QSearchQSearch

CVE-2021-41088

8.0 HIGH

Elvish is a programming language and interactive shell, combined into one package

Published: 2021-09-23 · Last updated: 2026-06-17

Severity and scoring

CVSS
8.0 HIGH
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE
CWE-346, CWE-668

Affected products

VendorProduct
elvelvish

Description

Elvish is a programming language and interactive shell, combined into one package. In versions prior to 0.14.0 Elvish's web UI backend (started by `elvish -web`) hosts an endpoint that allows executing the code sent from the web UI. The backend does not check the origin of requests correctly. As a result, if the user has the web UI backend open and visits a compromised or malicious website, the website can send arbitrary code to the endpoint in localhost. All Elvish releases from 0.14.0 onward no longer include the the web UI, although it is still possible for the user to build a version from source that includes the web UI. The issue can be patched for previous versions by removing the web UI (found in web, pkg/web or pkg/prog/web, depending on the exact version).

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-12304 Same-origin policy bypass in the Networking: Cookies component (9.1 CRITICAL)
  • CVE-2026-47825 Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios (8.6 HIGH)
  • CVE-2026-9595 Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g (5.3 MEDIUM)
  • CVE-2026-11624 The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent...
  • CVE-2026-53826 OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace ... (4.3 MEDIUM)