
AIKIDO-2026-10176

rubyipmi is vulnerable to Command Injection

Command Injection | CVE-2026-0980 | Published Feb 16, 2026

78

High Risk

This Affects:

RUBY rubyipmi
0.12.0 - 0.12.1
Fixed in 0.13.0

TL;DR

Affected versions of this package construct system commands by concatenating cmd and user-controlled options into a single string, which may allow command injection when executed through a shell. Because arguments are not safely passed as separate parameters (e.g., via Open3.capture3 with explicit cmd and args), malicious input can manipulate command structure. An attacker could supply crafted option values containing shell metacharacters (e.g., ;, &&, backticks) to execute arbitrary commands on the host system.
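The difference between the two invocation styles described above, as an added example that is not rubyipmi's own code: the helper names are hypothetical, `echo` stands in for the IPMI binary, and the option value is constructed to show how the shell treats a `;`.

```ruby
require "open3"

# Stand-in for the real IPMI binary (assumption for this example).
CMD = "echo"

# Constructed sample input: an option value carrying a shell metacharacter.
SAMPLE = { "H" => "10.0.0.5; echo INJECTED" }.freeze

# Vulnerable pattern: cmd and options are joined into one string.
# Ruby hands a single command string with metacharacters to /bin/sh -c,
# so the shell, not the program, decides where the command ends.
def run_concatenated(cmd, options)
  line = ([cmd] + options.map { |k, v| "-#{k} #{v}" }).join(" ")
  out, _err, _status = Open3.capture3(line)
  out
end

# Hardened pattern: every flag and value is its own argv element.
# The [cmd, cmd] form guarantees no shell is involved, even with zero args.
def run_argv(cmd, options)
  args = options.flat_map { |k, v| ["-#{k}", v.to_s] }
  out, _err, _status = Open3.capture3([cmd, cmd], *args)
  out
end

if __FILE__ == $PROGRAM_NAME
  puts "concatenated: #{run_concatenated(CMD, SAMPLE).inspect}"
  puts "argv:         #{run_argv(CMD, SAMPLE).inspect}"
end
```

Argv separation removes the shell from the path, but a value that begins with `-` can still be read as a flag by the called program, so option values need their own validation.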

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

rubyipmi is vulnerable to Command Injection in versions 0.12.0 - 0.12.1.

How to fix this

Upgrade the rubyipmi library to the patched version, 0.13.0.