CVE-2026-3964— OpenAkita Chat API Endpoint shell.py run os command injection

CVSS 5.3 · Medium EPSS 0.45% · P64 Updated Mar 12, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-3964

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

OpenAkita Chat API Endpoint shell.py run os command injection

Source: NVD (National Vulnerability Database)

Vulnerability Description

A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the argument Message can lead to os command injection. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

OpenAkita 操作系统命令注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

OpenAkita是OpenAkita个人开发者的一个多平台多智能体协作AI助手。 OpenAkita 1.24.3及之前版本存在操作系统命令注入漏洞，该漏洞源于对组件Chat API Endpoint中文件src/openakita/tools/shell.py函数run参数Message的错误操作，可能导致os命令注入。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
-	OpenAkita	1.24.0	-

II. Public POCs for CVE-2026-3964

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-3964

请登录查看更多情报信息。

Same Patch Batch · n/a · 2026-03-11 · 20 CVEs total

CVE-2026-3955	6.3 MEDIUM	elecV2P jsfile Endpoint wbjs.js runJSFile code injection
CVE-2026-3884	6.1 MEDIUM	spin.js 安全漏洞
CVE-2026-3946	3.5 LOW	PHPEMS index.php cross site scripting
CVE-2025-67037		Lantronix EDS5000 安全漏洞
CVE-2025-70041		ThermaKube 安全漏洞
CVE-2025-70024		generatedata 安全漏洞
CVE-2025-66956		Asseco SEE Live 安全漏洞
CVE-2025-70082		Lantronix EDS3000PS 安全漏洞
CVE-2025-68623		Microsoft DirectX End-User Runtime Web Installer 安全漏洞
CVE-2025-67039		Lantronix EDS3000PS 安全漏洞
CVE-2025-70027		sunbird-portal 安全漏洞
CVE-2025-67036		Lantronix EDS5000 安全漏洞
CVE-2025-67034		Lantronix EDS5000 安全漏洞
CVE-2025-67038		Lantronix EDS5000 安全漏洞
CVE-2025-67035		Lantronix EDS5000 安全漏洞
CVE-2025-67041		Lantronix EDS3000PS 安全漏洞
CVE-2026-30741		OpenClaw 安全漏洞
CVE-2025-67298		ClassroomIO.com 安全漏洞
CVE-2025-70330		Orbis Easy Grade Pro 安全漏洞

IV. Related Vulnerabilities

Same vendor: n/a

Same weakness: CWE-78

V. Comments for CVE-2026-3964

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-3964— OpenAkita Chat API Endpoint shell.py run os command injection

I. Basic Information for CVE-2026-3964

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-3964

III. Intelligence Information for CVE-2026-3964

Same Patch Batch · n/a · 2026-03-11 · 20 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-3964

Leave a comment