CVE-2026-2333
Published: 20 February 2026
Summary
CVE-2026-2333 is a critical-severity Command Injection (CWE-77) vulnerability in Owlcyberdefense Opds-Talon. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2333, published on 2026-02-20, is a command injection vulnerability (CWE-77) affecting Owl opds version 2.2.0.4. The issue arises from improper neutralization of special elements used in a command, which allows attackers to inject malicious commands via a crafted network request. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.
Remote attackers can exploit this vulnerability over the network with low attack complexity, without requiring authentication, privileges, or user interaction. Successful exploitation enables arbitrary command execution on the affected system, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to full system compromise.
Mitigation details are available in the vendor advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-2333.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7754
Vulnerability details
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated command injection in a network-facing application directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary command execution via T1059 (Command and Scripting Interpreter).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates command injection by requiring validation and neutralization of special elements in crafted network requests.
Requires timely identification, reporting, and patching of the specific command injection flaw in Owl opds 2.2.0.4.
Enforces restrictions on information inputs from network requests to block malicious payloads containing special command elements.