CVE-2026-6130: Chatbox AI Desktop App Vulnerable to OS Command Injection via Args/Env
THREATINT CVE Database·medium signal
A command injection vulnerability disclosed April 12 in chatboxai/chatbox allows attackers to execute arbitrary OS commands by manipulating args/env parameters. Chatbox is a popular desktop AI client used to interface with multiple LLM providers. If you're running Chatbox locally, update immediately — desktop AI tools that shell out to system commands remain a persistent attack surface as the agentic tool ecosystem grows.