CVE-2026-10214
HIGHzhayujie chatgpt-on-wechat Bash Tool bash.py _get_safety_warning os command injection
Title source: cnaDescription
A weakness has been identified in zhayujie chatgpt-on-wechat up to 2.0.8. This issue affects the function _get_safety_warning of the file agent/tools/bash/bash.py of the component Bash Tool. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.0.9 is capable of addressing this issue. This patch is called 16d9b449c9aa53ccee44144a762a2737d7ba4fc4. It is recommended to upgrade the affected component.
References (7)
Core 7
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-367493 | zhayujie chatgpt-on-wechat Bash Tool bash.py _get_safety_warning os command injection
https://vuldb.com/vuln/367493
Signature, Permissions Required signature
permissions-required
VDB-367493 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/367493/cti
Third Party Advisory third-party-advisory
CVE-2026-10214 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-10214
Third Party Advisory third-party-advisory
Submit #821929 | zhayujie chatgpt-on-wechat <= 2.0.7 OS Command Injection (CWE-78)
https://vuldb.com/submit/821929
Exploit exploit
issue-tracking
https://github.com/zhayujie/CowAgent/issues/2803
Scores
CVSS v3
7.3
EPSS
0.0134
EPSS Percentile
67.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-77
CWE-78
Status
published
Products (10)
zhayujie/chatgpt-on-wechat
2.0.0
zhayujie/chatgpt-on-wechat
2.0.1
zhayujie/chatgpt-on-wechat
2.0.2
zhayujie/chatgpt-on-wechat
2.0.3
zhayujie/chatgpt-on-wechat
2.0.4
zhayujie/chatgpt-on-wechat
2.0.5
zhayujie/chatgpt-on-wechat
2.0.6
zhayujie/chatgpt-on-wechat
2.0.7
zhayujie/chatgpt-on-wechat
2.0.8
zhayujie/chatgpt-on-wechat
2.0.9
Published
Jun 01, 2026
Tracked Since
Jun 01, 2026