PatchSiren cyber security CVE debrief
CVE-2026-8235 Vuldb CVE debrief
CVE-2026-8235 is an OS command injection issue in 8421bit MiniClaw’s System Command Handler, affecting resolveSkillScriptPath in src/kernel.ts. The supplied record ties the fix to commit 223c16a1088e138838dcbd18cd65a37c35ac5a84 and notes that a public exploit is available, so affected deployments should patch and review the command-handling path promptly.
- Vendor: Vuldb
- Product: Unknown
- CVSS: LOW 2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
Anyone operating or maintaining 8421bit MiniClaw 0.8.0/0.9.0, especially teams that process user-controlled skill scripts or run the application in environments where command execution would have elevated impact.
Technical summary
The record describes a command-injection flaw in resolveSkillScriptPath within src/kernel.ts and classifies it with CWE-77 and CWE-78. NVD metadata shows a CVSS v4.0 vector with low privileges and no user interaction required, but the attack impact still centers on command injection in a system command handling path. The referenced repository commit appears to be the corrective change, so that code path should be treated as tainted until the patch is verified in the deployed build.
Defensive priority
High for any exposed or script-processing deployment, even though the listed CVSS severity is Low. Command-injection flaws can become materially important when the affected process has sensitive filesystem or execution privileges, so patching and code review should be prioritized.
Recommended defensive actions
- Apply the referenced fix commit 223c16a1088e138838dcbd18cd65a37c35ac5a84 or an upstream release that includes it.
- Verify whether your deployment actually includes MiniClaw 0.8.0 or 0.9.0, including forks and vendored copies.
- Review src/kernel.ts resolveSkillScriptPath and any related command-building logic for unsafe concatenation or insufficient validation.
- Reduce exposure by limiting who can supply or edit skill scripts and by running the application with the least privilege needed.
- Inspect logs and telemetry for unexpected command invocation patterns or abnormal path values near the affected handler.
- If immediate patching is not possible, isolate affected systems and minimize network and operational exposure until remediation is complete.
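For the code-review action above, the following added example (not MiniClaw's code and not the content of the fix commit) shows the shape of a path resolver and command builder that avoids unsafe concatenation. All function names, the `<skillsRoot>/<skill>/<script>` layout and the use of `node` as interpreter are assumptions made for illustration.

```typescript
// Added example, not MiniClaw code: every name here is hypothetical.
// Assumption: scripts live at <skillsRoot>/<skill>/<script> and are run with node.

// One path segment: starts alphanumeric (so no ".", "..", or leading "-"
// that an interpreter could read as an option), then a small safe alphabet.
const SAFE_SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

interface Invocation {
  file: string;   // fixed interpreter chosen by the application
  args: string[]; // argv elements, intended for execFile/spawn without a shell
}

function checkSegment(kind: string, value: string): string {
  if (!SAFE_SEGMENT.test(value)) {
    throw new Error("rejected " + kind + ": " + JSON.stringify(value));
  }
  return value;
}

// Build the script path from validated segments only, so no separators,
// whitespace or shell metacharacters can reach the result.
function resolveSkillScriptPathSafe(skillsRoot: string, skill: string, script: string): string {
  const root = skillsRoot.replace(/\/+$/, "");
  return [root, checkSegment("skill", skill), checkSegment("script", script)].join("/");
}

// Return an argv array instead of a command string, so user-supplied
// arguments stay data even when they contain ';', '|' or '$( )'.
function buildInvocation(skillsRoot: string, skill: string, script: string, userArgs: string[]): Invocation {
  const scriptPath = resolveSkillScriptPathSafe(skillsRoot, skill, script);
  return { file: "node", args: [scriptPath].concat(userArgs) };
}

// Report which of the given script names the segment check refuses.
function rejectedNames(names: string[]): string[] {
  return names.filter(function (n) {
    try { checkSegment("script", n); return false; } catch (e) { return true; }
  });
}

// Constructed sample inputs, not taken from any real report or log.
const CONSTRUCTED_SAMPLES = ["run.js", "../../etc/passwd", "run.js; id", "$(id).js", "-e", "a/b.js"];
console.log(rejectedNames(CONSTRUCTED_SAMPLES));
console.log(buildInvocation("/opt/app/skills/", "weather", "run.js", ["Paris; id"]));
```

When reviewing the real handler, the two properties to confirm are the same ones this sketch enforces: path components are validated before they are joined, and the final command is executed from an argument array rather than a string handed to a shell.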
Evidence notes
The supplied CVE/NVD record is dated 2026-05-10 and references the MiniClaw GitHub repository, the corrective commit 223c16a1088e138838dcbd18cd65a37c35ac5a84, an issue, and a pull request. The record also lists CWE-77 and CWE-78 as the primary weakness classifications. Vendor/product mapping in the source is incomplete, so deployment-specific verification is recommended.
Official resources
Published in the supplied record on 2026-05-10. The source metadata comes from VulDB and was ingested by NVD with status 'Received'; the vendor confidence is low and the product field is not populated in the supplied vendor block. No KEV or