CVE-2026-2944
Published: 22 February 2026
Description
A security flaw has been discovered in Tosei Online Store Management System ネット店舗管理システム 1.01. Affected is the function system of the file /cgi-bin/monitor.php of the component HTTP POST Request Handler. Performing a manipulation of the argument DevId results in OS command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents OS command injection by requiring validation and sanitization of untrusted inputs like the DevId argument in HTTP POST requests to /cgi-bin/monitor.php.
SI-2 mandates timely identification, reporting, and remediation of flaws such as this unpatched command injection vulnerability, potentially through patching, isolation, or decommissioning.
SC-7 provides boundary protection via web application firewalls or proxies to filter and block malicious POST requests targeting the vulnerable /cgi-bin/monitor.php endpoint.
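The SI-10 and SC-7 controls above can be combined into one allowlist check that a filtering proxy or log review could apply to POST requests for /cgi-bin/monitor.php. This is an added example, not code from the vendor or the advisories; the function name, the sample requests and the DevId format (short alphanumeric tokens) are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/cgi-bin/monitor.php"
# Assumption: valid device IDs are short alphanumeric tokens. The page does
# not document the real DevId format, so tune this to the deployment.
DEVID_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,32}")


def check_request(method, path, body):
    """Classify one request as ('ignore' | 'allow' | 'block', reason)."""
    route = unquote(path.split("?", 1)[0])
    on_target = route == TARGET_PATH or route.startswith(TARGET_PATH + "/")
    if method.upper() != "POST" or not on_target:
        return ("ignore", "not a POST to the monitored endpoint")
    # Only form-encoded bodies are parsed; anything else yields no DevId and
    # is blocked, so the filter fails closed.
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("DevId")
    if values is None:
        return ("block", "DevId missing")
    if len(values) != 1:
        # Repeated parameters can make the filter and the backend disagree.
        return ("block", "DevId repeated")
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    if not DEVID_ALLOWED.fullmatch(values[0]):
        return ("block", "DevId outside allowlist")
    return ("allow", "DevId matches allowlist")


# Constructed sample requests (method, path, form-encoded body).
SAMPLES = [
    ("POST", "/cgi-bin/monitor.php", "DevId=A100"),
    ("POST", "/cgi-bin/monitor.php", "DevId=A100%3Bplaceholder"),
    ("POST", "/cgi-bin/monitor.php", "DevId=A100%0A"),
    ("POST", "/cgi-bin/monitor.php", "DevId=A100&DevId=B200"),
    ("POST", "/cgi-bin/monitor.php", "other=1"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        verdict, reason = check_request(method, path, body)
        print(f"{verdict:6} {method} {path} {body!r}: {reason}")
```

An allowlist is used rather than a list of forbidden shell characters because the accepted set can be stated completely, while a denylist has to anticipate every metacharacter and encoding.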
Security Summary
CVE-2026-2944 is an OS command injection vulnerability in the Tosei Online Store Management System (ネット店舗管理システム) version 1.01. The flaw affects the /cgi-bin/monitor.php file within the HTTP POST Request Handler component, where manipulation of the DevId argument enables arbitrary command execution. Mapped to CWE-77 (Command Injection) and CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
The vulnerability can be exploited remotely by unauthenticated attackers sending a specially crafted HTTP POST request with a malicious DevId value, triggering OS command injection on the server. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as executing arbitrary commands to gather information, modify data, or disrupt services, depending on the attacker's privileges and system configuration.
Advisories from VulDB (ctiid.347314, id.347314, submit.754579) and a GitHub issue (CVE-Hunter-Leo/CVE/issues/9) detail the vulnerability, including a publicly released exploit. No patches or vendor responses are available, as the vendor was notified early but did not reply; practitioners should isolate or decommission affected systems and monitor for anomalous POST requests to /cgi-bin/monitor.php.
Notable context includes the public availability of the exploit, increasing the risk of real-world attacks against exposed instances of this management system.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-2944 enables unauthenticated remote exploitation of a public-facing web application (/cgi-bin/monitor.php) via OS command injection in the DevId parameter, directly facilitating T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) for arbitrary command execution.