Cyber Resilience

CVE-2026-1066

Severity: Medium

Published: 17 January 2026

Modified: 27 February 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v4): 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0504 (91.2nd percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-1066 is a medium-severity Injection (CWE-74) vulnerability in Kodcloud Kodbox. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.8% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

A vulnerability has been identified in kalcaddle kodbox versions up to 1.61.10 within the Compression Handler component. The issue resides in the processing of the /?explorer/index/zip endpoint, where improper handling of input enables command injection, tracked under CWE-74 and CWE-77. The flaw is remotely exploitable, and its CVSS 4.0 score of 5.3 reflects limited impacts on confidentiality, integrity, and availability given that low-privileged access is required.

An attacker with network access and low privileges can supply crafted input to the affected endpoint, resulting in arbitrary command execution on the server. The vendor was notified prior to disclosure but provided no response, and a public exploit is now available that demonstrates the injection.

The associated EPSS score started low after the January 2026 publication, rose materially to a peak of 0.0174 on 2026-02-18, and has since receded to 0.0006, indicating a temporary increase in exploitation interest following public release of the proof-of-concept. No vendor patches or official mitigation guidance appear in the referenced disclosures.

Vulnerability details

A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Command injection in a public-facing web application (the kodbox explorer/zip handler) directly enables remote exploitation (T1190) and arbitrary command execution through the shell interpreter (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1414 (shared CWE-74, CWE-77)
CVE-2025-15133 (shared CWE-74, CWE-77)
CVE-2026-2956 (shared CWE-74, CWE-77)
CVE-2025-15132 (shared CWE-74, CWE-77)
CVE-2026-8344 (shared CWE-74, CWE-77)
CVE-2026-7058 (shared CWE-74, CWE-77)
CVE-2025-8752 (shared CWE-74, CWE-77)
CVE-2025-0328 (shared CWE-74, CWE-77)
CVE-2025-10962 (shared CWE-74, CWE-77)
CVE-2025-1845 (shared CWE-74, CWE-77)

Affected Assets

kodcloud kodbox ≤ 1.61.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and neutralization of untrusted input to the /?explorer/index/zip Compression Handler endpoint, blocking the command-injection payload before execution.

AC-6 Least Privilege (prevent): Enforces least-privilege execution for the kodbox web process, limiting the scope of arbitrary commands an attacker can successfully run after exploiting the injection.

Least functionality (prevent): Restricts unnecessary or high-risk functionality such as the zip compression handler, reducing the attack surface that the public exploit targets.
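The following is an added example of the SI-10 neutralization pattern the first control describes; it is not code from this page or from the kodbox project, and the page does not say which parameter of the zip endpoint is injected. It assumes a hypothetical data root (`/srv/kodbox/data`), hypothetical function names, and an external `zip` tool invoked via an argument vector. The point it demonstrates is the general one for CWE-77: validate every user-supplied name against an allowlist, confine it to the intended directory, and never build a shell command string from it.

```python
import re
from pathlib import Path

# Hypothetical data root for the file manager (constructed for this example).
DATA_ROOT = Path("/srv/kodbox/data")

# Allowlist for archive and entry names: plain file names only. Shell
# metacharacters, newlines, path separators and leading dots (so "..") never
# match, so they are rejected before any process is spawned.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,254}$")


def validate_entry(name: str, root: Path = DATA_ROOT) -> Path:
    """Return the resolved path of `name` under `root`, or raise ValueError."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected name: {name!r}")
    root = root.resolve()
    candidate = (root / name).resolve()
    # Belt and braces: even a name that passed the regex must stay inside root.
    if not candidate.is_relative_to(root):
        raise ValueError(f"path escapes data root: {name!r}")
    return candidate


def build_zip_argv(archive_name: str, entries, root: Path = DATA_ROOT):
    """Build an argument vector for an external zip tool, with no shell.

    The vulnerable pattern this replaces is string concatenation handed to a
    shell, e.g. f"zip -r {archive} {' '.join(entries)}" with shell=True,
    where a name such as "a; id" becomes a second command.
    """
    archive = validate_entry(archive_name, root)
    paths = [validate_entry(e, root) for e in entries]
    # "--" ends option parsing so a validated name can never be read as a flag.
    return ["zip", "-r", "--", str(archive), *(str(p) for p in paths)]


def is_safe_request(archive_name: str, entries, root: Path = DATA_ROOT) -> bool:
    """True if the request would be accepted by the validation above."""
    try:
        build_zip_argv(archive_name, entries, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one benign, three that must be refused.
    print(build_zip_argv("backup.zip", ["report.pdf", "notes.txt"]))
    for bad in (["report.pdf; id"], ["../etc/passwd"], ["$(whoami)"]):
        print(bad, "->", is_safe_request("backup.zip", bad))
```

The argument vector would be passed to `subprocess.run(argv)` (no `shell=True`); because the interpreter never sees the names, metacharacters lose their meaning even if the allowlist were loosened later. AC-6 applies on top of this: the process that runs `zip` should be the unprivileged web user, so that a validation miss still yields only that user's permissions.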
