CVE-2026-30352: Critical RCE in leonvanzyl autocoder /devserver/start Endpoint

The National Vulnerability Database has issued an alert for CVE-2026-30352, a critical remote code execution (RCE) vulnerability impacting leonvanzyl autocoder commit 79d02a. This flaw, rated 9.8 CVSS, resides in the /devserver/start endpoint and permits unauthenticated attackers to execute arbitrary code by supplying a maliciously crafted command parameter. This is a direct command injection, a classic and highly effective attack vector.

This vulnerability exposes systems running the affected autocoder commit to complete compromise. An attacker needs no prior authentication or complex chain of exploits; direct network access to the vulnerable endpoint is sufficient. The National Vulnerability Database confirms the broad impact, categorizing it as network-exploitable with high confidentiality, integrity, and availability impacts. Organizations utilizing this specific commit of autocoder must recognize the immediate and severe threat.

From an attacker’s perspective, this is a low-effort, high-reward target. The ability to execute arbitrary commands remotely on an exposed server is the holy grail for initial access. Defenders need to assume compromise if this service is running unpatched and exposed, especially in development or staging environments that often have laxer controls but still contain sensitive data or access to production resources.

What This Means For You

  • If your organization uses leonvanzyl autocoder, specifically commit 79d02a, check immediately for the presence of the `/devserver/start` endpoint. Assume this is a critical exposure. Implement network segmentation to restrict access to this service, and patch or remove the affected commit without delay. Audit logs for any suspicious activity related to the autocoder service.

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2026-30352: RCE via /devserver/start endpoint command injection

Sigma YAML — free preview
```yaml
# Title is quoted because an unquoted ': ' inside the value is invalid YAML.
title: 'CVE-2026-30352: RCE via /devserver/start endpoint command injection'
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects exploitation attempts against CVE-2026-30352 by looking for requests to the '/devserver/start' endpoint with a 'command=' parameter containing shell metacharacters like '&&', indicating an attempt to inject and execute arbitrary commands.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-30352/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/devserver/start'
    # A plain value is already an exact match; Sigma has no 'exact' modifier.
    cs-method:
      - 'GET'
    cs-uri-query|contains:
      - 'command='
  selection_command_injection:
    cs-uri-query|contains:
      - '&&'
  # The condition belongs directly under 'detection', with a lowercase 'and'.
  condition: selection and selection_command_injection
falsepositives:
  - Legitimate administrative activity
```
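The rule above matches only a literal `&&` in the raw query string, so a percent-encoded separator (`%26%26`) or any other shell metacharacter passes it. The following log-audit sketch is an added example, not part of the original page or of the autocoder project: it decodes the `command` parameter before checking it. It assumes common/combined-format access logs and, like the rule, that `command` arrives in the query string; the function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that let a shell chain, pipe, substitute or redirect commands.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(")
# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2026:19:20:01 +0000] "GET /devserver/start?command=npm%20run%20dev HTTP/1.1" 200 51',
    '192.0.2.44 - - [27/Apr/2026:19:21:13 +0000] "GET /devserver/start?command=npm%20run%20dev%26%26placeholder HTTP/1.1" 200 51',
    '192.0.2.44 - - [27/Apr/2026:19:21:40 +0000] "GET /devserver/start?command=npm%20run%20dev%3Bplaceholder HTTP/1.1" 200 51',
    '192.0.2.44 - - [27/Apr/2026:19:22:02 +0000] "GET /devserver/start?command=npm&&placeholder HTTP/1.1" 200 51',
    '192.0.2.10 - - [27/Apr/2026:19:23:15 +0000] "GET /health?command=a%26%26b HTTP/1.1" 200 2',
]

def flag_devserver_requests(lines):
    """Return (line_no, reason, value) for each suspicious request."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if "/devserver/start" not in url.path:
            continue
        # parse_qs percent-decodes values, so an encoded %26%26 is seen as &&.
        params = parse_qs(url.query, keep_blank_values=True, separator="&")
        bad = [v for v in params.get("command", []) if SHELL_META.search(v)]
        if bad:
            hits.append((no, "metacharacter in command", bad[0]))
        elif "command=" in url.query and "&&" in url.query:
            # Literal && in the raw query: the only case the Sigma rule matches.
            hits.append((no, "literal && in query", url.query))
    return hits

if __name__ == "__main__":
    for hit in flag_devserver_requests(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the request line, so a `command` value sent in a request body is invisible to this check and needs application or reverse-proxy body logging instead.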

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-30352 | RCE | leonvanzyl autocoder commit 79d02a |
| CVE-2026-30352 | RCE | Vulnerable endpoint: /devserver/start |
| CVE-2026-30352 | RCE | Attack vector: crafted command parameter |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
