Upgrade caffeinated-whale-cli to version 0.14.0 or higher.
caffeinated-whale-cli is a CLI tool to help manage Frappe Docker instances.
Affected versions of this package are vulnerable to Command Injection due to improper validation and sanitization of user-supplied site names and bench path inputs in the unlock command. The command constructs shell calls using these values without neutralizing shell metacharacters. An attacker can exploit this by providing crafted input containing characters such as ;, &, |, or $ to execute arbitrary system commands with the privileges of the running process.
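The usual remediation for this class of bug, shown as an added example that is not code from caffeinated-whale-cli: validate the site name and bench path against an allowlist, then pass them as separate argv elements so no shell ever parses them. The container name, the lock-directory layout, the `rm` invocation and the allowlist patterns are assumptions made for illustration.

```python
import re

# Assumed allowlists (not the project's): hostname-like site names, plain
# absolute POSIX bench paths, Docker-style container names.
SITE_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*", re.I)
SEGMENT_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")
CONTAINER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def check_site(site: str) -> str:
    if len(site) > 253 or not SITE_RE.fullmatch(site):
        raise ValueError(f"rejected site name: {site!r}")
    return site


def check_bench_path(path: str) -> str:
    # Absolute path made only of plain segments: no "..", no empty segment,
    # no whitespace, nothing a shell would interpret.
    segments = path[1:].split("/")
    if not path.startswith("/") or any(not SEGMENT_RE.fullmatch(s) for s in segments):
        raise ValueError(f"rejected bench path: {path!r}")
    return path


def unlock_argv_unsafe(container: str, bench_path: str, site: str) -> list[str]:
    # The pattern the advisory describes: input pasted into a string a shell parses.
    return ["docker", "exec", container, "bash", "-c",
            f"rm -rf {bench_path}/sites/{site}/locks"]


def unlock_argv(container: str, bench_path: str, site: str) -> list[str]:
    if not CONTAINER_RE.fullmatch(container):
        raise ValueError(f"rejected container name: {container!r}")
    lock_dir = f"{check_bench_path(bench_path)}/sites/{check_site(site)}/locks"
    # One argv element per argument for subprocess.run(argv) with shell=False;
    # "--" ends option parsing for rm.
    return ["docker", "exec", container, "rm", "-rf", "--", lock_dir]


if __name__ == "__main__":
    bench = "/home/frappe/frappe-bench"  # constructed sample values
    print(unlock_argv("frappe-dev", bench, "site1.localhost"))
    for site in ("site1.localhost; echo injected", "$(id)", "a|b"):
        print("unsafe shell string:", unlock_argv_unsafe("frappe-dev", bench, site)[-1])
        try:
            unlock_argv("frappe-dev", bench, site)
        except ValueError as exc:
            print("hardened:", exc)
```

Validation and shell-free execution are both needed: the allowlist also blocks path traversal and option injection, which quoting alone does not address.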