AIKIDO-2026-10114
@qwen-code/qwen-code is vulnerable to Command Injection
44
Medium Risk
This Affects:
@qwen-code/qwen-codeTL;DR
Affected versions of this package treated awk and sed commands as read-only even though they support side-effects like system() execution, file writes, and shell pipelines. This could allow crafted awk or sed input to execute arbitrary commands or perform file operations without user confirmation. The patched version adds comprehensive pattern-based detection for dangerous constructs in awk and sed, rejecting commands with side-effects and preventing unintended command execution.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range. Requires user interaction / untrusted input in CLI context.
Background info
@qwen-code/qwen-code is vulnerable to Command Injection in versions 0.0.1 - 0.7.2.
How to fix this
Upgrade the @qwen-code/qwen-code library to the patch version.
Background Info
Get Secure Now
Secure your code, cloud, and runtime environments in one central system. Find and fix vulnerabilities automatically.
No credit card required | Scan results in 32secs.
SOC 2Compliant
ISO 27001Compliant