{"id":82198,"date":"2026-07-18T20:46:39","date_gmt":"2026-07-18T17:16:39","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-16129-princezuda-safestclaw-built-in-web-shell-py-shellaction-_validate_command-incomplete-blacklist\/"},"modified":"2026-07-18T20:46:39","modified_gmt":"2026-07-18T17:16:39","slug":"cve-2026-16129-princezuda-safestclaw-built-in-web-shell-py-shellaction-_validate_command-incomplete-blacklist","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-16129-princezuda-safestclaw-built-in-web-shell-py-shellaction-_validate_command-incomplete-blacklist\/","title":{"rendered":"CVE-2026-16129 &#8211; princezuda SafestClaw Built-in Web shell.py ShellAction._validate_command incomplete blacklist"},"content":{"rendered":"<p>CVE ID :CVE-2026-16129<\/p>\n<p>  Published : July 18, 2026, 5:16 p.m. | 23\u00a0minutes ago<\/p>\n<p>  Description :A vulnerability has been found in princezuda SafestClaw up to 4.2.4. This vulnerability affects the function ShellAction._validate_command of the file src\/safestclaw\/actions\/shell.py of the component Built-in Web Interface. Such manipulation leads to incomplete blacklist. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The presence of this vulnerability remains uncertain at this time. The project maintainer explains: &#8220;On paper you&#8217;re correct, this is a vulnerability. In practice, nothing your AI generated shows how it makes users vulnerable. It&#8217;s open source. Someone can mod the shell allow list or remove that system. Present an actual poc that shows a threat to users.&#8221;<\/p>\n<p>  Severity: 5.3 | MEDIUM<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-16129 Published : July 18, 2026, 5:16 p.m. | 23\u00a0minutes ago Description :A vulnerability has been found in princezuda SafestClaw up to 4.2.4. This vulnerability affects the function ShellAction._validate_command of the file src\/safestclaw\/actions\/shell.py of the component Built-in Web Interface. Such manipulation leads to incomplete blacklist. An attack has to be approached locally. The &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-82198","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/82198","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=82198"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/82198\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=82198"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=82198"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=82198"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}