CVE-2026-26093
Published: 20 February 2026
Description
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates command injection by requiring validation and sanitization of untrusted network inputs used in commands.
Addresses the specific flaw in Owl OPDS 2.2.0.4 by requiring timely remediation such as patching to eliminate the vulnerability.
Enforces boundary protections like web application firewalls to block or detect crafted network requests attempting command injection.
Security SummaryAI
CVE-2026-26093 is a command injection vulnerability (CWE-77) affecting Owl OPDS version 2.2.0.4, caused by improper neutralization of special elements used in a command. Published on 2026-02-20, the flaw enables command injection through a crafted network request.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low attack complexity, no privileges, authentication, or user interaction required, and unchanged impact scope. Any unauthenticated attacker can send a malicious request to inject and execute arbitrary commands, resulting in high confidentiality, integrity, and availability impacts, such as full system compromise.
Mitigation details are available in the Nozomi Networks vulnerability advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26093.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-26093 is a command injection vulnerability in a network-facing application (Owl OPDS), enabling unauthenticated remote code execution, directly mapping to T1190: Exploit Public-Facing Application.