{"id":"CVE-2024-33434","details":"An issue in tiagorlampert CHAOS before commits 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code because the `filename` argument is concatenated into the `buildStr` string without any sanitization or filtering.","aliases":["CVE-2024-30850","GHSA-p3j6-f45h-hw5f","GHSA-xfjj-f699-rc79","GO-2024-2822"],"modified":"2026-05-04T08:45:06.362030Z","published":"2024-05-07T14:15:10.760Z","withdrawn":"2026-05-04T08:45:06.362030Z","references":[{"type":"WEB","url":"https://gist.github.com/slimwang/d1ec6645ba9012a551ea436679244496"},{"type":"FIX","url":"https://github.com/tiagorlampert/CHAOS/pull/95"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-33434.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"1b451cf62582295b7225caf5a7b506f0bad56f6b"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}