Description
A security flaw has been discovered in Tosei Online Store Management System ネット店舗管理システム 1.01. The affected code is the system function in the file /cgi-bin/monitor.php, part of the HTTP POST Request Handler component. Manipulating the argument DevId results in OS command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote OS Command Injection
Action: Patch
AI Analysis

Impact

A flaw was discovered in version 1.01 of Tosei Online Store Management System. Manipulating the DevId parameter in a POST request to the /cgi-bin/monitor.php handler enables an attacker to inject arbitrary operating-system commands. Successful exploitation grants the attacker remote code execution on the underlying web server, allowing full compromise of the system, including data exfiltration, modification, or disruption of service. The vulnerability is a classic command injection flaw (CWE-77 / CWE-78) that occurs when untrusted user data is passed directly to a shell execution function without proper sanitization. An attacker can trigger the vulnerability from any remote host that can send HTTP POST requests to the endpoint, potentially without authentication.

Affected Systems

The affected product is Tosei Online Store Management System ネット店舗管理システム, with the vulnerable release identified as version 1.01. No other versions or sub-components were listed as affected in the vendor-provided data.

Risk and Exploitability

The CVSS score of 6.9 (CVSS 4.0) places the issue at the upper end of the Medium severity range, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild at the time of this analysis. Nonetheless, exploit code has been publicly released, so the risk from active attackers is significant. The vulnerability does not appear in the CISA KEV catalog. The likely attack vector is a remote HTTP POST request to the /cgi-bin/monitor.php endpoint, which an attacker could send from any location with network reachability to the web server.

Generated by OpenCVE AI on April 17, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict network access to /cgi-bin/monitor.php so that only trusted IP addresses or internal networks may connect, using a firewall or web-server access control lists.
  • Modify the monitor.php script to sanitize or encode the DevId parameter before it is passed to system() calls, for example by applying PHP escapeshellarg or removing shell metacharacters that could be used to escape the intended command.
  • Continuously monitor web-server logs for abnormal POST requests to monitor.php and block or rate-limit offending IP addresses.
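As an added illustration of the second recommendation, the hypothetical handler below shows the unsafe pattern the advisory describes (untrusted POST data concatenated into a system() call) next to a hardened version that validates DevId against a strict allowlist and then quotes it with escapeshellarg(). This is example code written for this page, not Tosei's monitor.php and not OpenCVE's code; the command being run (/usr/local/bin/devstat), the accepted DevId format, and the function names are assumptions made for illustration.

```php
<?php
// Added example; not Tosei's monitor.php. The command invoked
// (/usr/local/bin/devstat) and the accepted DevId format are assumptions.

// Unsafe pattern (CWE-78): the raw POST value is spliced into the command
// line, so any shell metacharacters it contains are interpreted by the shell.
function run_monitor_unsafe(string $devId): void
{
    system('/usr/local/bin/devstat ' . $devId);   // do not use
}

// Hardened version, step 1: reject anything outside a strict allowlist.
// Assumed format: 1 to 32 characters of letters, digits, hyphen or underscore.
function validate_dev_id(string $devId): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $devId) !== 1) {
        return null;
    }
    return $devId;
}

// Hardened version, step 2: quote the validated value with escapeshellarg()
// so the shell receives it as a single literal argument (defence in depth;
// the allowlist above is the primary control).
function run_monitor_safe(string $devId): ?string
{
    $clean = validate_dev_id($devId);
    if ($clean === null) {
        return null;   // reject rather than try to "clean up" bad input
    }
    $out = [];
    $status = 0;
    exec('/usr/local/bin/devstat ' . escapeshellarg($clean), $out, $status);
    return $status === 0 ? implode("\n", $out) : null;
}

// Request handling: accept POST only and never echo the raw parameter back.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $result = run_monitor_safe((string) ($_POST['DevId'] ?? ''));
    header('Content-Type: text/plain');
    if ($result === null) {
        http_response_code(400);
        echo "invalid DevId\n";
    } else {
        echo $result, "\n";
    }
}
```

The allowlist check does the real work: it bounds the input to a shape the command is designed for, so escapeshellarg() only has to guard against a mistake in the pattern. Rejecting invalid input with a 400 instead of stripping characters also avoids the class of bugs where a "cleaned" value is still interpreted by the shell, and the rejected requests give the log monitoring in the third recommendation something concrete to alert on.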



Advisories

No advisories yet.

History

Each entry below lists the type of change and the values added; no values were removed in any entry.

Fri, 27 Feb 2026 05:15:00 +0000

  • Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 21:00:00 +0000

  • First Time appeared, values added: Tosei-corporation; Tosei-corporation online Store Management System
  • CPEs, values added: cpe:2.3:a:tosei-corporation:online_store_management_system:1.01:*:*:*:*:*:*:*
  • Vendors & Products, values added: Tosei-corporation; Tosei-corporation online Store Management System

Mon, 23 Feb 2026 15:00:00 +0000

  • First Time appeared, values added: Tosei; Tosei online Store Management System
  • Vendors & Products, values added: Tosei; Tosei online Store Management System

Sun, 22 Feb 2026 11:15:00 +0000

  • Description, values added: A security flaw has been discovered in Tosei Online Store Management System ネット店舗管理システム 1.01. Affected is the function system of the file /cgi-bin/monitor.php of the component HTTP POST Request Handler. Performing a manipulation of the argument DevId results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
  • Title, values added: Tosei Online Store Management System ネット店舗管理システム HTTP POST Request monitor.php system os command injection
  • Weaknesses, values added: CWE-77; CWE-78
  • References: (no values shown)
  • Metrics, values added:
      cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T16:53:14.493Z

Reserved: 2026-02-21T17:30:42.308Z

Link: CVE-2026-2944

Vulnrichment

Updated: 2026-02-25T16:53:06.971Z

NVD

Status: Analyzed

Published: 2026-02-22T11:16:13.230

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:45:15Z

Weaknesses