Cyber Posture

CVE-2025-70831

Critical

Published: 20 February 2026

Modified: 26 February 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.3th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A Remote Code Execution (RCE) vulnerability was found in Smanga 3.2.7 in the /php/path/rescan.php interface. The application fails to properly sanitize user-supplied input in the mediaId parameter before using it in a system shell command. This allows an unauthenticated attacker to inject arbitrary operating system commands, leading to complete server compromise.

Mitigating Controls (NIST 800-53 r5) · AI

[prevent] SI-10 mandates validation and sanitization of user-supplied inputs such as the mediaId parameter before use in system commands, directly preventing OS command injection.

[prevent] SI-2 requires timely identification, reporting, and correction of flaws like this command injection vulnerability through patching Smanga 3.2.7.

[prevent, detect] SC-7 enforces boundary protection, such as a web application firewall, that can inspect and block malicious mediaId inputs attempting command injection.
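
One way to apply the SI-10 control to this class of bug, as an added example that is not Smanga's code or the advisory's: it validates mediaId to an integer and starts the process without a shell. It assumes mediaId is a positive integer key and targets PHP 8.0+ on a Unix host; the worker path, the function names and the request array are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Smanga code. Assumptions: mediaId is a positive integer
// key, and the rescan work lives in a separate worker script (hypothetical path).
const RESCAN_WORKER = '/opt/app/bin/rescan-worker.php'; // hypothetical

/** Return mediaId as an int, or null when it is not a plain positive integer. */
function parse_media_id(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // e.g. mediaId[]=1 arrives as an array
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Start the worker without a shell: the array form of proc_open (PHP >= 7.4)
 *  passes each element as one argv entry, so metacharacters are never parsed. */
function run_rescan(int $mediaId): int
{
    $null = ['file', '/dev/null', 'w'];
    $proc = proc_open([PHP_BINARY, RESCAN_WORKER, (string) $mediaId],
                      [1 => $null, 2 => $null], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start rescan worker');
    }
    return proc_close($proc); // worker exit code
}

/** Request handler: validate first, log rejects for detection, then run. */
function handle_rescan(array $request): int
{
    $raw = $request['mediaId'] ?? null;
    $mediaId = parse_media_id($raw);
    if ($mediaId === null) {
        // json_encode keeps newlines and control bytes out of the log line
        error_log('rescan: rejected mediaId ' . json_encode($raw, JSON_INVALID_UTF8_SUBSTITUTE));
        return 400; // HTTP status for the caller to send
    }
    return run_rescan($mediaId) === 0 ? 200 : 500;
}

// Constructed inputs: one well-formed id and four malformed values.
foreach (['42', '42;id', '$(id)', '', ['42']] as $sample) {
    printf("%-10s => %s\n", json_encode($sample), var_export(parse_media_id($sample), true));
}
```

The rejected-input log line gives defenders a signal to alert on when requests to the rescan endpoint carry a non-numeric mediaId.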

Security Summary · AI

CVE-2025-70831 is a Remote Code Execution (RCE) vulnerability in Smanga 3.2.7, affecting the /php/path/rescan.php interface. The issue stems from the application's failure to properly sanitize user-supplied input in the mediaId parameter before incorporating it into a system shell command, enabling OS command injection as classified under CWE-78. Published on 2026-02-20, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying malicious input to the mediaId parameter, they can inject arbitrary operating system commands, achieving complete server compromise including high confidentiality, integrity, and availability impacts.

Mitigation details and additional information are available in the referenced advisory at https://github.com/LX-66-LX/cve/issues/5.

Details

CWE(s)

Affected Products

lkw199711 · smanga · 3.2.7

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability is an unauthenticated RCE via OS command injection (CWE-78) in a public-facing web application endpoint, directly enabling T1190 (Exploit Public-Facing Application) and facilitating arbitrary command execution via T1059.004 (Unix Shell) in a PHP-based system shell context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
