CVE-2026-2544
OS Command Injection in yued-fe LuLu UI run.js (Remote
Publication date: 2026-02-16
Last updated on: 2026-02-16
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yued-fe | lulu_ui | up to 3.0.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2544 is a critical OS command injection vulnerability found in yued-fe LuLu UI versions up to 3.0.0. It exists in the function child_process.exec within the run.js file, which executes OS-level commands using dynamically constructed command strings.
Because the exec() function spawns a shell without properly separating arguments, an attacker who can influence the execution environment, Git repository state, or filesystem paths can inject arbitrary OS commands.
This vulnerability allows remote attackers to execute arbitrary OS commands without authentication, potentially compromising the affected system.
How can this vulnerability impact me?
This vulnerability can lead to remote code execution, allowing attackers to run arbitrary operating system commands on the affected system.
Such an attack can compromise the confidentiality, integrity, and availability of the system, potentially leading to unauthorized data access, data modification, or service disruption.
It is especially dangerous in shared development environments, CI/CD pipelines, or systems where untrusted users or automated processes can modify the repository or filesystem.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system detection methods provided for this vulnerability in the available information.
What immediate steps should I take to mitigate this vulnerability?
No known mitigations or countermeasures are currently available for this vulnerability.
It is suggested to replace the affected product (yued-fe LuLu UI up to version 3.0.0) with an alternative solution to avoid exposure to this OS command injection flaw.