CVE-2025-65946 · HIGH 8.1 · EPSS p43.3%

CVE-2025-65946

Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, due to an error in validation, it was possible for Roo to automatically execute commands that did not match the allow-list prefixes. This issue has been patched in version 3.26.7.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.58% probability of exploitation · percentile 43.3% · 2026-06-18T12:00:27Z
Published: 2025-11-21
Last modified: 2025-12-04

Underlying weaknesses · 2

CWE-20, CWE-77

References

  1. https://github.com/RooCodeInc/Roo-Code/commit/b50104cc5987ce64f5154309d967ae8c74cfd1f3
  2. https://github.com/RooCodeInc/Roo-Code/pull/7667
  3. https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-hwm7-w97p-4h8p

Type     | Target                                                                                      | Confidence | Tier
Weakness | Improper Input Validation (cwe-20)                                                          | 0%         | live
Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-58370
  2. CVE-2025-57771
  3. CVE-2025-53536
  4. CVE-2025-58371
  5. CVE-2025-58372
  6. CVE-2025-53098

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.