Description
A weakness has been identified in jishi node-sonos-http-api up to 3776f0ee2261c924c7b7204de121a38100a08ca7. Affected is the function Promise of the file lib/tts-providers/mac-os.js of the component TTS Provider. This manipulation of the argument phrase causes os command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

A remote OS command injection flaw exists in the TTS provider's promise function for mac‑os.js in the node‑sonos‑http‑api project. The vulnerability allows an attacker to supply crafted input as the phrase argument, causing arbitrary shell commands to be executed on the host. The injected commands can alter system state, exfiltrate data, or compromise the server, leading to full compromise of confidentiality, integrity and availability.

Affected Systems

The flaw affects all deployments of the jishi node‑sonos‑http‑api package prior to the unknown fix commit 3776f0ee2261c924c7b7204de121a38100a08ca7. Because the project follows a rolling release cycle, specific version numbers are absent, but any instance built from sources before the patch is vulnerable.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability is considered medium to high severity. The EPSS score of less than 1% indicates a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. An attacker must be able to reach the TTS provider over the network for remote exploitation, which is plausible if the service is exposed to the internet or accessible from an attacker’s internal network.

Generated by OpenCVE AI on April 18, 2026 at 12:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the node‑sonos‑http‑api package to a safe commit or a release that includes the OS command injection fix.
  • If an immediate update is not possible, restrict network exposure of the TTS provider by placing it behind a firewall or VPN and limiting inbound access to trusted hosts.
  • Enable logging and actively monitor for anomalous command execution patterns or abnormal use of the phrase parameter to detect potential exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 12:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 07:30:00 +0000

Type Values Removed Values Added
References

Wed, 18 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Jishi
Jishi node-sonos-http-api
Vendors & Products Jishi
Jishi node-sonos-http-api

Tue, 17 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in jishi node-sonos-http-api up to 3776f0ee2261c924c7b7204de121a38100a08ca7. Affected is the function Promise of the file lib/tts-providers/mac-os.js of the component TTS Provider. This manipulation of the argument phrase causes os command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Title jishi node-sonos-http-api TTS Provider mac-os.js Promise os command injection
Weaknesses CWE-77
CWE-78
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Jishi Node-sonos-http-api
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:16:24.177Z

Reserved: 2026-02-17T13:47:54.918Z

Link: CVE-2026-2629

cve-icon Vulnrichment

Updated: 2026-02-18T20:43:24.404Z

cve-icon NVD

Status : Deferred

Published: 2026-02-17T22:18:45.653

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2629

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:15:15Z

Weaknesses