VYPR
High severity8.1NVD Advisory· Published May 26, 2026· Updated May 27, 2026

CVE-2026-48695

CVE-2026-48695

Description

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php (lines 107-108) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo date \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). This is identical in pattern to the Juniper plugin vulnerability. The $msg variable contains unsanitized attack data from command-line arguments. An attacker who can influence argv[] values can inject arbitrary shell commands. The fix is to replace exec() with file_put_contents() or use escapeshellarg().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • FastNetMon/fastnetmonreferences3 versions
    (expand)+ 2 more
    • (no CPE)
    • cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*range: <=1.2.9
    • (no CPE)range: <=1.2.9

Patches

Vulnerability mechanics

References

2

News mentions

1