Home > Vulnerability Database > CVE-2025-65946

Mend.io Vulnerability Database

CVE-2025-65946

Good to know:

Date: November 21, 2025

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, Due to an error in validation it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7.

Severity Score

8.1

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-65946

Url: https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-hwm7-w97p-4h8p

Url: https://github.com/RooCodeInc/Roo-Code/commit/b50104cc5987ce64f5154309d967ae8c74cfd1f3

Url: https://github.com/RooCodeInc/Roo-Code/pull/7667

Url: https://www.mend.io/vulnerability-database/CVE-2025-65946

Severity Score

8.1

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version https://github.com/RooCodeInc/Roo-Code.git - v3.26.7

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-65946

Good to know:

Date: November 21, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?