CVE-2026-10550
Description
eladmin versions up to 2.7 are vulnerable to second-order command injection via the uploadPath parameter, allowing low-privileged users to achieve RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A second-order stored command injection vulnerability exists in the application deployment module of elunez eladmin up to version 2.7 [1]. The affected code spans App.java, whose path fields are not validated, and the DeployServiceImpl.deployApp() and ExecuteShellUtil.execute() methods that build and run the shell commands. Because the only input validation is a prefix check, low-privileged users can bypass it on fields like uploadPath, deployPath, and backupPath by appending shell metacharacters [1].
Exploitation
An attacker with low privileges (requiring app:add or app:edit permissions) can exploit this vulnerability. The attacker first sends a POST request to /api/app to create an application configuration, injecting shell metacharacters such as newlines (\n) or command substitution ($()) into path fields like uploadPath. This payload is stored in the database. Later, when an administrator or an automated pipeline triggers the deployment process via POST to /api/deploy/deploy, the backend concatenates the poisoned path fields into shell commands, which are then executed via interactive SSH shells [1].
Impact
Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) with high privileges. When a deployment is triggered, the concatenated shell commands, including the attacker's payload, are executed on the server. This can lead to unauthorized command execution and privilege escalation on the affected system [1].
Mitigation
The vulnerability is fixed in eladmin versions after 2.7. Users should update to a patched version. No specific patch release date is available in the provided references. Workarounds or specific mitigation steps beyond updating are not disclosed in the available references. The project was informed early but has not responded [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
139d480938d27 · v2.7 version release
6 files changed · +11 −11
eladmin-common/pom.xml+1 −1 modified@@ -5,7 +5,7 @@ <parent> <artifactId>eladmin</artifactId> <groupId>me.zhengjie</groupId> - <version>2.6</version> + <version>2.7</version> </parent> <modelVersion>4.0.0</modelVersion> <properties>
eladmin-generator/pom.xml+2 −2 modified@@ -5,7 +5,7 @@ <parent> <artifactId>eladmin</artifactId> <groupId>me.zhengjie</groupId> - <version>2.6</version> + <version>2.7</version> </parent> <modelVersion>4.0.0</modelVersion> @@ -20,7 +20,7 @@ <dependency> <groupId>me.zhengjie</groupId> <artifactId>eladmin-common</artifactId> - <version>2.6</version> + <version>2.7</version> </dependency> <!--模板引擎-->
eladmin-logging/pom.xml+2 −2 modified@@ -5,7 +5,7 @@ <parent> <artifactId>eladmin</artifactId> <groupId>me.zhengjie</groupId> - <version>2.6</version> + <version>2.7</version> </parent> <modelVersion>4.0.0</modelVersion> @@ -16,7 +16,7 @@ <dependency> <groupId>me.zhengjie</groupId> <artifactId>eladmin-common</artifactId> - <version>2.6</version> + <version>2.7</version> </dependency> </dependencies> </project> \ No newline at end of file
eladmin-system/pom.xml+3 −3 modified@@ -5,7 +5,7 @@ <parent> <artifactId>eladmin</artifactId> <groupId>me.zhengjie</groupId> - <version>2.6</version> + <version>2.7</version> </parent> <modelVersion>4.0.0</modelVersion> @@ -23,7 +23,7 @@ <dependency> <groupId>me.zhengjie</groupId> <artifactId>eladmin-generator</artifactId> - <version>2.6</version> + <version>2.7</version> <exclusions> <exclusion> <groupId>me.zhengjie</groupId> @@ -36,7 +36,7 @@ <dependency> <groupId>me.zhengjie</groupId> <artifactId>eladmin-tools</artifactId> - <version>2.6</version> + <version>2.7</version> </dependency> <!-- Spring boot websocket -->
eladmin-tools/pom.xml+2 −2 modified@@ -5,7 +5,7 @@ <parent> <artifactId>eladmin</artifactId> <groupId>me.zhengjie</groupId> - <version>2.6</version> + <version>2.7</version> </parent> <modelVersion>4.0.0</modelVersion> @@ -23,7 +23,7 @@ <dependency> <groupId>me.zhengjie</groupId> <artifactId>eladmin-logging</artifactId> - <version>2.6</version> + <version>2.7</version> </dependency> <!--邮件依赖-->
pom.xml+1 −1 modified@@ -7,7 +7,7 @@ <groupId>me.zhengjie</groupId> <artifactId>eladmin</artifactId> <packaging>pom</packaging> - <version>2.6</version> + <version>2.7</version> <modules> <module>eladmin-common</module>
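Review bot: none of these hunks touches App.java, DeployServiceImpl.java or ExecuteShellUtil.java, the files the advisory identifies; every changed line is a `<version>2.6</version>` to `<version>2.7</version>` bump in a pom.xml, so this commit records the 2.7 release and does not by itself show a change to path-field validation or command construction that would close the injection. Linking the actual code change, or stating that 2.7 is still affected as the description says, would keep readers from taking this release commit as the fix.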
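Review bot: the eladmin-generator, eladmin-logging, eladmin-system and eladmin-tools hunks each hard-code the sibling module version (`<version>2.7</version>` under the `me.zhengjie` dependencies), which is why a single release bump touches six files; using `${project.version}` for intra-project dependencies would reduce the next bump to the one-line change in the root pom.xml.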
Vulnerability mechanics
Root cause
"The system fails to properly validate and sanitize user-supplied input for file paths and script commands, leading to command injection."
Attack vector
A low-privileged user with app:add or app:edit permissions can exploit this vulnerability. The attacker crafts a malicious payload by appending shell metacharacters, such as newlines or command substitution, to fields like `uploadPath`. This payload bypasses weak prefix validations and is stored in the database. Later, when an administrator or an automated process triggers the deployment, the system concatenates these poisoned paths into shell commands and executes them via an interactive SSH shell, resulting in remote code execution [ref_id=1].
Affected code
The vulnerability resides in the Application Deployment Module, specifically within the `App.java` file which lacks proper validation for fields like `uploadPath`. The `DeployServiceImpl.java` file contains unsafe command execution by directly concatenating user input into commands like `mkdir -p` and executing scripts. The `ExecuteShellUtil.java` file further exacerbates the issue by using a direct shell mechanism (`ChannelShell`) for command execution [ref_id=1].
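The two paragraphs above describe a prefix-only check on path fields that shell metacharacters slip past, and a deploy step that splices those stored fields into commands. The Java class below is an added example, not eladmin's own code and not taken from the advisory: it puts a prefix-only check of that kind beside a strict validator (character allowlist, absolute path, normalized path still under the base directory) and adds an audit helper that flags already-stored records, which matters for a second-order bug where poisoned values may sit in the database before any fix ships. The class and method names, the `/opt/apps` base directory and the sample records are assumptions; the strict check also goes beyond the advisory by rejecting `..` traversal out of the base directory. POSIX path semantics are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example (not eladmin's code): path-field validation and audit for deployment configs. */
public final class PathFieldGuard {

    // Allowlist: letters, digits, '/', '_', '-' and '.'. Everything else (newline,
    // space, '$', '(', ')', ';', '&', '|', backtick, quotes) is rejected outright.
    private static final Pattern SAFE_PATH = Pattern.compile("^[A-Za-z0-9/_.\\-]+$");

    private PathFieldGuard() {}

    /** Prefix-only check of the kind the advisory describes: anything starting with the base passes. */
    static boolean weakPrefixCheck(String value, String base) {
        return value != null && value.startsWith(base);
    }

    /** Strict check: allowlisted characters, absolute, and still under the base after normalization. */
    static boolean strictValidate(String value, String base) {
        if (value == null || !SAFE_PATH.matcher(value).matches()) {
            return false; // rejected before the value ever reaches a Path or a shell
        }
        Path basePath = Paths.get(base).toAbsolutePath().normalize();
        Path candidate = Paths.get(value).normalize(); // collapses "." and ".." segments
        return candidate.isAbsolute() && candidate.startsWith(basePath);
    }

    /** Audit helper: returns "record.field" for every stored value that fails the strict check. */
    static List<String> auditStoredPaths(Map<String, Map<String, String>> records, String base) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, Map<String, String>> rec : records.entrySet()) {
            for (Map.Entry<String, String> field : rec.getValue().entrySet()) {
                if (!strictValidate(field.getValue(), base)) {
                    flagged.add(rec.getKey() + "." + field.getKey());
                }
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        String base = "/opt/apps"; // assumed deployment base directory

        // Constructed sample records standing in for rows of the stored app configuration.
        Map<String, String> okApp = new LinkedHashMap<>();
        okApp.put("uploadPath", "/opt/apps/demo/upload");
        okApp.put("deployPath", "/opt/apps/demo/deploy");
        okApp.put("backupPath", "/opt/apps/demo/backup");

        Map<String, String> badApp = new LinkedHashMap<>();
        badApp.put("uploadPath", "/opt/apps/demo\nx");      // embedded newline
        badApp.put("deployPath", "/opt/apps/$(x)/deploy");  // command substitution syntax
        badApp.put("backupPath", "/opt/apps/../../tmp");    // escapes the base directory

        Map<String, Map<String, String>> records = new LinkedHashMap<>();
        records.put("app-1", okApp);
        records.put("app-2", badApp);

        // Every bad value passes the prefix-only check and fails the strict one.
        for (Map.Entry<String, String> f : badApp.entrySet()) {
            System.out.printf("%-10s weak=%-5s strict=%s%n", f.getKey(),
                    weakPrefixCheck(f.getValue(), base), strictValidate(f.getValue(), base));
        }
        System.out.println("flagged: " + auditStoredPaths(records, base));
    }
}
```

The regex runs before any `Path` is built, so values with control characters never reach the filesystem API; the normalization step is what catches traversal that the allowlist alone would let through. In a real deployment the audit helper would read the app table rather than an in-memory map, and any flagged row should be treated as an indicator that the second-order payload is already stored, independent of whether the deploy endpoint has been triggered yet.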
What the fix does
The patch updates the project version from 2.6 to 2.7 across multiple pom.xml files, indicating a new release. While the commit message signifies a release, the provided diffs do not contain specific code changes that address the identified command injection vulnerability in `App.java` or related service and utility files. The advisory does not specify the exact remediation steps taken in this release.
Preconditions
- Auth: attacker must have low privileges with app:add or app:edit permissions.
- Input: attacker must be able to inject shell metacharacters into path fields like `uploadPath`.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (5)