CVE-2026-7705
Command Injection in JD Cloud JDCOS
Publication date: 2026-05-03
Last updated on: 2026-05-03
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jd_cloud | jdcost | 4.5.1.r4518 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in JD Cloud JDCOS version 4.5.1.r4518, specifically in the function set_iptv_info within the /jdcap file of the Service Interface component. It allows an attacker to manipulate the argument 'vid' to perform command injection.
The attack can be launched remotely, meaning an attacker does not need physical access to the system to exploit this vulnerability.
The exploit for this vulnerability has already been published, increasing the risk of it being used maliciously.
How can this vulnerability impact me? :
Exploiting this vulnerability can lead to command injection, which means an attacker could execute arbitrary commands on the affected system.
This can result in unauthorized access, data manipulation, service disruption, or further compromise of the system.
Since the attack can be performed remotely, it increases the risk of widespread exploitation without physical access.