CVE-2026-9302 - Vulnerability Details

Description

A vulnerability was determined in 546669204 vps-inventory-monitoring up to 98c00b370668c96ae75e91c15548d9ea113652d9. This issue affects the function eval of the file app/index/command/VpsTest.php of the component VpsTest Console. Executing a manipulation of the argument vf can lead to code injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-05-23

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability originates from an eval call in VpsTest.php where the vf argument is not properly escaped, allowing an attacker to inject and execute arbitrary PHP code. This code injection enables remote code execution, a serious security flaw tracked by CWE-94 and CWE-74.

Affected Systems

Affected systems are the 546669204 vps‑inventory‑monitoring project up to commit 98c00b370668c96ae75e91c15548d9ea113652d9. The product uses a rolling release model, so newer releases may or may not contain the fix, and detailed version information is not disclosed. The vulnerability lies in the VpsTest Console command located at app/index/command/VpsTest.php.

Risk and Exploitability

The CVSS score of 5.3 denotes a moderate severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog; however, the exploit has been publicly disclosed and can be performed remotely. Until a vendor patch is released, the risk remains moderate to high if the service is exposed to untrusted input.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

546669204

vps-inventory-monitoring

affected

Version	Status	Constraints
`98c00b370668c96ae75e91c15548d9ea113652d9`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor’s official patch or update to a version that removes the eval usage once released.
Restrict external access to the VpsTest console or disable the VpsTest command until the patch is applied.
Implement strict input validation or a whitelist for the vf parameter to prevent execution of unintended code.
Monitor logs for suspicious activity and block any identified malicious input.

Generated by OpenCVE AI on May 23, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/546669204/vps-inventory-monitoring/
https://github.com/546669204/vps-inventory-monitoring/issues/36
https://github.com/dntyfate/cve/issues/2
https://vuldb.com/submit/811843
https://vuldb.com/vuln/365249
https://vuldb.com/vuln/365249/cti

History

Sat, 23 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in 546669204 vps-inventory-monitoring up to 98c00b370668c96ae75e91c15548d9ea113652d9. This issue affects the function eval of the file app/index/command/VpsTest.php of the component VpsTest Console. Executing a manipulation of the argument vf can lead to code injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
Title		546669204 vps-inventory-monitoring VpsTest Console VpsTest.php eval code injection
First Time appeared		546669204 546669204 vps-inventory-monitoring
Weaknesses		CWE-74 CWE-94
CPEs		cpe:2.3:a:546669204:vps-inventory-monitoring::::::::
Vendors & Products		546669204 546669204 vps-inventory-monitoring
References		https://github.com/546669204/vps-inventory-monitoring/ https://github.com/546669204/vps-inventory-monitoring/issues/36 https://github.com/dntyfate/cve/issues/2 https://vuldb.com/submit/811843 https://vuldb.com/vuln/365249 https://vuldb.com/vuln/365249/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

546669204 Vps-inventory-monitoring

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-23T13:15:08.864Z

Updated: 2026-05-23T13:15:08.864Z

Reserved: 2026-05-22T17:47:51.515Z

Link: CVE-2026-9302

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T15:15:20Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object