CVE-2026-2184
Published: 08 February 2026
Summary
CVE-2026-2184 is a medium-severity Command Injection (CWE-77) vulnerability in Greatdevelopers Certificate. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 5.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
A vulnerability has been identified in the Great Developers Certificate Generation System through commit 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. The issue resides in an unspecified portion of the file /restructured/csv.php, where manipulation of the photo argument permits OS command injection. The flaw is tracked under CWE-77 and CWE-78, carries a CVSS 4.0 score of 6.9, and can be triggered remotely; the project follows a rolling release model with no specific version identifiers available, and its repository has shown no activity for several years.
An unauthenticated remote attacker can supply a crafted photo parameter to the affected endpoint and execute arbitrary operating system commands on the underlying server, resulting in limited impacts to confidentiality, integrity, and availability without requiring user interaction or elevated privileges.
Public references, including a detailed disclosure on GitHub and entries in Vuldb, do not describe vendor patches or configuration workarounds. The associated EPSS score rose from a low baseline to a peak of 0.0123 on 2026-02-14 before receding to 0.0007, indicating a temporary increase in exploitation interest shortly after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5766
Vulnerability details
A vulnerability was detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This vulnerability affects unknown code of the file /restructured/csv.php. The manipulation of the argument photo results in OS command injection. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The code repository of the project has not been active for many years.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in a public-facing web component (/restructured/csv.php) directly enables remote arbitrary command execution (T1190) through a shell interpreter (T1059).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Validates the photo argument in csv.php to reject malicious input that would otherwise produce OS command injection.
- Restricts privileges of the web-server process so that even a successful injection yields only limited OS command effects.
- Monitors for anomalous command execution or unexpected child processes spawned by the affected PHP endpoint.
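The following PHP is an added illustration, not code from the Greatdevelopers Certificate project: the advisory names /restructured/csv.php and its photo argument but not the affected code, so the unsafe pattern is a constructed stand-in, placed beside the SI-10 style validation and argument quoting that the first mitigating control above describes. The photos/ directory, the convert command and the sample inputs are assumptions; str_starts_with requires PHP 8.0 or later.

```php
<?php
// Added illustration, not the Greatdevelopers Certificate project's code: the advisory
// names /restructured/csv.php and its photo argument but not the affected code.
declare(strict_types=1);
// Unsafe pattern (CWE-78): a request parameter is concatenated into a shell
// command, so shell metacharacters inside $photo are interpreted by the shell.
function render_unsafe(string $photo): string
{
    return (string) shell_exec('convert photos/' . $photo . ' -resize 200x200 out.png');
}

// SI-10 step 1: allowlist the value's syntax. Only a plain image file name passes;
// separators, quotes, pipes and path components are rejected before any command exists.
function is_allowed_photo_name(string $photo): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g)\z/', $photo) === 1;
}

// Step 2: resolve the name inside the intended directory and confirm the canonical
// path stays under it (also defeats symlink-based escapes).
function resolve_photo_path(string $photo, string $baseDir): ?string
{
    if (!is_allowed_photo_name($photo)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $photo);
    if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Hardened handler: reject early, then quote the one argument that still reaches
// the shell so an accepted value can never be parsed as shell syntax.
function render_safe(string $photo, string $baseDir): string
{
    $path = resolve_photo_path($photo, $baseDir);
    if ($path === null) {
        http_response_code(400);
        return '';
    }
    return (string) shell_exec('convert ' . escapeshellarg($path) . ' -resize 200x200 out.png');
}

// Constructed sample inputs: only the first passes the allowlist.
foreach (['alice.png', 'a;b.png', '../../etc/passwd', 'x.png|y'] as $p) {
    printf("%-18s => %s\n", $p, is_allowed_photo_name($p) ? 'accepted' : 'rejected');
}
```

The allowlist check runs before any file system or shell access, which is what makes the rejection observable as a 400 response rather than as a spawned child process; the monitoring control above covers the case where such a check is absent.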