CVE-2026-50871

An authenticated attacker on a Windows deployment submits a crafted `download_manager` value containing command separators (e.g., `&`, `|`, or `;`) via the settings update endpoint. When the victim (or the attacker themselves) triggers media archiving or export, the stored value is formatted with URL and output fields and executed through a Windows shell subprocess with `shell=True` [ref_id=1]. The injected command runs with the privileges of the Reminiscence server process.

The vulnerability resides in `pages/views.py` (settings update flow) and `pages/dbaccess.py` (media archiving/export helpers). The settings endpoint accepts `req_set_settings=yes` and stores the user-supplied `download_manager` value without validation. Later, the archiving and export helpers format that stored value with `{iurl}` and `{output}` fields and pass the resulting string to a Windows subprocess with `shell=True`.

The advisory does not include a published patch. The recommended remediation is to validate that the `download_manager` setting is a safe executable path and argument template before it is stored, and to avoid using `shell=True` when invoking the subprocess on Windows [ref_id=1]. Without these changes, any authenticated user who can save the setting can achieve arbitrary command execution.

Log in to Reminiscence 0.3.0 on a Windows deployment as a user who can update personal settings. Submit the settings update path with `req_set_settings=yes` and set `download_manager` to a value containing a command separator followed by a harmless marker command. Add or archive a URL through a feature that invokes the configured download manager and formats `{iurl}` and `{output}` into the command string. Let the archiving or export action run under the server process. Observe the marker command execute, for example by creation of a marker file under a path writable by the Reminiscence process [ref_id=1].