Description
A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Patch
AI Analysis

Impact

The vulnerability resides in the checkBin function of the fileThumb endpoint in kalcaddle kodbox 1.64, enabling an attacker to inject operating‑system commands. The weakness is classified as OS Command Injection (CWE‑77, CWE‑78). Successful exploitation allows the attacker to execute arbitrary commands on the target server, potentially compromising confidentiality, integrity, and availability of the system.

Affected Systems

Vendor kalcaddle’s kodbox platform, specifically version 1.64, contains the fileThumb plugin with the vulnerable checkBin endpoint.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity, while the EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog. The design of the flaw permits remote exploitation without authentication, and a publicly available exploit has already been released. This combination of remote, unauthenticated access, public exploit, and the potential for arbitrary code execution elevates the practical risk to a significant level for any unpatched system.

Generated by OpenCVE AI on March 23, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑issued patch or upgrade to a corrected version of kalcaddle kodbox that eliminates the vulnerable checkBin function.
  • If a patch is not immediately available, disable or uninstall the fileThumb plugin or block access to the affected endpoint.
  • Restrict network traffic to the application by firewall or access‑control rules so that only trusted hosts can reach the vulnerable endpoint.
  • Continuously monitor web server logs for anomalous request patterns that might indicate attempted command injection attacks.

Generated by OpenCVE AI on March 23, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Kalcaddle
Kalcaddle kodbox
Vendors & Products Kalcaddle
Kalcaddle kodbox

Mon, 23 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title kalcaddle kodbox fileThumb Endpoint app.php checkBin os command injection
Weaknesses CWE-77
CWE-78
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Kalcaddle Kodbox
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T15:56:36.807Z

Reserved: 2026-03-22T11:40:29.907Z

Link: CVE-2026-4591

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-03-23T16:16:52.750

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4591

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:27:57Z

Weaknesses