CVE-2026-28801: CWE-94: Improper Control of Generation of Code ('Code Injection') in NatroTeam NatroMacro
CVE-2026-28801 is a code injection vulnerability in NatroTeam's NatroMacro, an AutoHotkey-based macro for Bee Swarm Simulator. Versions prior to 1.1.0 execute any AutoHotkey code embedded in shared pattern or path files, allowing attackers to run arbitrary code silently alongside legitimate macro operations. Exploitation requires user interaction: a user must load a maliciously crafted file, and the embedded code then runs with that user's privileges. The vulnerability impacts confidentiality and integrity but not availability, and has been patched in version 1.1.0. No known exploits are currently reported in the wild. Organizations using vulnerable versions should update immediately and avoid untrusted pattern/path files.
AI Analysis
Technical Summary
CVE-2026-28801 is a code injection vulnerability classified under CWE-94 affecting NatroTeam's NatroMacro, an open-source macro tool written in AutoHotkey for the Bee Swarm Simulator game. Prior to version 1.1.0, the macro automatically executes any AutoHotkey code embedded within pattern or path files used by the macro. Since users commonly share these files within the gaming community, an attacker can craft a malicious pattern or path file containing harmful AutoHotkey scripts. When a victim loads such a file, the embedded code executes silently alongside the intended macro functions, enabling the attacker to perform arbitrary actions on the victim's system. The execution context is limited to the privileges of the user running the macro, and exploitation requires the victim to open or import the malicious file, implying user interaction. The vulnerability does not affect system availability but compromises confidentiality and integrity by allowing unauthorized code execution. The issue was addressed and patched in version 1.1.0 of NatroMacro. No known exploits have been reported in the wild to date. The CVSS v3.1 score of 6.6 reflects a medium severity, considering the local attack vector, low attack complexity, required privileges, and user interaction. This vulnerability highlights the risks of executing untrusted code embedded in shared files within user communities.
Potential Impact
The primary impact of CVE-2026-28801 is unauthorized code execution on affected systems, leading to potential compromise of user data confidentiality and integrity. Attackers can execute arbitrary AutoHotkey scripts, which may include keylogging, data exfiltration, or lateral movement within the user's environment. Although the attack requires user interaction and local access, the widespread sharing of pattern/path files in the Bee Swarm Simulator community increases the risk of inadvertent compromise. Organizations or individuals using vulnerable versions of NatroMacro may face targeted attacks aiming to steal credentials, manipulate game data, or use the compromised system as a foothold for further attacks. The vulnerability does not directly impact system availability but can undermine trust in shared files and community resources. Given the niche nature of the product, the broader organizational impact is limited but significant within affected user groups.
Mitigation Recommendations
1. Upgrade NatroMacro to version 1.1.0 or later, where this vulnerability is patched.
2. Avoid downloading or importing pattern or path files from untrusted or unknown sources.
3. Implement strict file validation or sandboxing mechanisms before loading shared files to detect or prevent execution of embedded AutoHotkey code.
4. Educate users within the gaming community about the risks of executing untrusted macros and shared files.
5. Employ endpoint security solutions capable of detecting suspicious AutoHotkey script execution or anomalous behaviors associated with macro execution.
6. Consider restricting AutoHotkey script execution policies on organizational systems to limit unauthorized script runs.
7. Monitor user systems for unusual activity following the use of shared macro files, including unexpected network connections or file modifications.
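Recommendation 3 above asks for file validation before a shared file is loaded. The script below is an added example of an allowlist-style pre-load validator; it is not NatroMacro's own code and the page does not describe the real pattern file format. It assumes a hypothetical line-oriented format in which a legitimate pattern contains only comments, blank lines and calls to a small set of movement helpers (hypothetically named walk, turn and wait). Every other statement, including any other AutoHotkey command, is reported so the file can be rejected instead of executed. The sample files embedded in the script are constructed for the demonstration.

```python
"""Allowlist validator for shared macro pattern/path files.

Added example, not NatroMacro's own code. The pattern format, the helper
names and the sample files below are assumptions made for illustration.
Design choice: an allowlist of exactly what a pattern is permitted to
contain, rather than a denylist of known-bad AutoHotkey commands, so
anything unexpected fails closed.
"""
import re
from dataclasses import dataclass

# Hypothetical allowlist: the only helpers a legitimate pattern may call.
ALLOWED_CALLS = {"walk", "turn", "wait"}

# One statement per line: name(args), where args may only be simple
# literals (letters, digits, dots, commas, spaces, quotes). Nested calls,
# %variable% dereferences, backslashes and operators do not match and are
# therefore rejected.
_CALL_RE = re.compile(r"""^([A-Za-z_]\w*)\(([\w\s.,"']*)\)$""")


@dataclass
class Finding:
    line_no: int
    text: str
    reason: str


def validate_pattern(text: str) -> list[Finding]:
    """Return one Finding per line that is not an allowlisted statement."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or AutoHotkey comment
            continue
        match = _CALL_RE.fullmatch(line)
        if match is None:
            findings.append(Finding(line_no, raw, "not an allowlisted call statement"))
            continue
        name = match.group(1).lower()
        if name not in ALLOWED_CALLS:
            findings.append(Finding(line_no, raw, f"call to non-allowlisted helper {name!r}"))
    return findings


def is_safe_to_load(text: str) -> bool:
    """True only when the file contains nothing outside the allowlist."""
    return not validate_pattern(text)


# Constructed sample: a movement-only pattern that should pass.
CLEAN_PATTERN = """\
; constructed sample: legitimate movement-only pattern
walk("e", 5)
turn(90)
wait(1.5)
"""

# Constructed sample: looks like a pattern but carries extra statements.
TAMPERED_PATTERN = """\
; constructed sample: pattern with foreign statements mixed in
walk("e", 5)
Run, notepad.exe
DllCall("user32\\GetForegroundWindow")
walk(%dir%, 3)
sendtext("hello")
"""

if __name__ == "__main__":
    for label, content in (("clean", CLEAN_PATTERN), ("tampered", TAMPERED_PATTERN)):
        problems = validate_pattern(content)
        print(f"{label}: {'OK to load' if not problems else 'REJECT'}")
        for f in problems:
            print(f"  line {f.line_no}: {f.reason}: {f.text}")
```

The validator is deliberately strict: a line with a trailing inline comment, a continuation section or any argument beyond a plain literal is rejected, because the goal is to refuse anything the macro would have to interpret as code. Run it as a gate in front of the import step and load the file only when `is_safe_to_load` returns true.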
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, France, Brazil, South Korea, Japan, Russia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T14:25:19.246Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa7bb0c48b3f10ff24586e
Added to database: 3/6/2026, 7:01:04 AM
Last enriched: 3/6/2026, 7:15:59 AM
Last updated: 3/6/2026, 3:16:57 PM