Sentinel update: command injection vulnerabilities remediated in UAC

This Sentinel update covers newly public work as of April 5, 2026. We disclosed four command injection vulnerabilities in UAC (Unix-like Artifacts Collector), three of which have been remediated upstream.

UAC

UAC is a widely used incident response tool that collects forensic artifacts from live Unix-like systems. It typically runs with root privileges on potentially compromised hosts, making command injection vulnerabilities especially dangerous: an attacker who has already compromised the machine can plant payloads that fire when a responder runs UAC.

Eval Command Injection in _run_command (Critical)
Issue: UAC's core _run_command function passed unsanitized input through eval, allowing shell metacharacter injection.
Impact: Arbitrary command execution as the user running UAC (typically root) when processing attacker-controlled data on a compromised host.
Public fix: PR #443

Command Injection via command_collector (High)
Issue: the command collector code path passed attacker-influenced values into eval without sanitization.
Impact: Command execution through crafted artifact data during collection.
Public fix: PR #443

User Home Placeholder Injection from passwd (High)
Issue: the %user_home% runtime placeholder was substituted from /etc/passwd and flowed into eval without escaping. An attacker can set a malicious home directory containing shell metacharacters.
Impact: Arbitrary command execution when UAC expands the placeholder on a compromised host.
Public fix: PR #443

All three findings were remediated in UAC v3.3.0-rc1, released March 28, 2026. The maintainer merged our escaping-based fix (PR #443), which sanitizes the %line%, %user%, and %user_home% placeholders before they reach eval.
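
The %user_home% finding and the escaping approach, shown as an added example that is not UAC's code or the patch in PR #443: a constructed home-directory value is substituted into a collection template and passed to eval, first raw and then single-quoted. The helper names (replace_all, shell_quote, collect, run_unsafe, run_safe), the template and the sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not UAC source. All function names are hypothetical.

# Replace every literal occurrence of $2 in $1 with $3.
# Uses parameter expansion only, so the value is never treated as a pattern.
replace_all() {
  _in=$1 _out=
  while :; do
    case $_in in
      *"$2"*) _out=$_out${_in%%"$2"*}$3; _in=${_in#*"$2"} ;;
      *) break ;;
    esac
  done
  printf '%s' "$_out$_in"
}

# Quote a value for eval: wrap it in single quotes and rewrite each
# embedded ' as '\'' so the shell parses the whole value as one literal word.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Stand-in for a collection command: records the argument it received.
collect() { SEEN=$1; }

# Vulnerable pattern: the raw value becomes part of the eval'd source text.
run_unsafe() { eval "$(replace_all "$1" '%user_home%' "$2")"; }

# Hardened pattern: the value is quoted before substitution.
run_safe() { eval "$(replace_all "$1" '%user_home%' "$(shell_quote "$2")")"; }

# Constructed sample: a passwd home field carrying shell metacharacters.
HOSTILE='/home/eve; INJECTED=yes #'
TEMPLATE='collect %user_home%/.bash_history'

INJECTED=no; run_unsafe "$TEMPLATE" "$HOSTILE"
printf 'unsafe: arg=[%s] injected=%s\n' "$SEEN" "$INJECTED"

INJECTED=no; run_safe "$TEMPLATE" "$HOSTILE"
printf 'safe:   arg=[%s] injected=%s\n' "$SEEN" "$INJECTED"
```

In the unsafe run the second statement executes and the collector sees a truncated path; in the safe run the entire field reaches the collector as a single argument.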

Current Sentinel index

The Sentinel page remains the running public index of disclosed vulnerabilities and remediation status across our reviews.