Description
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.
Published: 2026-02-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of special elements used in a command, allowing a crafted network request to inject arbitrary commands into the system. This flaw enables an attacker to execute arbitrary shell commands on the host running Owl opds, compromising confidentiality, integrity, and availability of the affected device and any connected systems. The weakness matches CWE‑77.

Affected Systems

The flaw affects Owl Cyberdefense’s Owl opds product, specifically version 2.2.0.4. No other versions are listed as vulnerable, but the confirmed exploit targets the 2.2.0.4 build.

Risk and Exploitability

The CVSS v4.0 score of 8.7 indicates a high severity level. The EPSS estimate is below 1%, suggesting that exploit attempts are currently rare, and the vulnerability is not included in the CISA KEV catalog. The likely attack vector is a remote network request that reaches the vulnerable endpoint, requiring only network connectivity to the affected system.

Generated by OpenCVE AI on April 17, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a later Owl opds release that fixes the command injection flaw.
  • Restrict network access to the Owl opds interface to trusted IP addresses to limit exposure while a patch is applied.
  • Deploy application or web‑firewall rules to block or sanitize inputs that are used in command‑line executions, providing a temporary mitigating measure.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Owlcyberdefense
Owlcyberdefense opds-100
Owlcyberdefense opds-1000
Owlcyberdefense opds-talon
CPEs cpe:2.3:h:owlcyberdefense:opds-1000:-:*:*:*:*:*:*:*
cpe:2.3:h:owlcyberdefense:opds-100:-:*:*:*:*:*:*:*
cpe:2.3:o:owlcyberdefense:opds-talon:2.2.0.4:*:*:*:*:*:*:*
Vendors & Products Owlcyberdefense
Owlcyberdefense opds-100
Owlcyberdefense opds-1000
Owlcyberdefense opds-talon
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Owl
Owl opds
Vendors & Products Owl
Owl opds

Fri, 20 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.
Title Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds
Weaknesses CWE-77
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-02-20T23:04:14.340Z

Reserved: 2026-02-11T09:59:47.766Z

Link: CVE-2026-26093

Vulnrichment

Updated: 2026-02-20T17:58:09.344Z

NVD

Status: Analyzed

Published: 2026-02-20T17:25:53.847

Modified: 2026-02-27T17:08:38.730

Link: CVE-2026-26093

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses