CVE-2026-50871
Deferred Deferred - Pending Action

OS Command Injection in Reminiscence v0.3.0

Vulnerability report for CVE-2026-50871, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

An OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-15
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kanishka-linux reminiscence 0.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-50871 is an OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence version 0.3.0.

The vulnerability occurs because the application does not validate the 'download_manager' setting before using it in commands executed by the Windows shell.

An authenticated user can supply a specially crafted 'download_manager' value containing command separators and malicious commands. When the server processes media archiving or export actions, it executes this value as a shell command, allowing arbitrary command execution.

This affects Windows deployments where the stored downloader is invoked, running commands with the privileges of the Reminiscence server process.

Impact Analysis

This vulnerability allows an authenticated user to execute arbitrary commands on the server running Reminiscence on Windows.

An attacker could leverage this to run malicious code with the same privileges as the Reminiscence server process, potentially leading to unauthorized access, data manipulation, or disruption of services.

Since the attack requires an authenticated user and affects Windows deployments, the impact depends on the environment and user privileges.

Detection Guidance

This vulnerability can be detected by checking if the Reminiscence v0.3.0 application is running on a Windows system and if an authenticated user has set the download_manager setting to a value containing command separators or suspicious commands.

Since the vulnerability involves execution of the download_manager setting as a shell command, you can audit the configuration for unusual or unexpected command strings.

  • Review the download_manager setting in the application configuration for suspicious command injection patterns.
  • On the Windows server, monitor process creation logs or command execution logs for unexpected shell commands originating from the Reminiscence process.
  • Use PowerShell or command prompt to query the current download_manager setting if accessible, for example by inspecting configuration files or application settings.
Mitigation Strategies

Immediate mitigation steps include restricting authenticated users from modifying the download_manager setting to prevent injection of malicious commands.

Additionally, if possible, disable or restrict the media archiving and export pipeline functionality until a patch or fix is applied.

Ensure that the Reminiscence server is not running on Windows systems if this functionality is not required, as non-Windows systems are not affected.

Monitor and audit the application logs and system process executions for suspicious activity related to this vulnerability.

Compliance Impact

CVE-2026-50871 allows an authenticated user to execute arbitrary commands on the affected system, which could lead to unauthorized access, data manipulation, or data exfiltration.

Such unauthorized command execution and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity.

Specifically, if personal or protected health information is processed or stored by the affected system, this vulnerability could lead to breaches of confidentiality and integrity, resulting in non-compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50871. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart