CVE-2019-25441
CRITICAL WAF: High
CVSS 9.8
Published: 2026-02-20
CWE-78
thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| kostasmitroglou | thesystem | 1.0.0 |
References
- github.com (Product)
- www.exploit-db.com (Exploit, VDB Entry)
- www.vulncheck.com (Broken Link)