CVE 9.3 CRITICAL

emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection)_CVE-2026-26068

February 12, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via /bin/sh -c. This enables command injection and remote code execution on the operator host. This vulnerability is fixed in 3.21.1.

AI Analysis

Command injection and remote code execution vulnerability in emp3r0r due to untrusted agent metadata interpolation into tmux shell command strings

Basic Information

ID CVE-2026-26068

Source GitHub_M

Published Feb 12, 2026 at 22:01

Affected Product

Vendor jm33-m0

Product emp3r0r

Version < 3.21.1

Affected Versions jm33-m0 emp3r0r < 3.21.1

CWE Classification

CWE-77 CWE-78

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor jm33-m0

Product emp3r0r

Version < 3.21.1

References

{
    "lastseen": "",
    "description": "emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via /bin/sh -c. This enables command injection and remote code execution on the operator host. This vulnerability is fixed in 3.21.1.",
    "published": "2026-02-12T22:01:23.212Z",
    "modified": "2026-02-12T22:01:23.212Z",
    "type": "cve",
    "title": "emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection)",
    "source": "GitHub_M",
    "references": "https://github.com/jm33-m0/emp3r0r/security/advisories/GHSA-h5p4-4xp4-vjpp\nhttps://github.com/jm33-m0/emp3r0r/commit/0cd64e4a26e7839a9a54bca3d756a665fcb7fda0\nhttps://github.com/jm33-m0/emp3r0r/releases/tag/v3.21.1",
    "id": "CVE-2026-26068",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "jm33-m0 emp3r0r < 3.21.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "emp3r0r",
    "version": "< 3.21.1",
    "vendor": "jm33-m0",
    "ai_description": "Command injection and remote code execution vulnerability in emp3r0r due to untrusted agent metadata interpolation into tmux shell command strings",
    "ai_severity": "Critical",
    "ai_vendor": "jm33-m0",
    "ai_product": "emp3r0r",
    "ai_version": "< 3.21.1",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply