CVE-2026-2544
Unknown Unknown - Not Provided
OS Command Injection in yued-fe LuLu UI run.js (Remote

Publication date: 2026-02-16

Last updated on: 2026-02-16

Assigner: VulDB

Description
A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function child_process.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-02-16
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2544
EUVD
EUVD-2026-6119
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yued-fe lulu_ui to 3.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2544 is a critical OS command injection vulnerability found in yued-fe LuLu UI versions up to 3.0.0. It exists in the function child_process.exec within the run.js file, which executes OS-level commands using dynamically constructed command strings.

Because the exec() function spawns a shell without properly separating arguments, an attacker who can influence the execution environment, Git repository state, or filesystem paths can inject arbitrary OS commands.

This vulnerability allows remote attackers to execute arbitrary OS commands without authentication, potentially compromising the affected system.

Impact Analysis

This vulnerability can lead to remote code execution, allowing attackers to run arbitrary operating system commands on the affected system.

Such an attack can compromise the confidentiality, integrity, and availability of the system, potentially leading to unauthorized data access, data modification, or service disruption.

It is especially dangerous in shared development environments, CI/CD pipelines, or systems where untrusted users or automated processes can modify the repository or filesystem.

Compliance Impact

I don't know

Detection Guidance

There are no specific detection commands or network/system detection methods provided for this vulnerability in the available information.

Mitigation Strategies

No known mitigations or countermeasures are currently available for this vulnerability.

It is suggested to replace the affected product (yued-fe LuLu UI up to version 3.0.0) with an alternative solution to avoid exposure to this OS command injection flaw.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2544. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart