vulnerability context

CVE-2026-12537

EPSS 23%CWE-20OTX 4 pulses

Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.

Published 2026-06-24 · last modified 2026-06-25

details

CISA KEV status: Not in catalog
EPSS: 23% percentile (score 0.0031)
CWE: CWE-20
OTX pulses: 4 total, 0 recent

View on NVD → · cve.org

source mentions 2

[Daily CyberSecurity] Gemini CLI Vulnerability Hits Maximum CVSS 10 Score A critical Gemini CLI vulnerability (CVE-2026-12537) e...Bluesky · 1h ago
[CVE Alerts ] CVE-2026-12537 - Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows CVE ID : CVE-2026-12537 Publ...Bluesky · 4d ago

source consensus

Bluesky2×

Want the 3-bullet summary of CVE-2026-12537, plus webhook alerts when KEV is updated? Pro is $10/mo.

Open in reader See Pro →