CVE-2026-2184
Awaiting Analysis Awaiting Analysis - Queue
OS Command Injection in Great Developers Certificate Generation System

Publication date: 2026-02-08

Last updated on: 2026-02-24

Assigner: VulDB

Description
A vulnerability was detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This vulnerability affects unknown code of the file /restructured/csv.php. The manipulation of the argument photo results in os command injection. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The code repository of the project has not been active for many years.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2184
EUVD
EUVD-2026-5766
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
greatdevelopers certificate to 2017-10-16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2184 is a critical OS command injection vulnerability in the Great Developers Certificate Generation System, specifically in the file /restructured/csv.php. The vulnerability occurs because the 'photo' argument is improperly sanitized before being used in operating system commands, allowing attackers to inject arbitrary OS commands."}, {'type': 'paragraph', 'content': 'This flaw corresponds to CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and is related to CWE-77 and CWE-74. It allows remote attackers to execute commands on the affected system without authentication.'}, {'type': 'paragraph', 'content': 'The product uses a rolling release model, so exact affected versions are unclear, and the code repository has been inactive for years, with no known mitigations.'}] [1]

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary operating system commands on the affected system without any authentication.

As a result, attackers can compromise the confidentiality, integrity, and availability of the system.

Potential impacts include unauthorized access to sensitive data, modification or deletion of files, disruption of services, and complete system takeover.

Because the system does not validate uploaded archive contents, it is also vulnerable to Zip Slip attacks and file overwrite vulnerabilities, increasing the risk of further exploitation.

Due to the lack of active maintenance and no published mitigations, it is recommended to replace the affected software with an alternative.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by identifying instances of the Great Developers Certificate Generation System that expose the vulnerable file `/restructured/csv.php` to the network. Potential attackers can locate vulnerable instances using Google dorking with queries like `inurl:restructured/csv.php`.

Since the vulnerability involves OS command injection via the `photo` argument, monitoring web requests for suspicious or unusual input in this parameter may help detect exploitation attempts.

No specific detection commands are provided, but network administrators can use web server logs or intrusion detection systems to look for HTTP requests targeting `/restructured/csv.php` with unusual or shell command-like payloads in the `photo` parameter.

Mitigation Strategies

Immediate mitigation steps include replacing the affected software with an alternative product, as the project’s code repository has been inactive for many years and no known mitigations or countermeasures have been published.

Since the vulnerability allows remote OS command injection without authentication, it is critical to restrict access to the vulnerable endpoint `/restructured/csv.php` by network-level controls such as firewalls or web application firewalls (WAFs).

Additionally, monitoring and blocking suspicious inputs to the `photo` argument can help reduce risk until the software is replaced.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2184. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart