Impact
This vulnerability occurs in the /stream-to-vlc Express route of the Zenshin application. An attacker can supply a specially crafted url parameter that is directly used in an OS shell command without proper sanitization, leading to execution of arbitrary commands on the host running Zenshin and full compromise of the system. The weakness corresponds to OS Command Injection (CWE-78).
Affected Systems
The flaw affects all instances of Zenshin prior to version 2.7.0, including the source distributed under the GitHub repository hitarth-gg/zenshin. Based on the description, it is inferred that the /stream-to-vlc route is exposed on all network interfaces that the Express server listens on, so a remote attacker with network reach to the Zenshin instance could exploit the vulnerability.
Risk and Exploitability
With a CVSS score of 9.8, the vulnerability is severe and provides remote code execution. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and the EPSS score of 2% indicates a low but nonzero exploitation probability. An attacker can craft a request to /stream-to-vlc?url=COMMAND; because the application spawns a shell, this is a straightforward exploitation path. Therefore, any Zenshin instance exposed to untrusted users should be hardened immediately.
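The mitigation pattern for this class of bug (CWE-78), shown as an added example that is not Zenshin's code or its actual fix: validate the url value as an http(s) URL and start the player with an argument array and no shell. The function names, the 2048-character limit and the default player path `vlc` are assumptions made for illustration.

```javascript
// Added example. Helper names are hypothetical; this is not Zenshin's code.
// Risky pattern (generic): exec(`vlc "${req.query.url}"`) lets the shell parse the value.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Validate the query value and return an argv array for the player.
function buildVlcArgs(rawUrl) {
  // Express yields arrays/objects for ?url=a&url=b or ?url[x]=y; accept strings only.
  if (typeof rawUrl !== 'string' || rawUrl.length === 0 || rawUrl.length > 2048) {
    throw new TypeError('url must be a non-empty string of at most 2048 characters');
  }
  let parsed;
  try {
    parsed = new URL(rawUrl); // rejects relative or malformed input
  } catch {
    throw new TypeError('url is not a valid absolute URL');
  }
  // Scheme allowlist; it also guarantees the argument cannot begin with "-"
  // and be read by the player as a command-line option.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    throw new TypeError(`scheme ${parsed.protocol} is not allowed`);
  }
  return [parsed.href]; // one argv element, normalised by the URL parser
}

// Start the player without a shell: metacharacters in the URL stay literal.
function launchVlc(rawUrl, vlcPath = 'vlc') {
  const { spawn } = require('node:child_process'); // loaded on first use
  const child = spawn(vlcPath, buildVlcArgs(rawUrl), { shell: false, stdio: 'ignore' });
  child.on('error', (err) => console.error('player failed to start:', err.message));
  return child;
}

// Express-style handler factory; `launch` is injectable so it can be tested.
function makeStreamToVlcHandler(launch = launchVlc) {
  return (req, res) => {
    try {
      buildVlcArgs(req.query.url); // validate before any process is created
    } catch (err) {
      return res.status(400).json({ error: err.message });
    }
    launch(req.query.url);
    return res.status(202).json({ status: 'launching' });
  };
}
```

Binding the Express server to the loopback interface instead of all interfaces narrows who can reach the route at all, independent of this input handling.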