CVE-2026-39862

Severity: High

Published: 08 April 2026

Modified: 20 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0030 (53.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.

Mitigating Controls (NIST 800-53 r5)

- Prevent: requires timely identification, reporting, and correction of flaws such as the command injection in Tophat prior to 2.5.1, by upgrading to the patched version.
- Prevent: mandates validation of unsanitized URL query parameters such as 'arguments' so they cannot flow directly to /bin/bash -c execution.
- Prevent: restricts and scans user-installed developer tools such as vulnerable Tophat versions, preventing their deployment on macOS workstations.

Security Summary

CVE-2026-39862 is a remote code execution vulnerability (CWE-78: OS Command Injection) in Tophat, a mobile applications testing harness for macOS workstations. Versions prior to 2.5.1 are affected, where the 'arguments' query parameter from crafted tophat:// or http://localhost:29070 URLs passes unsanitized through URL parsing directly to /bin/bash -c execution, enabling arbitrary command execution.

Any developer with Tophat installed is vulnerable to remote exploitation. An attacker can craft malicious URLs to run commands with the user's permissions on the workstation. For previously trusted build hosts, no confirmation dialog appears, allowing silent execution. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

The vulnerability is addressed in Tophat 2.5.1. Security practitioners should upgrade to this version. Additional mitigation details are available in the GitHub security advisory (GHSA-8x8g-6rv5-mgg2) at https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2 and the fixing pull request at https://github.com/Shopify/tophat/pull/139.
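The flaw pattern the advisory describes, a URL query value handed to /bin/bash -c, and the defensive alternative are illustrated below. This is an added example written for this page, not Tophat's code and not the fix from the referenced pull request; the handler names, the allowlist pattern and the use of /bin/echo as a stand-in for the launched tool are all constructed assumptions. The hardened path parses the URL, splits the parameter on whitespace only, validates every token against a strict allowlist and passes the result as an argv array with no shell involved.

```python
"""Added example (not Tophat's code): parsing an 'arguments' URL query
parameter safely instead of interpolating it into a shell command line."""
import re
import subprocess
from urllib.parse import parse_qs, urlparse

# Scheme and local origin named in the advisory.
ALLOWED_SCHEMES = {"tophat"}
ALLOWED_HTTP_ORIGIN = ("http", "localhost:29070")

# Constructed allowlist for a single argument token: letters, digits and a
# few punctuation characters; no whitespace and no shell metacharacters.
TOKEN_RE = re.compile(r"[A-Za-z0-9._@:=/+-]+")


def extract_arguments(url):
    """Parse the URL and return the raw 'arguments' query values (a list)."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES and (p.scheme, p.netloc) != ALLOWED_HTTP_ORIGIN:
        raise ValueError("unexpected URL scheme or origin")
    return parse_qs(p.query, keep_blank_values=True).get("arguments", [])


def vulnerable_command_line(url):
    """The pattern described in the advisory: the raw parameter becomes part
    of a shell command string. Returned for inspection, never executed here."""
    joined = " ".join(extract_arguments(url))
    return ["/bin/bash", "-c", f"/bin/echo {joined}"]  # hypothetical tool


def hardened_argv(url):
    """Build an argv list with no shell. Returns None if any token fails the
    allowlist, so ';', '$(', backticks, quotes and similar are refused."""
    tokens = []
    for value in extract_arguments(url):
        for tok in value.split():
            if not TOKEN_RE.fullmatch(tok):
                return None
            tokens.append(tok)
    return ["/bin/echo", *tokens]  # hypothetical tool; argv, not a string


def run_hardened(url):
    """Execute the validated argv directly (shell=False by default) and
    return its stdout, or None when the arguments were rejected."""
    argv = hardened_argv(url)
    if argv is None:
        return None
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    good = "tophat://launch?arguments=--device%20iphone15"
    bad = "tophat://launch?arguments=iphone15;%20touch%20/tmp/x"
    print("vulnerable pattern builds:", vulnerable_command_line(bad))
    print("hardened argv for good input:", hardened_argv(good))
    print("hardened argv for bad input:", hardened_argv(bad))
    print("hardened run output:", run_hardened(good))
```

The point of the allowlist plus argv approach is that the operating system receives the tokens as separate arguments, so there is no command line for metacharacters to alter; the advisory's separate finding that trusted build hosts skip the confirmation dialog is orthogonal, and a hardened handler would still prompt before launching anything that carries caller-supplied arguments.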

Details

CWE(s)

Affected Products

shopify
tophat
≤ 2.5.1

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
  Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell (tactic: Execution)
  Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability enables remote code execution via exploitation of a client application (T1203) through OS command injection directly into /bin/bash (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References