Command Injection Vulnerability in Uniget Universal Installer for Container Tools
CVE-2026-45152

7.8HIGH

Key Information:

Vendor: Uniget-org
Status: Cli
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-45152?

Uniget, a universal installer and updater for container tools, has a command injection vulnerability in versions prior to 0.27.1. This is caused by the unsafe execution of the check field from JSON metadata, which is loaded without proper validation or sanitization. An attacker can exploit this flaw by crafting malicious metadata that, when processed during common operations like describe, install, update, or inspect, can execute arbitrary shell commands on the system running Uniget. This poses a significant risk as the arbitrary code would execute with the privileges of the user running the Uniget application. The vulnerability has been addressed in version 0.27.1.

Affected Version(s)

cli < 0.27.1

References

https://github.com/uniget-org/cli/security/advisories/GHS...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 8, 2026

CVE-2026-45152 Data

JSON

Uniget-org

What is CVE-2026-45152?

Affected Version(s)

References

CVSS V3.1

Timeline