Skip to content

[Security] CVE-2026-56413: Command injection in readline_shell.py:655 #213

Description

@poliakarmai

Severity: CRITICAL
Detected by: GSC (Git Security Checker) automated scan
File: xonsh/readline_shell.py:655

Description: The code passes unsanitized user input to a shell command, enabling command injection. An attacker could execute arbitrary commands on the host system.

Mitigation: Use subprocess.run() with shell=False and pass arguments as a list, or sanitize input with shlex.quote().


Found during automated security audit of gitsome (⭐7,675).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions