Description
A flaw has been found in Tosei Self-service Washing Machine 4.02. Impacted is an unknown function of the file /cgi-bin/tosei_datasend.php. Executing a manipulation of the argument adr_txt_1 can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-16
Score: 6.9 Medium
EPSS: 2.1% Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

A command injection flaw exists in the /cgi-bin/tosei_datasend.php of the Tosei Self‑service Washing Machine 4.02. By manipulating the adr_txt_1 argument an attacker can achieve arbitrary command execution on the machine, compromising its integrity and potentially exposing connected networks. The weakness corresponds to CWE‑74 and CWE‑77.

Affected Systems

The affected product is the Tosei Self‑service Washing Machine, version 4.02, sold by the vendor Tosei.

Risk and Exploitability

The vulnerability bears a CVSS score of 6.9 and an EPSS of 2 %, indicating moderate severity and a low but non‑negligible likelihood of exploitation. It appears that the attack vector is remote and the exploit has already been published. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 17, 2026 at 19:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a firmware update or patch from the manufacturer if available.
  • Block external access to /cgi-bin/tosei_datasend.php using a firewall, NAT rule, or network segmentation to prevent remote exploitation.
  • If a patch is not available, consider disabling or removing the affected service or replacing the unit with a device that does not expose the vulnerable script.

Generated by OpenCVE AI on April 17, 2026 at 19:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Tosei
Tosei self-service Washing Machine
Vendors & Products Tosei
Tosei self-service Washing Machine

Mon, 16 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Tosei Self-service Washing Machine 4.02. Impacted is an unknown function of the file /cgi-bin/tosei_datasend.php. Executing a manipulation of the argument adr_txt_1 can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Tosei Self-service Washing Machine tosei_datasend.php command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tosei Self-service Washing Machine
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:05:13.419Z

Reserved: 2026-02-15T09:12:14.856Z

Link: CVE-2026-2533

cve-icon Vulnrichment

Updated: 2026-02-17T16:33:20.324Z

cve-icon NVD

Status : Deferred

Published: 2026-02-16T04:15:52.283

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2533

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses