, the _substitute_utcp_args method in cli_communication_protocol.py inserts user-controlled tool_args values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c (Unix) or powershell.exe -Command (Windows), allowing an attacker to inject arbitrary shell commands. This vulnerability is fixed in 1.1.3.
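An added illustration of the pattern described above, not code from python-utcp or its 1.1.3 fix: the {{name}} placeholder syntax, the function names and the sample arguments are constructed for the example. It contrasts raw substitution with per-value quoting and an allowlist check for the /bin/bash -c path.

```python
import re
import shlex
import subprocess

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")   # constructed placeholder syntax
SAFE_VALUE = re.compile(r"[\w.@:/+-]+")      # conservative allowlist (assumption)


def substitute_unsafe(template, tool_args):
    """The flawed pattern: raw values are pasted into the command string."""
    return PLACEHOLDER.sub(lambda m: str(tool_args[m.group(1)]), template)


def substitute_quoted(template, tool_args):
    """Quote every value so a POSIX shell reads it as one literal word.

    shlex.quote only targets POSIX shells; it does not make a string safe
    for powershell.exe -Command, which needs its own handling.
    """
    return PLACEHOLDER.sub(
        lambda m: shlex.quote(str(tool_args[m.group(1)])), template)


def rejected_args(tool_args):
    """Names of arguments whose values fall outside the allowlist."""
    return sorted(k for k, v in tool_args.items()
                  if not SAFE_VALUE.fullmatch(str(v)))


def run_bash(command):
    """Run a string through /bin/bash -c, as the advisory describes."""
    done = subprocess.run(["/bin/bash", "-c", command],
                          capture_output=True, text=True, timeout=10)
    return done.stdout


# Constructed sample input: a harmless second command after a separator.
TEMPLATE = "echo {{name}}"
ARGS = {"name": "report; echo INJECTED", "fmt": "pdf"}

if __name__ == "__main__":
    print(repr(run_bash(substitute_unsafe(TEMPLATE, ARGS))))  # two commands run
    print(repr(run_bash(substitute_quoted(TEMPLATE, ARGS))))  # one literal word
    print(rejected_args(ARGS))                                # ['name']
```
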


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.001 PowerShell Execution
Adversaries may abuse PowerShell commands and scripts for execution.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct OS command injection into bash/powershell via unsanitized user input (CWE-78).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55590 · Shared CWE-78
CVE-2026-45629 · Shared CWE-78
CVE-2026-45630 · Shared CWE-78
CVE-2025-34227 · Shared CWE-78
CVE-2026-1460 · Shared CWE-78
CVE-2025-22606 · Shared CWE-78
CVE-2026-26280 · Shared CWE-78
CVE-2026-31386 · Shared CWE-78
CVE-2024-57019 · Shared CWE-78
CVE-2026-45152 · Shared CWE-78


Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
