CVE-2026-33310

Published: Mar 24, 2026

Modified: Mar 24, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.

Vendor	Product	Versions
intake	intake	affected `< 2.0.9`

Weaknesses (CWE)

CWE-78

CWE-94

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/intake/intake/security/advisories/GHSA-37g4-qqqv-7m99

x_refsource_CONFIRM

https://github.com/intake/intake/commit/d0c0b6b57c1cb3f73880655ded4a9b0e18e1fd1b

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-33310

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References