Description

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.

INFO

Published Date :

2026-03-24T13:17:38.572Z

Last Modified :

2026-03-24T15:36:17.300Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33310 vulnerability.

Vendors Products
Intake
  • Intake
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33310.

URL Resource
https://github.com/intake/intake/commit/d0c0b6b57c1cb3f73880655ded4a9b0e18e1fd1b cve-icon cve-icon
https://github.com/intake/intake/security/advisories/GHSA-37g4-qqqv-7m99 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact