CVE-2026-50871
Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
An OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands by supplying crafted input.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
kanishka-linux | reminiscence | 0.3.0
CWE ID Description
CWE-UNKNOWN
Executive Summary

CVE-2026-50871 is an OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence version 0.3.0.

The vulnerability occurs because the application does not validate the 'download_manager' setting before using it in commands executed by the Windows shell.

An authenticated user can supply a specially crafted 'download_manager' value containing command separators and malicious commands. When the server processes media archiving or export actions, it executes this value as a shell command, allowing arbitrary command execution.

This affects Windows deployments where the stored downloader is invoked, running commands with the privileges of the Reminiscence server process.

Impact Analysis

This vulnerability allows an authenticated user to execute arbitrary commands on the server running Reminiscence on Windows.

An attacker could leverage this to run malicious code with the same privileges as the Reminiscence server process, potentially leading to unauthorized access, data manipulation, or disruption of services.

Since the attack requires an authenticated user and affects Windows deployments, the impact depends on the environment and user privileges.

Detection Guidance

Exposure can be identified by checking whether Reminiscence v0.3.0 is running on a Windows system and whether an authenticated user has set the download_manager setting to a value containing command separators or suspicious commands.

Since the vulnerability involves execution of the download_manager setting as a shell command, you can audit the configuration for unusual or unexpected command strings.

  • Review the download_manager setting in the application configuration for suspicious command injection patterns.
  • On the Windows server, monitor process creation logs or command execution logs for unexpected shell commands originating from the Reminiscence process.
  • Use PowerShell or command prompt to query the current download_manager setting if accessible, for example by inspecting configuration files or application settings.
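
An added example (not from the advisory or the Reminiscence project) of the configuration audit described above: it flags stored download_manager values that contain cmd.exe metacharacters or name an unexpected program. The allowlist, the function names and the sample rows are assumptions; reading the values out of the application's storage is left to the operator.

```python
import re

# Characters that cmd.exe treats as control syntax rather than data.
CMD_METACHARS = {
    "&": "command separator",
    "|": "pipe or conditional separator",
    "<": "input redirection",
    ">": "output redirection",
    "^": "escape character",
    "%": "environment variable expansion",
    "\n": "line break",
}

# Hypothetical allowlist: replace with the downloaders you actually deploy.
EXPECTED_DOWNLOADERS = {"wget", "curl"}


def audit_download_manager(value, expected=EXPECTED_DOWNLOADERS):
    """Return a list of findings for one stored download_manager value."""
    findings = [
        f"shell metacharacter {ch!r}: {meaning}"
        for ch, meaning in CMD_METACHARS.items()
        if ch in value
    ]
    # First token is the program the shell starts; reduce any path to a bare name.
    tokens = value.strip().split()
    program = tokens[0].strip('"').lower() if tokens else ""
    name = re.split(r"[\\/]", program)[-1].removesuffix(".exe")
    if name not in expected:
        findings.append(f"unexpected program {name!r}")
    return findings


def audit_all(rows):
    """Map each flagged user to its findings; rows are (user, value) pairs."""
    audited = ((user, audit_download_manager(value)) for user, value in rows)
    return {user: findings for user, findings in audited if findings}


# Constructed sample rows, not taken from any real deployment.
SAMPLE_ROWS = [
    ("alice", "wget"),
    ("bob", r"C:\tools\curl.exe --silent"),
    ("mallory", "wget & whoami"),
    ("eve", "notepad.exe"),
]

if __name__ == "__main__":
    print(audit_all(SAMPLE_ROWS))
```

Any value this reports should be compared with process creation logs for the Reminiscence server process over the period the value was stored.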

Mitigation Strategies

Immediate mitigation steps include restricting authenticated users from modifying the download_manager setting to prevent injection of malicious commands.

Additionally, if possible, disable or restrict the media archiving and export pipeline functionality until a patch or fix is applied.

Ensure that the Reminiscence server is not running on Windows systems if this functionality is not required, as non-Windows systems are not affected.

Monitor and audit the application logs and system process executions for suspicious activity related to this vulnerability.
