VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-50874

Description

Reminiscence v0.3.0 OS command injection in /manage/features/media via unsanitized binary path settings allows arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An OS command injection vulnerability exists in the /manage/features/media endpoint of kanishka-linux Reminiscence v0.3.0. The FeaturesController retrieves a configured binary path (such as youtube_dl_bin) and concatenates it with ' --version' before passing the result to exec() without any sanitization or validation. An attacker who can modify these configuration values can inject shell metacharacters into the path, leading to arbitrary command execution [1].

Exploitation

An attacker must already hold administrator or equivalent settings-capable access, since that is what is needed to modify the binary path configuration (e.g., node_bin or youtube_dl_bin). The attacker sets one of these values to a string that includes shell metacharacters and a command (e.g., ; malicious_command). A subsequent GET /manage/features/media makes the application run exec($value . ' --version'); the shell interprets the metacharacters and executes the injected command under the web server user [1]. The issue is therefore an escalation from application-level administrative access to OS command execution on the host.

Impact

Successful exploitation results in arbitrary OS command execution with the privileges of the PHP or web server process. This can lead to full server compromise, data exfiltration, lateral movement, or further exploitation of internal resources [1].

Mitigation

As of the publication date (2026-06-15), no fixed release of Reminiscence is available. The only mitigation is to restrict write access to configuration settings to trusted administrators and to audit the configured binary path values (node_bin, youtube_dl_bin and similar) before and after deployment. No official patch or workaround is provided in the available references [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input validation on the youtube_dl_bin configuration value allows shell metacharacter injection into an exec() call."

Attack vector

An attacker with administrator or settings-capable access can set the `youtube_dl_bin` configuration value to a string containing shell metacharacters (e.g., a semicolon followed by an arbitrary command). When the `/manage/features/media` endpoint is requested, the application concatenates `--version` onto the stored value and passes the result to `exec()`, causing the injected command to execute on the server [1]. The trust boundary break is the jump from application configuration to host shell execution through `exec()` [1].

Affected code

The vulnerability resides in the `/manage/features/media` endpoint of kanishka-linux Reminiscence v0.3.0. The `FeaturesController` loads the attacker-controlled `youtube_dl_bin` configuration value and passes it to `exec($exec . ' --version')` without sanitizing shell metacharacters [1].

What the fix does

The advisory does not include a published patch. The recommended remediation is to constrain the `youtube_dl_bin` configuration value to safe executable paths and to stop passing user-controlled values directly to `exec()` [1]. In practice that means validating the stored value against an allowlist of permitted binary paths (rejecting anything containing whitespace or shell metacharacters) and invoking the binary through an API that does not go through a shell, such as `proc_open()` with an array command, so the value can only ever be argv[0]. If a shell command string must be built, `escapeshellarg()` on the path is the correct primitive; `escapeshellcmd()` is not a substitute, because it escapes the string as a whole rather than quoting it as a single argument, and neither call restricts which binary an administrator may point the setting at.
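The following PHP is an added illustration for this advisory, not Reminiscence's own code and not a published patch. It places the vulnerable pattern the advisory describes (a stored binary path concatenated into an `exec()` string) next to a hardened form that allowlists exact paths per setting and executes without a shell. The settings store, the `ALLOWED_BINARIES` table, the function names and the allowlisted paths are assumptions for the example; the injected command is constructed and deliberately harmless.

```php
<?php
declare(strict_types=1);
// Added illustration for this advisory, not Reminiscence's own code.
// SETTINGS, ALLOWED_BINARIES and the check_* functions are assumed names.

// Constructed stand-in for the application's settings store. The value is the
// attacker-controlled setting from the advisory: a plausible path followed by
// shell metacharacters and an injected command (harmless here: echo).
const SETTINGS = [
    'youtube_dl_bin' => '/usr/bin/youtube-dl; echo INJECTED',
];

// Vulnerable pattern from the advisory. exec() hands the string to /bin/sh -c,
// so ';' terminates the first command and "echo INJECTED --version" runs as a
// second command under the web server user, whether or not youtube-dl exists.
function check_binary_vulnerable(string $setting): string
{
    $value = SETTINGS[$setting] ?? '';
    $output = [];
    exec($value . ' --version', $output, $status);
    return implode("\n", $output);
}

// Hardened replacement (added here; no published patch exists as of this page).
// Per-setting allowlist of exact binary paths; the paths are a deployment-specific
// assumption and would normally live in non-editable configuration.
const ALLOWED_BINARIES = [
    'youtube_dl_bin' => ['/usr/bin/youtube-dl', '/usr/local/bin/youtube-dl'],
    'node_bin'       => ['/usr/bin/node', '/usr/local/bin/node'],
];

// Returns the path only if it is exactly one of the allowlisted paths for that
// setting and is an executable file. A correct path with trailing metacharacters
// fails the exact comparison, so it is rejected before any process is spawned.
function validate_binary_path(string $setting, string $value): ?string
{
    $allowed = ALLOWED_BINARIES[$setting] ?? [];
    if (!in_array($value, $allowed, true)) {
        return null;
    }
    return is_executable($value) ? $value : null;
}

function check_binary_hardened(string $setting): string
{
    $bin = validate_binary_path($setting, SETTINGS[$setting] ?? '');
    if ($bin === null) {
        return 'rejected: binary path is not an allowlisted executable';
    }
    // proc_open() with an array command (PHP >= 7.4) executes the binary
    // directly with no shell, so argv is fixed to [$bin, '--version'].
    $proc = proc_open([$bin, '--version'], [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return 'failed to start';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return trim($out);
}

// Demonstration against the constructed setting.
echo "vulnerable: ", check_binary_vulnerable('youtube_dl_bin'), PHP_EOL;
echo "hardened:   ", check_binary_hardened('youtube_dl_bin'), PHP_EOL;
```

Run on a POSIX host, the vulnerable function's stdout contains the text echoed by the injected command even when `/usr/bin/youtube-dl` is absent, because the shell treats the semicolon as a command separator; the hardened function never reaches `proc_open()` for that value. Exact-path matching is used rather than a character filter on purpose: a regex that merely rejects metacharacters would still let a settings-capable administrator point the setting at any executable on the host.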

Preconditions

  • auth: The attacker must have administrator or equivalent settings-capable access to modify the youtube_dl_bin configuration value.
  • config: The application must be configured to use the affected /manage/features/media endpoint.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)