CVE-2026-2333
Published: 20 February 2026
Description
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.
Mitigating Controls (NIST 800-53 r5) (AI)
Directly mitigates command injection by requiring validation and neutralization of special elements in crafted network requests.
Requires timely identification, reporting, and patching of the specific command injection flaw in Owl opds 2.2.0.4.
Enforces restrictions on information inputs from network requests to block malicious payloads containing special command elements.
Security Summary (AI)
CVE-2026-2333, published on 2026-02-20, is a command injection vulnerability (CWE-77) affecting Owl opds version 2.2.0.4. The issue arises from improper neutralization of special elements used in a command, which allows attackers to inject malicious commands via a crafted network request. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.
Remote attackers can exploit this vulnerability over the network with low attack complexity, without requiring authentication, privileges, or user interaction. Successful exploitation enables arbitrary command execution on the affected system, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to full system compromise.
Mitigation details are available in the vendor advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-2333.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Remote unauthenticated command injection in a network-facing application directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary command execution via T1059 (Command and Scripting Interpreter).