CVE-2026-2533
Published: 16 February 2026
Summary
CVE-2026-2533 is a medium-severity Injection (CWE-74) vulnerability in Yuque (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 15.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A command injection vulnerability has been identified in Tosei Self-service Washing Machine version 4.02. The flaw resides in an unspecified function within the file /cgi-bin/tosei_datasend.php, where improper handling of the adr_txt_1 argument permits arbitrary command execution. The issue is tracked as CVE-2026-2533 and is associated with CWE-74 and CWE-77.
An unauthenticated attacker can exploit the weakness remotely by supplying a crafted value to the affected parameter, resulting in command injection with limited impact on confidentiality, integrity, and availability. Public exploit code has been released, and the CVSS 4.0 score of 6.9 reflects network attack vector, low complexity, and no required privileges or user interaction.
The vendor was notified prior to disclosure but provided no response. The EPSS score remains flat at 0.0218 with no observed increase since publication, indicating limited evidence of emerging exploitation interest at this time.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6128
Vulnerability details
A flaw has been found in Tosei Self-service Washing Machine 4.02. Impacted is an unknown function of the file /cgi-bin/tosei_datasend.php. Executing a manipulation of the argument adr_txt_1 can lead to command injection. It is possible to launch the attack remotely.
The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated command injection in a public-facing CGI script directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for arbitrary command execution on the device.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly prevents command injection by validating and sanitizing the adr_txt_1 input parameter in the vulnerable /cgi-bin/tosei_datasend.php script.
SI-2 (Flaw Remediation): addresses the root cause by identifying, reporting, and correcting the specific command injection flaw in Tosei Washing Machine 4.02.
Boundary protection mechanisms such as web application firewalls can filter and block remote exploitation attempts targeting this publicly disclosed command injection vulnerability.
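As an added example (not code from the advisory, the vendor, or the device firmware), the two controls above side by side: an allowlist check of the kind the CGI script should apply to adr_txt_1, and a detection that scans web server access log lines for shell metacharacters sent to /cgi-bin/tosei_datasend.php. The accepted character set is an assumption, since the advisory does not document the parameter's real format, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/tosei_datasend.php"
TARGET_PARAM = "adr_txt_1"

# Application-side fix (SI-10): accept only an allowlist of characters.
# Assumption: a legitimate adr_txt_1 value is short printable text; the
# advisory does not document the real format.
ALLOWED = re.compile(r"[A-Za-z0-9 ._-]{0,64}")

# Perimeter/log detection: characters that chain or substitute shell commands.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")

# Common Log Format; only the request-line fields are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def is_safe_adr_txt(value: str) -> bool:
    """Allowlist check the CGI script should apply before using the value."""
    return ALLOWED.fullmatch(value) is not None

def flag_request(line: str):
    """Finding for a request sending shell metacharacters in adr_txt_1, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes, so an encoded %3B is inspected as ';'.
    for value in parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, []):
        if SHELL_META.search(value):
            return {"ip": m["ip"], "ts": m["ts"], "value": value}
    return None

def scan(lines):
    return [hit for hit in map(flag_request, lines) if hit]

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Feb/2026:10:00:01 +0000] "GET /cgi-bin/tosei_datasend.php?adr_txt_1=Main%20Street HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Feb/2026:10:00:02 +0000] "GET /cgi-bin/tosei_datasend.php?adr_txt_1=x%3Bid HTTP/1.1" 200 230',
    '198.51.100.7 - - [16/Feb/2026:10:00:03 +0000] "GET /index.php?adr_txt_1=x%3Bid HTTP/1.1" 404 100',
    '192.0.2.9 - - [16/Feb/2026:10:00:04 +0000] "POST /cgi-bin/tosei_datasend.php HTTP/1.1" 200 0',
]
```

Access logs do not record POST bodies, so the scan only sees parameters sent in the query string; a WAF or request-body logging is needed to cover the POST case.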