CVE-2026-7551 · HIGH 8.8 · EPSS p46.2%

Description

HKUDS OpenHarness contains a remote code execution vulnerability in the /bridge slash command that allows remote senders accepted by configuration to execute arbitrary operating system commands. Attackers can invoke the /bridge spawn command with attacker-controlled command text that is forwarded to the bridge session manager and executed through the shared shell subprocess helper, allowing them to spawn shell sessions as the OpenHarness process user and access local files, credentials, workspace state, and repository contents.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.65% probability of exploitation · percentile 46.2% · 2026-06-18T12:00:27Z
Published: 2026-04-30
Last modified: 2026-05-04

Underlying weaknesses · 1

CWE-78

References

  1. https://github.com/HKUDS/OpenHarness/commit/438e37309778e19060dfe7b172eb142e543c4cd6
  2. https://github.com/HKUDS/OpenHarness/pull/208
  3. https://www.vulncheck.com/advisories/hkuds-openharness-remote-command-execution-via-bridge-slash-command

Type: Weakness
Target: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-6823
CVE: CVE-2026-6819
CVE: CVE-2026-40502
CVE: CVE-2025-6542
CVE: BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability
CVE: CVE-2025-7451

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.