CVE-2026-31236 — Code injection via llm CLI -functions argument

MITRE service request: 1988584

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its –functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec() function without any sanitization, sandboxing, or security restrictions. An attacker can exploit this by crafting a malicious llm command with arbitrary Python code in the –functions argument and using social engineering to trick a victim into running it. This leads to arbitrary code execution on the victim’s system, potentially granting the attacker full control.

Summary

llm passes the literal --functions string into exec, so any copied “example command” from the internet can embed reverse shells. Victim only needs to paste into their shell once.

Affected product and versions

• Product: simonw/llm.
• Affected range (coordination record): through v0.27.1 (commit 921fae9a0ad3d664a872e35e4639b16089b61c1d).

Technical details

• Surface: CLI -functions accepting multi-line Python.
• Sink: exec() of attacker-controlled source in-process.
• Impact: Full compromise of developer workstation.
• Mitigation: Never paste untrusted commands; fork tool to remove exec path.

Risk

High — classic copy-paste trojan channel.

Remediation / workaround

• Vendor patch TBD; meanwhile restrict CLI usage to trusted scripts only.

CVE Program next steps