CVE-2026-2956

MediumPublic PoC

Published: 22 February 2026

Published

22 February 2026

Modified

25 February 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0038 59.3th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in qinming99 dst-admin up to 1.5.0. This affects the function revertBackup of the file /home/restore. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit has…

been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by validating and sanitizing the Name argument in the revertBackup function before command execution.

SI-2 Flaw Remediation good match

prevent

Establishes processes to identify, assess, and remediate flaws like this unpatched command injection in dst-admin up to 1.5.0.

AC-6 Least Privilege partial match

prevent

Reduces impact of exploited command injection by enforcing least privilege on the low-privilege account required for remote access.

Security SummaryAI

CVE-2026-2956 is a command injection vulnerability (CWE-74, CWE-77) affecting qinming99 dst-admin versions up to 1.5.0. The issue lies in the revertBackup function of the /home/restore file, where manipulation of the Name argument allows attackers to inject and execute arbitrary commands.

The vulnerability enables remote exploitation (AV:N) with low attack complexity (AC:L) and requires low privileges (PR:L) but no user interaction (UI:N), with unchanged scope (S:U). Successful exploitation results in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS 3.1 base score of 6.3.

Advisories from VULDB note that the vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are available. An exploit has been publicly released, heightening the potential for real-world attacks. Relevant references include https://fx4tqqfvdw4.feishu.cn/docx/ObYgdtoweowo8Vx4dmuckqC7nBe?from=from_copylink, https://vuldb.com/?ctiid.347323, https://vuldb.com/?id.347323, and https://vuldb.com/?submit.754508.

Details

CWE(s): CWE-74 CWE-77

Affected Products

dst-admin project

dst-admin

≤ 1.5.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

CVE-2026-2956 is a command injection vulnerability in a public-facing web application (/home/restore endpoint), directly enabling T1190 (Exploit Public-Facing Application). It facilitates arbitrary remote command execution, mapping to T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://fx4tqqfvdw4.feishu.cn/docx/ObYgdtoweowo8Vx4dmuckqC7nBe?from=from_copylink
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.347323
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.347323
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.754508
Third Party Advisory, VDB Entry · cna@vuldb.com