Cyber Resilience

CVE-2026-1192

MediumPublic PoC

Published: 19 January 2026

Published
19 January 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0182 83.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1192 is a medium-severity Injection (CWE-74) vulnerability in Tosei-Corporation Online Store Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1192 is a command injection vulnerability in Tosei Online Store Management System (ネット店舗管理システム) version 1.01. The flaw resides in an unspecified function within the file /cgi-bin/imode_alldata.php, where unsanitized input to the DevId argument allows arbitrary command execution. It is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 score of 6.9 reflecting network attackability without authentication or user interaction.

Remote, unauthenticated attackers can supply crafted DevId values to execute operating-system commands on the affected system, resulting in limited but direct effects on confidentiality, integrity, and availability. The attack requires no privileges and can be launched over the network, with a publicly available exploit already disclosed.

The vendor was notified prior to publication but provided no response or patch. Public references on Vuldb document the issue and the proof-of-concept submission, while offering no official mitigation guidance; standard defenses such as input validation, web-application firewalls, or restricting access to the CGI endpoint would be required until a fix is released.

The associated EPSS score has risen from a low baseline to a recorded peak of 0.0265, indicating measurable growth in exploitation interest after disclosure.

EU & UK References

Vulnerability details

A vulnerability was determined in Tosei Online Store Management System ネット店舗管理システム 1.01. The affected element is an unknown function of the file /cgi-bin/imode_alldata.php. Executing a manipulation of the argument DevId can lead to command injection. The attack can be executed…

more

remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in public-facing PHP CGI script directly enables remote exploitation of web apps (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2944Same product: Tosei-Corporation Online Store Management System
CVE-2026-2194Shared CWE-74, CWE-77
CVE-2026-2218Shared CWE-74, CWE-77
CVE-2026-5103Shared CWE-74, CWE-77
CVE-2026-4203Shared CWE-74, CWE-77
CVE-2026-2135Shared CWE-74, CWE-77
CVE-2026-3661Shared CWE-74, CWE-77
CVE-2026-2615Shared CWE-74, CWE-77
CVE-2026-4207Shared CWE-74, CWE-77
CVE-2025-10628Shared CWE-74, CWE-77

Affected Assets

tosei-corporation
online store management system
1.01

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates and sanitizes inputs like the DevId argument to prevent command injection exploitation in the vulnerable PHP script.

prevent

Mandates identification, reporting, and timely remediation of the specific command injection flaw in Tosei Online Store Management System version 1.01.

prevent

Enforces boundary protection at web interfaces to filter and block malicious DevId payloads targeting the /cgi-bin/imode_alldata.php endpoint.

References