CVE-2026-1192
Published: 19 January 2026
Summary
CVE-2026-1192 is a medium-severity Injection (CWE-74) vulnerability in Tosei-Corporation Online Store Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 16.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1192 is a command injection vulnerability in Tosei Online Store Management System (ネット店舗管理システム) version 1.01. The flaw resides in an unspecified function within the file /cgi-bin/imode_alldata.php, where unsanitized input to the DevId argument allows arbitrary command execution. It is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 score of 6.9, reflecting that it can be attacked over the network without authentication or user interaction.
Remote, unauthenticated attackers can supply crafted DevId values to execute operating-system commands on the affected system, resulting in limited but direct effects on confidentiality, integrity, and availability. The attack requires no privileges and can be launched over the network, with a publicly available exploit already disclosed.
The vendor was notified prior to publication but provided no response or patch. Public references on Vuldb document the issue and the proof-of-concept submission, while offering no official mitigation guidance; standard defenses such as input validation, web-application firewalls, or restricting access to the CGI endpoint would be required until a fix is released.
The associated EPSS score has risen from a low baseline to a recorded peak of 0.0265, indicating measurable growth in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3492
Vulnerability details
A vulnerability was determined in Tosei Online Store Management System ネット店舗管理システム 1.01. The affected element is an unknown function of the file /cgi-bin/imode_alldata.php. Executing a manipulation of the argument DevId can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in public-facing PHP CGI script directly enables remote exploitation of web apps (T1190) and arbitrary Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly validates and sanitizes inputs such as the DevId argument to prevent command injection through the vulnerable PHP script.
- SI-2 (Flaw Remediation): mandates identification, reporting, and timely remediation of the specific command injection flaw in Tosei Online Store Management System version 1.01.
- SC-7 (Boundary Protection): enforces boundary protection at web interfaces to filter and block malicious DevId payloads targeting the /cgi-bin/imode_alldata.php endpoint.
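Until a vendor fix exists, the defenses named above (input validation on DevId and filtering at the web boundary) can be checked from the web server's own access logs. The following is an added example written for this page, not code from Tosei or VulDB: it scans Apache combined-format log lines for requests to /cgi-bin/imode_alldata.php whose DevId value falls outside a strict allowlist. The allowlist shape (1 to 32 alphanumeric characters) and the sample log lines are assumptions constructed for illustration; adjust the allowlist to whatever DevId values the deployment legitimately uses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jan/2026:10:00:01 +0000] "GET /cgi-bin/imode_alldata.php?DevId=0123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Jan/2026:10:00:02 +0000] "GET /cgi-bin/imode_alldata.php?DevId=0123%3Bid HTTP/1.1" 200 734 "-" "curl/8.0"
198.51.100.7 - - [19/Jan/2026:10:00:03 +0000] "GET /index.php?page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

VULN_PATH = "/cgi-bin/imode_alldata.php"
# Assumed allowlist for a legitimate DevId. An allowlist (rather than a denylist of
# shell metacharacters) is also what SI-10 input validation in the script should enforce.
DEVID_OK = re.compile(r"[A-Za-z0-9]{1,32}")


def devid_is_valid(value: str) -> bool:
    """True only if the whole value matches the allowlist pattern."""
    return DEVID_OK.fullmatch(value) is not None


def inspect_line(line: str):
    """Return a finding dict for a suspicious request to the vulnerable path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes values, so an encoded "%3B" is inspected as ";".
    values = parse_qs(parts.query, keep_blank_values=True).get("DevId", [])
    bad = [v for v in values if not devid_is_valid(v)]
    if not bad:
        return None
    return {"ip": m["ip"], "time": m["ts"], "devid": bad, "status": m["status"]}


def scan(log_text: str):
    """Scan a whole log and return the list of findings (only GET query strings are visible here)."""
    return [hit for hit in map(inspect_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} DevId={hit['devid']} status={hit['status']}")
```

A status of 200 on a flagged line is the more worrying case, since it means the request reached the script rather than being rejected at the boundary.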