Description
A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function child_process.exec of the file run.js. The manipulation results in OS command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-16
Score: 6.9 Medium (CVSS 4.0; the CVSS 3.1 base score recorded below is 7.3 High)
EPSS: 2.2% Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability is an OS command injection flaw (CWE-78) in a call to child_process.exec in the run.js file of LuLu UI. child_process.exec hands its command string to a shell (/bin/sh -c on Unix-like systems, cmd.exe on Windows), so a remote attacker who can influence that string can append shell metacharacters and run arbitrary commands on the host with the privileges of the Node.js process. This can result in unauthorized data access, modification of system files, and disruption of service, compromising confidentiality, integrity, and availability; the published CVSS vectors rate each of these impacts as Low (partial), matching the SSVC "Technical Impact: partial" assessment.

Affected Systems

All instances of yued-fe LuLu UI up to and including version 3.0.0 are affected. As of this page's last enrichment (2026-04-18), no later release is documented to contain a fix, and the vendor has neither issued a public patch announcement nor responded to the reporter.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 is Medium severity (the CVSS 3.0/3.1 vectors score the same flaw at 7.3, High), and an EPSS score of 2.2% indicates that exploitation is possible but not widespread. The flaw is exploitable remotely: the vectors record AV:N/AC:L/PR:N/UI:N, meaning a network-reachable, unauthenticated path that needs no user interaction, and the SSVC record marks it Automatable: yes with no exploitation observed at publication. The advisory does not state the exact entry point, only that attacker-controlled input reaches the child_process.exec call in run.js. Although the product is not listed in the CISA KEV catalog, the combination of a remote attack vector and the potential for arbitrary command execution makes this vulnerability a high priority for remediation.

Generated by OpenCVE AI on April 18, 2026 at 18:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a LuLu UI release that removes or hardens the vulnerable child_process.exec usage in run.js, if and when the vendor publishes one; none is documented at the time of writing.
  • Until then, restrict access to any LuLu UI deployment that exposes the functionality behind run.js to authenticated, trusted users and networks, and disable the affected functionality where it is not needed.
  • Validate all external input against a strict allowlist before it reaches a system command, and prefer child_process.execFile or child_process.spawn with an argument array over child_process.exec with a concatenated command string (without the shell: true option, which reintroduces the shell), following the guidance for CWE-77 and CWE-78.
  • Continuously monitor system and application logs for unexpected child processes spawned by the Node.js service and for shell metacharacters in request parameters, and investigate promptly.

Generated by OpenCVE AI on April 18, 2026 at 18:00 UTC.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Yued-fe; Yued-fe lulu Ui

Type: Vendors & Products
Values Removed: (none)
Values Added: Yued-fe; Yued-fe lulu Ui

Mon, 16 Feb 2026 07:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function child_process.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: yued-fe LuLu UI run.js child_process.exec os command injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-77; CWE-78

Type: References
Values Removed: (none)
Values Added: (none shown on this page)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0
  {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}

  cvssV3_0
  {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

  cvssV3_1
  {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

  cvssV4_0
  {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:07:02.819Z

Reserved: 2026-02-15T15:54:20.415Z

Link: CVE-2026-2544

Vulnrichment

Updated: 2026-02-17T21:06:47.359Z

NVD

Status: Deferred

Published: 2026-02-16T08:16:05.287

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses