From cf6946769cbd82df9eb7501cf3094cd1709b9f50 Mon Sep 17 00:00:00 2001 From: Stalin <161853795+0x5t4l1n@users.noreply.github.com> Date: Tue, 12 May 2026 18:30:04 +0530 Subject: [PATCH] Create CVE-2026-45152.md --- reported/CVE-2026-45152.md | 80 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 reported/CVE-2026-45152.md diff --git a/reported/CVE-2026-45152.md b/reported/CVE-2026-45152.md new file mode 100644 index 0000000..ff3dd60 --- /dev/null +++ b/reported/CVE-2026-45152.md 
@@ -0,0 +1,80 @@ +![CVE](https://img.shields.io/badge/CVE-2026--45152-red) + +# CVE-2026-45152 — uniget Command Injection via Unsafe `tool.Check` Execution + +> CVE-2026-45152 has been officially published by GitHub Security Advisories. + +## Overview + +A command injection vulnerability exists in uniget due to unsafe execution of the `check` field from metadata files using `/bin/bash -c`. Because the `check` field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system. + +**CVE ID:** CVE-2026-45152 + +**Affected Version:** uniget CLI ≤ 0.27.0 + +**Fixed In:** uniget CLI 0.27.1 + +**Severity:** High + +**CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command) + +--- + +## Description + +The vulnerability exists in the `RunVersionCheck()` function, where uniget executes the `tool.Check` field using `/bin/bash -c`. + +Because metadata files are parsed directly into the `Tool` structure using `json.Unmarshal()`, attacker-controlled input can reach the shell execution sink without validation. + +The following vulnerable pattern was identified: + +```go +cmd := exec.Command("/bin/bash", "-c", tool.Check+" | tr -d '\n'") +``` + +Since `/bin/bash -c` interprets shell metacharacters such as `;`, `&&`, `|`, `$()`, and backticks, arbitrary shell commands may be injected and executed. + +--- + +## Impact + +An attacker processing malicious metadata may be able to: + +* Execute arbitrary shell commands +* Exfiltrate sensitive files or environment variables +* Install malware or backdoors +* Modify or delete accessible files +* Establish persistence on the victim machine +* Compromise CI/CD environments using uniget automation + +Commands execute with the privileges of the user running uniget. + +--- + +## Preconditions + +* The victim must process attacker-controlled metadata files. 
+* The vulnerable uniget version must invoke the `tool.Check` field through `/bin/bash -c`. +* The attacker must be able to supply malicious metadata containing shell metacharacters. + +--- + +## Workarounds + +* Avoid using `/bin/bash -c` with untrusted input. +* Sanitize or strictly validate metadata fields before execution. +* Execute fixed binaries and arguments directly without invoking a shell. +* Run uniget in isolated or low-privilege environments when processing untrusted metadata. + +--- + +## References + +* https://github.com/uniget-org/cli/security/advisories/GHSA-qqq4-5773-pmw5 + +--- + +## Discoverer + +**Stalin S** ([@0x5t4l1n](https://github.com/0x5t4l1n)) +
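Review bot: The "Workarounds" section lists maintainer-side code changes ("Avoid using `/bin/bash -c` with untrusted input", "Execute fixed binaries and arguments directly without invoking a shell") rather than actions a user of an affected uniget CLI ≤ 0.27.0 can take; move those items under a "Remediation" or "Fix" heading and keep "Workarounds" to what an operator can actually do before upgrading, i.e. only load metadata from trusted sources and run uniget in an isolated, low-privilege environment, with "Upgrade to uniget CLI 0.27.1" stated explicitly as the fix. The "Severity: High" line also carries no CVSS vector, and the Preconditions section does not say where uniget normally obtains its metadata files, which is what determines whether attacker-controlled metadata is a realistic condition; adding the vector and a sentence on the metadata source would make the severity reproducible from the document.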