Strix
26.1K

CVE-2026-33310

HIGHCVSS 8.8/10EPSS 0.43%

Last modified

CVE-2026-33310 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. EPSS estimates a 0.43% chance of exploitation in the next 30 days.

Description

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability
0.43%

34.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
IntakeIntake< 2.0.9

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-33310?
Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.
How severe is CVE-2026-33310?
CVE-2026-33310 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.43% probability of exploitation in the next 30 days.
How do I fix CVE-2026-33310?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-33310?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST