Vulnerability intelligence
CVE-2026-12537
Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.
CVSS Score
10
Critical
EPSS — Exploit Probability
0.3%
Riskier than 23% of all CVEs
Exploitation
Not in CISA KEV
No federal exploitation record
Remediation
unknown
Check vendor advisories
1 article across 1 outlet · first covered Jun 29, 2026 · latest Jun 29, 2026
Coverage timeline
-
Gemini CLI flaw allows remote code execution (CVE-2026-12537)securityonline.info · Jun 29, 2026