Description
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.
Published: 2026-02-20
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Patch ASAP
AI Analysis

Impact

A flaw in Owl CyberDefense opds 2.2.0.4 allows an attacker to inject and execute arbitrary commands through a crafted network request. This command injection results from improper neutralization of special elements used in command construction, giving attackers total control over the host, compromising confidentiality, integrity, and availability. The weakness is a classic Command Injection classified as CWE‑77.

Affected Systems

Affected products include Owl CyberDefense opds as indicated by the CPE entries for opds‑1000, opds‑100, and the specific 2.2.0.4 release of opds‑talon. Administrators should verify whether their deployment matches any of these identifiers to determine applicability.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.2, indicating critical severity; the history below records this as the CVSS v4.0 score, with the CVSS v3.1 vector scoring 9.8. The EPSS score is less than 1%, suggesting a low current exploitation probability, and the flaw is not listed in the CISA KEV catalog, although absence from KEV does not rule out exploitation by skilled threat actors. The attack vector is remote over the network, requiring a crafted request directed at the opds service, which, if successful, grants the attacker system‑level execution privileges.

Generated by OpenCVE AI on April 17, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Owl opds to the latest patched version once released by the vendor.
  • Restrict network access to the opds service by allowing traffic only from trusted IP addresses or within a secured internal network.
  • Monitor system logs for unexpected command executions and deploy intrusion detection to flag suspicious activity.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Owlcyberdefense
Owlcyberdefense opds-100
Owlcyberdefense opds-1000
Owlcyberdefense opds-talon
CPEs cpe:2.3:h:owlcyberdefense:opds-1000:-:*:*:*:*:*:*:*
cpe:2.3:h:owlcyberdefense:opds-100:-:*:*:*:*:*:*:*
cpe:2.3:o:owlcyberdefense:opds-talon:2.2.0.4:*:*:*:*:*:*:*
Vendors & Products Owlcyberdefense
Owlcyberdefense opds-100
Owlcyberdefense opds-1000
Owlcyberdefense opds-talon
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Owl
Owl opds
Vendors & Products Owl
Owl opds

Fri, 20 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.
Title Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds
Weaknesses CWE-77
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-02-20T23:04:22.532Z

Reserved: 2026-02-11T09:59:52.482Z

Link: CVE-2026-2333

Vulnrichment

Updated: 2026-02-20T17:59:02.884Z

NVD

Status: Analyzed

Published: 2026-02-20T17:25:57.570

Modified: 2026-02-26T23:10:43.847

Link: CVE-2026-2333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z