PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-36044 @pensar CVE debrief

A command injection vulnerability exists in @pensar/apex versions 0.0.58 and earlier. The smart_enumerate tool's createSmartEnumerateTool() function in src/core/agent/tools.ts constructs shell commands by concatenating unsanitized values from the extensions array and url parameter, then passes this string to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in these values are interpreted by the host shell, enabling arbitrary OS command execution with the privileges of the running process. This vulnerability is network-accessible with low attack complexity, requires no privileges, and needs user interaction. The CVSS 3.1 score of 8.8 reflects high impacts to confidentiality, integrity, and availability. The vulnerability was published to NVD on 2026-05-27 with a status of 'Received'. The affected package is distributed via npm.

Vendor
@pensar
Product
apex
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running applications with @pensar/apex ≤0.0.58, particularly those exposing smart_enumerate functionality to untrusted input; security teams monitoring npm supply chain risks; developers building AI agent tools with shell execution capabilities

Technical summary

The vulnerability stems from improper neutralization of special elements used in an OS command (CWE-78). The createSmartEnumerateTool() function builds a shell command string using template literals or concatenation with user-controlled extensions and url values, then executes it via child_process.exec(). This is a well-known anti-pattern in Node.js security: exec() hands the whole string to a shell, so any metacharacter in the interpolated values changes the command that runs. The attack vector requires network access and user interaction, suggesting the tool may be triggered through user-supplied input in a web application or API context. Successful exploitation grants the attacker the same OS privileges as the Node.js process, potentially leading to full system compromise depending on deployment configuration.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade @pensar/apex to a version newer than 0.0.58 if available
  • Audit application code for usage of createSmartEnumerateTool() and smart_enumerate functionality
  • Implement input validation and sanitization for extensions array and url parameters before shell command construction
  • Replace child_process.exec() with child_process.execFile() or spawn() with shell:false to avoid shell interpretation
  • Apply principle of least privilege to the Node.js process running the affected package
  • Monitor for suspicious process spawning or network activity from applications using @pensar/apex

Evidence notes

Vulnerability description sourced from the official CVE record and NVD entry. Technical details confirmed through source references, including the npm package registry and a security researcher's gist. Vendor identification is marked as low confidence and requires review: the record lists 'Unknown Vendor', with candidate evidence pointing to npmjs as the reference domain.

Official resources
