Description
An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request.
Published: 2026-06-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection (CWE-78) in the app.py component of openlabs docker-wkhtmltopdf-aas. Data from a crafted POST request reaches a shell command without adequate validation, so an attacker can run arbitrary commands with the privileges of the web service process, inside the container when the image is run as shipped, and from there compromise the confidentiality, integrity, and availability of everything that process can reach (mounted volumes, network neighbours, and the host itself if the container is privileged).

Affected Systems

The affected product is the openlabs docker‑wkhtmltopdf‑aas Docker image; any instance built from the repository at or before commit 9f50579 is vulnerable. No other vendor or product names are specified beyond this repository.

Risk and Exploitability

No CVSS score is listed, no EPSS score is available, and the vulnerability is not in CISA's KEV catalog. The only precondition is the ability to send a POST request to the service's HTTP endpoint, which the image exposes without authentication; whether that endpoint is reachable from outside the container network depends on how the port was published. Because the flaw permits arbitrary command execution, the risk is high. No public exploitation evidence is reported, but the potential impact warrants urgent remediation.

Generated by OpenCVE AI on June 3, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Track the openlabs repository for a commit that fixes the injection issue and, once one is available, rebuild the image from it or pull the updated image; until then treat every deployed instance as vulnerable.
  • Restrict the web service to trusted networks or put it behind an authenticating reverse proxy, so the POST endpoint is not reachable by unauthenticated clients.
  • In app.py, stop passing request data through a shell: invoke wkhtmltopdf with an argument list (no shell=True), accept only an allowlist of option names, and validate each option value against the format it is supposed to have rather than trying to strip shell delimiters from free‑form input.
  • Run the container as an unprivileged user with a read‑only root filesystem, dropped capabilities, no host mounts, and an AppArmor or SELinux profile, so that a successful injection is confined to the wkhtmltopdf process and cannot reach the host.
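The following is an added example, not the openlabs project's code, that reconstructs the vulnerable shape described under Impact (request fields interpolated into a shell command) next to the hardened form recommended above (argv list, no shell, allowlisted options). The option names, the allowlist and the use of `echo` as a stand‑in binary are assumptions made so that the example runs without wkhtmltopdf installed; with `echo`, each call prints back the command line that would otherwise have been executed.

```python
"""Constructed CWE-78 example for a wkhtmltopdf-style HTTP wrapper.

Not the docker-wkhtmltopdf-aas code: an illustrative vulnerable renderer
next to a hardened one.
"""
import subprocess

# Stand-in for the real binary so the example runs anywhere (assumption).
# echo simply prints the arguments it received, which makes the difference
# between shell parsing and argv passing visible.
BINARY = "echo"

# Allowlisted option names with a per-value check (assumed set; extend as needed).
ALLOWED_OPTIONS = {
    "--page-size": lambda v: v in {"A4", "Letter", "Legal"},
    "--orientation": lambda v: v in {"Portrait", "Landscape"},
    "--margin-top": lambda v: v.isdigit() and int(v) <= 100,
}


def render_unsafe(options: str, output_path: str) -> str:
    """Vulnerable pattern: the raw request field is interpolated into a shell
    string, so ';', '|', '$(...)' and friends in `options` are interpreted."""
    cmd = f"{BINARY} {options} - {output_path}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def build_argv(options: dict, output_path: str) -> list:
    """Validate request options against the allowlist and build an argv list.

    Raises ValueError for unknown option names or values that fail their check,
    so nothing outside the expected shape reaches the binary at all."""
    argv = [BINARY]
    for name, value in options.items():
        check = ALLOWED_OPTIONS.get(name)
        if check is None or not isinstance(value, str) or not check(value):
            raise ValueError(f"rejected option {name!r}")
        argv += [name, value]
    argv += ["-", output_path]
    return argv


def render_safe(options: dict, output_path: str) -> str:
    """Hardened pattern: argv list and no shell, so every element is delivered
    to the binary verbatim; there is no parser left to inject into."""
    argv = build_argv(options, output_path)
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed payload: a legitimate-looking option followed by a second command.
    payload = "--page-size A4; echo INJECTED"
    print("unsafe:\n" + render_unsafe(payload, "/tmp/out.pdf"))
    try:
        render_safe({"--page-size": "A4; echo INJECTED"}, "/tmp/out.pdf")
    except ValueError as exc:
        print("safe rejected:", exc)
    print("safe:\n" + render_safe({"--page-size": "A4"}, "/tmp/out.pdf"))
```

With `BINARY` set to `echo`, the unsafe path prints two lines because the shell split the payload into two commands, while the hardened path rejects the payload at validation and, even if validation were skipped, would hand `A4; echo INJECTED` to the binary as a single argument. Replacing `BINARY` with the real `wkhtmltopdf` path changes nothing about the control flow.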


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 17:45:00 +0000

Type | Values Removed | Values Added
Title | | OS Command Injection in Docker‑based wkhtmltopdf‑as Service
Weaknesses | | CWE-78

Wed, 03 Jun 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request.
References | |


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T14:56:28.089Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36576

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-03T16:16:28.877

Modified: 2026-06-03T16:16:28.877

Link: CVE-2026-36576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T17:30:36Z

Weaknesses