RCE in Gradle Gradle-completion
CVE-2026-25063
gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.000 (10.0th percentile)
Affected products
- Gradle Gradle-completion — versions < 9.3.1