MEDIUM · CVE-2026-28801 · CVSS 6.6

CVE-2026-28801: Code Execution in NatroMacro

Platform

windows

Component

natromacro

Fixed in

1.1.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-28801 affects NatroMacro, an open-source AutoHotkey macro for the Roblox game Bee Swarm Simulator. Pattern and path files, which users routinely exchange, are interpreted as AutoHotkey code, so an attacker can embed arbitrary code in such a file and have it executed on any machine that loads it, leading to unauthorized actions on the victim's system. This page records versions before 1.1.0 as affected and 1.1.1 as the fixed release; run 1.1.1 or later.

Impact and Attack Scenarios

The primary impact of CVE-2026-28801 is arbitrary code execution on the victim's machine with the privileges of the user running NatroMacro. Because pattern and path files are interpreted as AutoHotkey code and are routinely shared between users, an attacker only has to craft a file containing malicious AutoHotkey code and distribute it; no memory corruption or sandbox escape is involved. When a vulnerable version loads the file, the embedded code runs silently in the background, which is enough for credential and data theft, tampering with the system, or installing a remote-access tool. The blast radius is every user of a vulnerable version who loads pattern or path files obtained from someone else.

Exploitation Context

This vulnerability was publicly disclosed on 2026-03-06. There are currently no known public exploits or active campaigns targeting CVE-2026-28801, and it is not listed in the CISA KEV catalog. Exploitation is nonetheless easy: the attacker needs no technical exploit, only a pattern or path file that a user is willing to load, and such files are commonly shared in the NatroMacro community, which makes the user base an attractive target for opportunistic attackers.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: Low
Reports: 1 threat report

EPSS

0.02% (5% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N (base score 6.6, Medium)

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None
What do these metrics mean?
Attack Vector
Local — the attacker either has a local session on the system or, as in this case, relies on the victim to open a crafted file on their own machine; the attack does not arrive over the network.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: natromacro
Vendor: NatroTeam
Affected range: < 1.1.0
Fixed in: 1.1.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The definitive mitigation for CVE-2026-28801 is to upgrade NatroMacro to the fixed release (1.1.1 or later; this page lists versions before 1.1.0 as affected and 1.1.1 as fixed). If upgrading is not immediately feasible, treat pattern and path files from other users as untrusted code: open them in a text editor before loading them and reject any file that contains anything beyond the movement commands a pattern needs, for example Run, RunWait, DllCall, UrlDownloadToFile, ComObjCreate or #Include. A web application firewall does not apply because NatroMacro is a desktop application; instead, monitor the AutoHotkey host process for child processes such as PowerShell or cmd.exe, which a macro has no reason to start. After upgrading, verify the fix with a test pattern file that carries a harmless marker (a message box or a file write) rather than a known malicious file: if the marker still fires when the pattern is loaded, the installed build is not fixed.
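The review process suggested above can be automated. The following is an added example, not NatroMacro project code: a static check that rejects a shared pattern or path file unless every non-comment line is one of a small set of movement calls with literal arguments, and that names the AutoHotkey v1 command responsible when the file contains something a pattern never needs. The allowlisted call names (nm_Walk, nm_Move, nm_Jump, nm_Sleep) are hypothetical and should be replaced with the names found in the project's own bundled patterns; the two sample files are constructed.

```python
"""Static review of a shared NatroMacro pattern/path file before it is loaded.

Added example, not NatroMacro project code. It assumes a pattern is a plain-text
AutoHotkey v1 script whose legitimate content is a short list of movement calls
with literal arguments; the ALLOWED_CALLS names are hypothetical and should be
replaced by the call names actually used in the project's bundled patterns.
"""
import re

# Hypothetical names of the only calls a movement pattern is expected to contain.
ALLOWED_CALLS = {"nm_Walk", "nm_Move", "nm_Jump", "nm_Sleep"}

# AutoHotkey v1 commands, functions and directives a movement pattern never
# needs. Seeing one means the file is a general-purpose script, not a pattern.
DANGEROUS = {
    "run", "runwait", "runas", "dllcall", "urldownloadtofile", "download",
    "filedelete", "fileappend", "filecopy", "filemove", "fileinstall",
    "filecreateshortcut", "regwrite", "regdelete", "comobjcreate", "comobjget",
    "shutdown", "process", "settimer", "onexit", "hotkey", "func",
    "#include", "#includeagain",
}

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)   # approximation of AHK /* */ blocks
_LINE_COMMENT = re.compile(r"(^|\s);.*$")         # ';' at line start or after whitespace
_STRING = re.compile(r'"[^"]*"')
_TOKEN = re.compile(r"#?[A-Za-z_]\w*")
_DYNAMIC = re.compile(r"%\w+%\s*\(")               # %name%(...) dynamic call
_CALL = re.compile(r"^([A-Za-z_]\w*)\s*\((.*)\)\s*$")
_ARG = r'(?:-?\d+(?:\.\d+)?|"[^"%()]*")'           # numeric or plain string literal
_ARGS = re.compile(rf"^\s*(?:{_ARG}\s*(?:,\s*{_ARG}\s*)*)?$")


def strip_comments(text: str) -> list:
    """Return code lines with AHK comments removed, keeping line numbers stable."""
    text = _BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    return [_LINE_COMMENT.sub("", line).strip() for line in text.splitlines()]


def scan_pattern(text: str) -> list:
    """Return (line_no, reason, code) for every line that is not a plain pattern call."""
    findings = []
    for no, line in enumerate(strip_comments(text), start=1):
        if not line:
            continue
        code = _STRING.sub('""', line)             # ignore names inside string literals
        bad = [t for t in _TOKEN.findall(code) if t.lower() in DANGEROUS]
        if bad:
            findings.append((no, f"dangerous name {bad[0]}", line))
            continue
        if _DYNAMIC.search(code):
            findings.append((no, "dynamic function call", line))
            continue
        call = _CALL.match(line)
        if call and call.group(1) in ALLOWED_CALLS and _ARGS.match(call.group(2)):
            continue                               # allowlisted call with literal args
        findings.append((no, "not an allowlisted pattern call", line))
    return findings


def is_safe(text: str) -> bool:
    """True only if the file contains nothing but allowlisted movement calls."""
    return not scan_pattern(text)


# Constructed samples (not real NatroMacro files).
BENIGN = """; constructed sample pattern
nm_Walk(5, "w")   ; forward
nm_Jump()
nm_Walk(2.5, "a")
"""

MALICIOUS = """nm_Walk(5, "w")
/* harmless-looking
   header */
Run, calc.exe   ; constructed stand-in for a real payload
x := ComObjCreate("WScript.Shell")
fn := Func("Dll" . "Call")
nm_Walk(1, "d")
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "->", "safe" if is_safe(sample) else "REJECT")
        for no, reason, code in scan_pattern(sample):
            print(f"  line {no}: {reason}: {code}")
```

The allowlist does the real work: the DANGEROUS set only improves the reason reported, so a file that evades it (string concatenation, a dynamic `%name%()` call, or any statement that is not a bare movement call) is still rejected. Comment stripping is an approximation of AutoHotkey's rules, which is acceptable for a gate that fails closed.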

How to fix

Update NatroMacro to the fixed release (1.1.1 or later; this page lists versions before 1.1.0 as affected). The fix stops AutoHotkey code embedded in shared pattern or path files from being executed when the file is loaded.
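The mitigation section above suggests monitoring for unusual process activity. The following is an added example, not NatroMacro project code, of that triage run over constructed process-creation records laid out with Sysmon Event ID 1 field names (Image, ParentImage, CommandLine). It assumes NatroMacro runs under the AutoHotkey interpreter and that the only child process it legitimately starts is the Roblox client; both process-name lists are assumptions to confirm on the host before deploying the rule.

```python
"""Triage process-creation events for a NatroMacro host spawning unexpected children.

Added example, not NatroMacro project code. Assumptions: NatroMacro runs under the
AutoHotkey interpreter (AutoHotkey*.exe) and legitimately launches only the Roblox
client; both name lists are assumptions to confirm on the host. Records use Sysmon
Event ID 1 field names; the sample events below are constructed.
"""
import ntpath
from typing import Optional

MACRO_HOSTS = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe", "autohotkey64.exe"}
EXPECTED_CHILDREN = {"robloxplayerbeta.exe"}          # assumed legitimate launch
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe"}


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'low' or None for one process-creation event."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent not in MACRO_HOSTS or child in EXPECTED_CHILDREN:
        return None
    # A macro host launching a script interpreter or LOLBin is the code-execution
    # pattern this CVE enables; any other unexpected child is still worth a look.
    return "high" if child in LOLBINS else "low"


def triage(events: list) -> list:
    """(severity, child image, command line) for every event worth a look."""
    out = []
    for ev in events:
        sev = classify(ev)
        if sev:
            out.append((sev, ev["Image"], ev.get("CommandLine", "")))
    return out


SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    {"ParentImage": r"C:\natro\AutoHotkeyU64.exe",
     "Image": r"C:\Program Files (x86)\Roblox\Versions\v1\RobloxPlayerBeta.exe",
     "CommandLine": "RobloxPlayerBeta.exe"},
    {"ParentImage": r"C:\natro\AutoHotkeyU64.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c calc"},
    {"ParentImage": r"C:\natro\AutoHotkeyU64.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\upd.exe",
     "CommandLine": "upd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd"},
]

if __name__ == "__main__":
    for sev, image, cmd in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {image} :: {cmd}")
```

The parent/child pairing is what carries the signal: PowerShell started by Explorer is routine, PowerShell started by the macro's interpreter is not. Tune EXPECTED_CHILDREN from a baseline of the host's own telemetry before alerting on "low" findings.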


Frequently asked questions

What is CVE-2026-28801 — Code Execution in NatroMacro?

CVE-2026-28801 is a medium-severity vulnerability in NatroMacro versions before the 1.1.1 fixed release (this page lists versions before 1.1.0 as affected) that allows AutoHotkey code embedded in shared pattern or path files to be executed when the file is loaded, potentially leading to unauthorized actions on the user's machine.

Am I affected by CVE-2026-28801 in NatroMacro?

You are affected if you run a NatroMacro version before the 1.1.1 fixed release and load pattern or path files obtained from other users.

How do I fix CVE-2026-28801 in NatroMacro?

Upgrade NatroMacro to 1.1.1 or later to resolve this vulnerability. Until the upgrade is complete, inspect any pattern or path file from an untrusted source in a text editor before loading it and reject anything that is not plain movement commands.

Is CVE-2026-28801 being actively exploited?

As of now, there are no known public exploits or active campaigns targeting CVE-2026-28801, but caution is advised.

Where can I find the official NatroMacro advisory for CVE-2026-28801?

Refer to the NatroMacro project's official repository or website for the latest advisory and release notes regarding CVE-2026-28801.
