{"vulnerability": "CVE-2026-50874", "sightings": [{"uuid": "ed9aaed0-d953-447f-8e8f-c1cfd68169dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50874", "type": "seen", "source": "https://gist.github.com/pyuysig/7df16c08213f809592bbc7053c079aba", "content": "# Vulnerability Report: CVE-2026-50874 - Shaark - Archive feature binary path settings can lead to command injection\n\n## Vulnerability Summary\nShaark 1.2.44 contains an OS command injection issue in archive feature checks. An authenticated administrator can set archive binary settings such as node_bin or youtube_dl_bin to a shell metacharacter payload and then trigger the media or PDF feature check endpoint, leading to command execution.\n\n## Affected Product\n- **Vendor**: MarceauKa\n- **Product**: Shaark\n- **Version**: 1.2.44\n- **Vulnerable Component**: archive settings for node_bin and youtube_dl_bin, GET /api/manage/features/pdf, GET /api/manage/features/media\n\n## Vulnerability Details\n- **Vulnerability Type**: OS Command Injection\n- **Weakness**: CWE-78\n- **Attack Conditions**: Remote authenticated administrator updates archive binary settings and triggers GET /api/manage/features/pdf or GET /api/manage/features/media.\n\n## Report Body\n\n### Summary\nShaark 1.2.44 contains an OS command injection issue in archive feature checks. An authenticated administrator can set archive binary settings such as node_bin or youtube_dl_bin to a shell metacharacter payload and then trigger the media or PDF feature check endpoint, leading to command execution.\n\n### Details\nThe application stores administrator-controlled binary path settings and later invokes those values during archive feature checks. Shell metacharacters in the configured path can be interpreted by the execution path.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50874.\n3. Confirm the security result: Setting node_bin or youtube_dl_bin to a command payload and triggering the feature check causes the payload to execute.\n\n### Impact\nCommand execution by an authenticated administrator through archive feature configuration and checks.\n\n## Remediation\nTreat configured executable paths as data, validate them against trusted paths, and execute without shell interpretation.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:40.000000Z"}]}