{"uuid": "88d1253f-b390-45a0-ae42-9be39455bc7d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50871", "type": "seen", "source": "https://gist.github.com/pyuysig/01f00b5d7575f5a776b1f132ef9ecb46", "content": "# Vulnerability Report: CVE-2026-50871 - Reminiscence - Authenticated Windows media archiving command injection\n\n## Vulnerability Summary\nkanishka-linux Reminiscence 0.3.0 contains an OS command injection issue in the Windows media archiving and export pipeline. An authenticated user can store a crafted download_manager value and then trigger media archiving or Chromium export processing, leading to command execution on Windows deployments.\n\n## Affected Product\n- **Vendor**: kanishka-linux\n- **Product**: Reminiscence\n- **Version**: 0.3.0 on Windows deployments\n- **Vulnerable Component**: pages/views.py settings update handler, UserSettings.download_manager, pages/dbaccess.py media archiving and Chromium export subprocess helpers\n\n## Vulnerability Details\n- **Vulnerability Type**: OS Command Injection\n- **Weakness**: CWE-78\n- **Attack Conditions**: Remote authenticated user stores a crafted download_manager value and triggers a media URL or export operation that reaches the Windows shell execution path.\n\n## Report Body\n\n### Summary\nkanishka-linux Reminiscence 0.3.0 contains an OS command injection issue in the Windows media archiving and export pipeline. An authenticated user can store a crafted download_manager value and then trigger media archiving or Chromium export processing, leading to command execution on Windows deployments.\n\n### Details\nThe application stores a user-controlled download_manager setting and later uses it in media archiving or export helper execution. On Windows, the execution path allows shell metacharacters in that stored value to influence command execution.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50871.\n3. Confirm the security result: A crafted download_manager value is persisted by an authenticated account and later interpreted when the application processes media archiving or export work, causing attacker-controlled command execution on Windows.\n\n### Impact\nAuthenticated command execution on affected Windows deployments.\n\n## Remediation\nDo not execute user-configurable command paths through a shell. Restrict download manager choices to trusted binaries and pass arguments as an argv array without shell interpretation.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:36.000000Z"}