CVE-2025-70831
Awaiting Analysis
Remote Code Execution in Smanga 3.2.7 via Unsanitized mediaId

Publication date: 2026-02-20

Last updated on: 2026-02-26

Assigner: MITRE

Description
A Remote Code Execution (RCE) vulnerability was found in Smanga 3.2.7 in the /php/path/rescan.php interface. The application fails to properly sanitize user-supplied input in the mediaId parameter before using it in a system shell command. This allows an unauthenticated attacker to inject arbitrary operating system commands, leading to complete server compromise.
Meta Information
Published: 2026-02-20
Last Modified: 2026-02-26
Generated: 2026-05-27
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
lkw199711 | smanga | 3.2.7
CWE ID | Description
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-70831 is a critical Remote Code Execution (RCE) vulnerability found in Smanga version 3.2.7, specifically in the /php/path/rescan.php endpoint.

The vulnerability occurs because the application does not properly sanitize the user-supplied "mediaId" parameter before using it in a system shell command. This parameter is directly concatenated into a command string that is executed on the server.

As a result, an unauthenticated attacker can inject arbitrary operating system commands by including special characters such as backticks (`), semicolons (;), or pipes (|) in the mediaId parameter.

This leads to a form of OS Command Injection (CWE-78) and Improper Neutralization of Special Elements used in a Command (CWE-77), allowing the attacker to execute commands on the server without authentication.

A proof of concept shows that an attacker can execute commands like `id` and redirect the output to a file in the web root, confirming successful exploitation. [1]


How can this vulnerability impact me?

This vulnerability allows an unauthenticated attacker to execute arbitrary operating system commands on the server hosting Smanga 3.2.7.

The impact is critical because it can lead to complete server compromise, including full control over the server.

  • Attackers can compromise confidentiality by accessing sensitive data stored on the server.
  • Integrity can be compromised by modifying or deleting data or system files.
  • Availability can be affected by disrupting server operations or deploying malicious payloads.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /php/path/rescan.php endpoint for command injection via the mediaId POST parameter.

You can send a crafted POST request with a payload that attempts to inject operating system commands. For example, using curl:

  • curl -X POST -d "mediaId=`id>hello.txt`" http://target/php/path/rescan.php

After sending the request, check if the file hello.txt is created in the web root directory. Retrieving and inspecting this file will confirm if command execution was successful.

Tools like Burp Suite can also be used to craft and send such requests to test for this vulnerability. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves properly sanitizing the user input before it is used in any shell command.

Specifically, avoid directly concatenating the mediaId parameter into shell commands. Use secure functions such as escapeshellarg() to neutralize special characters.

Alternatively, avoid executing shell commands with user input altogether if possible.

Applying these changes will prevent attackers from injecting arbitrary commands and protect the server from full compromise.
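
The mitigations above, sketched in PHP as an added example; this is not Smanga's source code. SCANNER (here /bin/echo as a stand-in for the real rescan worker), the function names and the rule that mediaId is a numeric id are assumptions.

```php
<?php
// Added illustration, not Smanga's source code. SCANNER, the function names
// and the "mediaId is a numeric id" rule are assumptions.
const SCANNER = '/bin/echo'; // stand-in for the real rescan worker

// Pattern the advisory describes: request input concatenated into a shell
// string. Shown only as a string; it is never executed here.
function command_unsafe(string $mediaId): string
{
    return SCANNER . ' --media ' . $mediaId;
}

// Allow-list check: reject anything that is not a plain positive integer.
function valid_media_id(string $mediaId): bool
{
    return preg_match('/\A[1-9][0-9]{0,9}\z/', $mediaId) === 1;
}

// Hardened: validate, then run without a shell. An array command (PHP 7.4+)
// makes proc_open() start the program directly, so shell metacharacters in
// an argument have no special meaning.
function run_rescan(string $mediaId): string
{
    if (!valid_media_id($mediaId)) {
        throw new InvalidArgumentException('mediaId must be a positive integer');
    }
    $proc = proc_open([SCANNER, '--media', $mediaId], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start rescan worker');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return trim($out);
}

// Constructed sample inputs; the last is the probe string quoted on this page.
foreach (['42', '42; id', '`id>hello.txt`'] as $input) {
    echo 'input:    ', $input, PHP_EOL;
    echo 'unsafe:   ', command_unsafe($input), PHP_EOL;
    // If a shell string is unavoidable, escapeshellarg() yields one quoted word.
    echo 'quoted:   ', SCANNER, ' --media ', escapeshellarg($input), PHP_EOL;
    try {
        echo 'hardened: ', run_rescan($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'hardened: rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Only the first input reaches the worker; the other two are rejected by the allow-list before any process is started.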

