Cyber Resilience

CVE-2026-2333

CriticalRCE

Published: 20 February 2026

Published
20 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v4 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0103 59.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-2333 is a critical-severity Command Injection (CWE-77) vulnerability in Owlcyberdefense Opds-Talon. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2333, published on 2026-02-20, is a command injection vulnerability (CWE-77) affecting Owl opds version 2.2.0.4. The issue arises from improper neutralization of special elements used in a command, which allows attackers to inject malicious commands via a crafted network request. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.

Remote attackers can exploit this vulnerability over the network with low attack complexity, without requiring authentication, privileges, or user interaction. Successful exploitation enables arbitrary command execution on the affected system, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to full system compromise.

Mitigation details are available in the vendor advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-2333.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated command injection in a network-facing application directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary command execution via T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26093Same product: Owlcyberdefense Opds-100
CVE-2026-26102Same product: Owlcyberdefense Opds-100
CVE-2026-26101Same product: Owlcyberdefense Opds-100
CVE-2026-44869Shared CWE-77
CVE-2026-44866Shared CWE-77
CVE-2025-57685Shared CWE-77
CVE-2025-60021Shared CWE-77
CVE-2025-67728Shared CWE-77
CVE-2025-24818Shared CWE-77
CVE-2024-54794Shared CWE-77

Affected Assets

owlcyberdefense
opds-talon
2.2.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates command injection by requiring validation and neutralization of special elements in crafted network requests.

prevent

Requires timely identification, reporting, and patching of the specific command injection flaw in Owl opds 2.2.0.4.

prevent

Enforces restrictions on information inputs from network requests to block malicious payloads containing special command elements.

References