CVE-2026-25933— Arduino App Lab has Improper Data Validation in Internal Terminal Interface
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-25933
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arduino App Lab has Improper Data Validation in Internal Terminal Interface
Source: NVD (National Vulnerability Database)
Vulnerability Description
Arduino App Lab is a cross-platform IDE for developing Arduino Apps. Prior to 0.4.0, a vulnerability was identified in the Terminal component of the arduino-app-lab application. The issue stems from insufficient sanitization and validation of input data received from connected hardware devices, specifically in the _info.Serial and _info.Address metadata fields. The problem occurs during device information handling. When a board is connected, the application collects identifying attributes to establish a terminal session. Because strict validation is not enforced for the Serial and Address parameters, an attacker with control over the connected hardware can supply specially crafted strings containing shell metacharacters. The exploitation requires direct physical access to a previously tampered board. When the host system processes these fields, any injected payload is executed with the privileges of the user running arduino-app-lab. This vulnerability is fixed in 0.4.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Arduino App Lab 操作系统命令注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Arduino App Lab是Arduino开源的一个用于开发Arduino应用程序的集成开发环境。 Arduino App Lab 0.4.0之前版本存在操作系统命令注入漏洞,该漏洞源于终端组件对来自硬件设备的输入数据清理和验证不足,可能导致执行包含shell元字符的特制字符串。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| arduino | arduino-app-lab | < 0.4.0 | - |
II. Public POCs for CVE-2026-25933
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-25933
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: arduino
- CVE-2025-69209
ArduinoCore-avr has Stack-Based Buffer Overflow in WString F - CVE-2025-64724
Arduino IDE for macOS has Insecure File Permissions - CVE-2025-64723
Arduino IDE for macOS has TCC Bypass via Dynamic Library Inj - CVE-2025-27608
Self Cross-Site Scripting in Arduino IDE - CVE-2023-49296
Arduino Create Agent vulnerable to Reflected Cross-Site Scri
Same weakness: CWE-78
- CVE-2026-8273
D-Link DNS-320 system_mgr.cgi cgi_merge_user os command inje - CVE-2026-8272
D-Link DNS-320 webfile_mgr.cgi chown os command injection - CVE-2026-8271
D-Link DNS-320 network_mgr.cgi cgi_upnp_edit os command inje - CVE-2026-8265
Tenda AC6 httpd getLogFile get_log_file os command injection - CVE-2026-8264
Tenda AC6 httpd WifiApScan formWifiApScan os command injecti
V. Comments for CVE-2026-25933
No comments yet