HIGH
@pensar
CVE published 2026-05-27
CVE-2026-36044
A command injection vulnerability exists in @pensar/apex versions 0.0.58 and earlier. The smart_enumerate tool's createSmartEnumerateTool() function in src/core/agent/tools.ts constructs shell commands by concatenating unsanitized values from the extensions array and url parameter, then passes this string to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in these values [truncated]
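The usual remedy for this class of bug, shown as an added example that is not code from @pensar/apex or from the advisory: validate each value, then pass the values as separate argv elements to execFile(), which does not spawn a shell by default. The names buildEnumerateArgs, runEnumerate and ENUM_BIN, the "-x"/"-u" flags, the extension allowlist and the example.test URLs are all assumptions made for illustration.

```javascript
// Added example; every identifier here is hypothetical, not the project's own.
const ENUM_BIN = "enum-tool";           // placeholder binary name
const EXT_RE = /^[A-Za-z0-9]{1,10}$/;   // allowlist: plain file extensions only

// Validate the inputs and return an argv array (never a command string).
function buildEnumerateArgs(url, extensions) {
  let parsed;
  try {
    parsed = new URL(url);              // parse instead of pattern-matching
  } catch {
    throw new TypeError("url is not a valid absolute URL");
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new TypeError("url scheme must be http or https");
  }
  if (!Array.isArray(extensions) || extensions.length === 0) {
    throw new TypeError("extensions must be a non-empty array");
  }
  for (const ext of extensions) {
    if (typeof ext !== "string" || !EXT_RE.test(ext)) {
      throw new TypeError("invalid extension: " + JSON.stringify(ext));
    }
  }
  // Each value is its own argv element. Neither value can start with "-",
  // so neither can be mistaken for an option by the child process.
  return ["-x", extensions.join(","), "-u", parsed.href];
}

// Run the tool without a shell: metacharacters in args stay literal bytes.
async function runEnumerate(url, extensions) {
  const args = buildEnumerateArgs(url, extensions);
  const { execFile } = await import("node:child_process");
  return new Promise((resolve, reject) => {
    execFile(ENUM_BIN, args, { timeout: 60000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout));
  });
}
```

The allowlist is defense in depth; the structural fix is that no shell parses the values, so a character such as ";" inside the URL path reaches the child process as part of a single argument.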