CVE-2026-50874
Status: Received - Intake
OS Command Injection in Reminiscence v0.3.0

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
An OS command injection vulnerability in the /manage/features/media component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands by supplying crafted input.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor          Product        Version / Range
shaark          shaark         1.2.44
kanishka-linux  reminiscence   0.3.0
Exploitability
CWE ID: CWE-UNKNOWN
AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-50874 is an OS command injection vulnerability found in the /manage/features/media component of kanishka-linux Reminiscence v0.3.0. It allows attackers to execute arbitrary commands on the server by supplying crafted input.

More specifically, the vulnerability arises because administrator-controlled binary path settings (such as node_bin or youtube_dl_bin) are stored and later concatenated into shell commands without proper validation. An attacker with administrative privileges can inject shell metacharacters into these settings, which are then executed via the exec() function when certain API endpoints like /api/manage/features/media are accessed.

Impact Analysis

This vulnerability allows an authenticated administrator to execute arbitrary OS commands on the server with the privileges of the PHP or web server process.

The impact includes potential full control over the affected server, which could lead to data theft, service disruption, or further compromise of the system.

However, the risk is limited in deployments where untrusted users cannot modify these administrator-controlled settings.

Detection Guidance

This vulnerability can be detected by checking if the application allows manipulation of administrator-controlled binary path settings such as `node_bin` or `youtube_dl_bin` that are later used in shell commands without proper validation.

A practical detection method involves attempting to set these binary path settings to include shell metacharacters followed by harmless commands, then accessing the affected API endpoints like `/api/manage/features/media` or `/api/manage/features/pdf` to see if the commands are executed.

  • Check or audit the settings for `node_bin` or `youtube_dl_bin` for suspicious or unexpected values.
  • Use curl or similar tools to access the vulnerable endpoints and observe whether injected commands execute, for example:
    curl -X GET http://yourserver/api/manage/features/media
  • Attempt to inject a command by setting the binary path to something like `/bin/sh; echo vulnerable` and then accessing the endpoint to detect whether the output includes the injected command's result.

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected API endpoints to trusted administrators only, ensuring that only authorized users can modify the binary path settings.

Additionally, validate and sanitize any input used in constructing shell commands to prevent injection of shell metacharacters.

If possible, avoid using shell command execution functions like `exec()` with user-controllable inputs or replace them with safer alternatives.

Monitor and audit changes to the `node_bin` and `youtube_dl_bin` settings to detect unauthorized modifications.
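The following Python is an added illustration of the validation, shell-free execution and settings-audit advice above; it is not code from Reminiscence or from this advisory's source, and the page itself refers to `exec()` rather than Python's `subprocess`. The setting names (`node_bin`, `youtube_dl_bin`), the function names and the sample settings dictionary are assumptions constructed for the example. It contrasts the vulnerable pattern (an administrator-editable path concatenated into one shell string) with a hardened path that validates the setting and passes an argument list with no shell, and it includes an audit helper that flags stored settings containing shell metacharacters.

```python
"""Added illustration (not Reminiscence code): validating administrator-editable
binary-path settings and invoking them without a shell.

Names such as node_bin, youtube_dl_bin, build_unsafe_command and run_tool_safe
are assumptions for this example; the sample settings below are constructed."""
import os
import subprocess

# Characters a POSIX shell treats specially; none of them belong in a path to a binary.
SHELL_META = set(";&|`$<>(){}!*?\"'\\\n\r\t ")

# Settings that, per the advisory, end up inside shell commands.
MANAGED_BINARY_KEYS = ("node_bin", "youtube_dl_bin")


class InvalidBinaryPath(ValueError):
    """Raised when a setting cannot be used as an executable path."""


def validate_binary_path(value: str) -> str:
    """Return value unchanged if it is an absolute, normalized, metacharacter-free
    path to an existing executable; raise InvalidBinaryPath otherwise."""
    if not value:
        raise InvalidBinaryPath("empty path")
    bad = sorted(c for c in set(value) if c in SHELL_META)
    if bad:
        raise InvalidBinaryPath("disallowed characters: %r" % bad)
    if not os.path.isabs(value) or os.path.normpath(value) != value:
        raise InvalidBinaryPath("path must be absolute and normalized")
    if not (os.path.isfile(value) and os.access(value, os.X_OK)):
        raise InvalidBinaryPath("not an existing executable")
    return value


def audit_settings(settings: dict) -> list:
    """Return (key, reason) pairs for managed binary-path settings that fail
    validation; run it over the stored settings as the monitoring/audit step."""
    findings = []
    for key in MANAGED_BINARY_KEYS:
        if key not in settings:
            continue
        try:
            validate_binary_path(settings[key])
        except InvalidBinaryPath as exc:
            findings.append((key, str(exc)))
    return findings


def build_unsafe_command(node_bin: str, url: str) -> str:
    """The vulnerable pattern: the setting is concatenated into a single shell
    string, so any metacharacters in node_bin are parsed as shell syntax."""
    return node_bin + " fetch.js " + url


def run_tool_safe(node_bin: str, url: str) -> str:
    """Hardened form: validate the setting, then pass an argv list with
    shell=False, so the value can only ever name the executable and the URL
    reaches the program as one literal argument."""
    argv = [validate_binary_path(node_bin), "fetch.js", url]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout


def demo_safe_run() -> str:
    """Run the hardened path with /bin/echo standing in for a helper binary
    (it simply prints its arguments); returns "" if /bin/echo is absent."""
    if not os.path.exists("/bin/echo"):
        return ""
    return run_tool_safe("/bin/echo", "http://example.invalid/v")


if __name__ == "__main__":
    # Constructed sample: one setting carries the metacharacters the advisory describes.
    sample = {"node_bin": "/bin/sh; echo vulnerable", "youtube_dl_bin": "/usr/local/bin/youtube-dl"}
    for key, reason in audit_settings(sample):
        print("setting %s rejected: %s" % (key, reason))
    print("unsafe command string:", build_unsafe_command(sample["node_bin"], "http://example.invalid/v"))
    print("safe run output:", demo_safe_run().strip())
```

The audit helper runs the same checks the write path should enforce, so a value that was stored before validation existed (or written directly to the configuration store) is caught on the next audit rather than when the endpoint is hit. Rejecting spaces as well as metacharacters is deliberate: a path to a binary does not need them, and the whitelist keeps the check short and easy to reason about.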
