Google has addressed a maximum severity security flaw in
Gemini CLI -- the "@google/gemini-cli" npm package and the
"google-github-actions/run-gemini-cli" GitHub Actions workflow --
that could have allowed attackers to execute arbitrary commands on
host systems. "The vulnerability allowed an unprivileged external
attacker to force their own malicious content to load as Gemini
configuration,"
Read more https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html
