CVE-2026-54555 is a high-severity vulnerability in rtk that allows command execution. The vulnerability exists in rtk, which filters and compresses command outputs before they reach the LLM context. Prior to version 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. This allows a command beginning w [truncated]
The @rtk-ai/rtk-rewrite OpenClaw plugin, version 1.0.0, is vulnerable to arbitrary OS command execution. The plugin fails to properly escape attacker-controlled input when passing it to a shell-backed execSync() template string. This allows an attacker to inject and execute arbitrary OS commands with the privileges of the plugin/gateway process. The vulnerability is rated as MEDIUM with a CVSS score of 6. [truncated]