A fix was pushed into the master branch but not yet published.
zen-ai-pentest is an Advanced AI-Powered Penetration Testing Framework with Multi-Agent Orchestration
Affected versions of this package are vulnerable to Command Injection via the Prepare Notification process in the GitHub Actions workflow. An attacker can execute arbitrary shell commands on the workflow runner by crafting a malicious issue title containing subshell expressions, which are interpolated and executed during variable assignment. This enables exfiltration of sensitive secrets, such as the Discord webhook URL, and allows the attacker to impersonate the bot or post unauthorized messages.
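
The injection pattern described above, beside its usual mitigation, as an added example that is not the project's workflow or its actual fix. Both workflow snippets are constructed, the variable name `ISSUE_TITLE` and the function `find_injections` are assumptions, and the list of untrusted contexts is a subset of those named in GitHub's hardening guidance. The checker flags `${{ ... }}` expressions carrying attacker-controlled event fields inside `run:` scripts, where the runner substitutes them into the shell text before the shell parses it.

```python
import re

# Constructed sample: the issue title is pasted into the script text itself,
# so the shell evaluates any subshell expression it contains.
VULNERABLE = """\
steps:
  - name: Prepare Notification
    run: |
      TITLE="${{ github.event.issue.title }}"
      echo "New issue: $TITLE"
"""

# Constructed sample: the title reaches the shell only as an environment
# variable value, which the shell never re-parses as code.
HARDENED = """\
steps:
  - name: Prepare Notification
    env:
      ISSUE_TITLE: ${{ github.event.issue.title }}
    run: |
      TITLE="$ISSUE_TITLE"
      echo "New issue: $TITLE"
"""

# Subset of contexts an external user can control.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.event\.(?:issue|pull_request|comment|review|discussion)"
    r"\.(?:title|body)|github\.head_ref)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injections(workflow_text):
    """Return (line_no, expression) for untrusted expressions inside run: scripts."""
    findings, run_indent = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        m = RUN_KEY.match(line)
        if m:                                   # start of a run: script
            run_indent, script = len(m.group(1)), m.group(2)
        elif run_indent is not None and (not line.strip() or indent > run_indent):
            script = line                       # body of the block scalar
        else:                                   # dedent: script ended
            run_indent, script = None, ""
        findings += [(no, e.group(1)) for e in UNTRUSTED.finditer(script)]
    return findings

if __name__ == "__main__":
    print("vulnerable:", find_injections(VULNERABLE))
    print("hardened:  ", find_injections(HARDENED))
```

The scanner is line-based and does not parse YAML, so it will miss expressions passed to `actions/github-script` or similar steps that evaluate their inputs.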