Cyber Resilience

CVE-2026-2533

Severity: Medium
Published: 16 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch:
CVSS Score (v4): 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0218 (84.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2533 is a medium-severity Injection (CWE-74) vulnerability in Yuque (inferred from references). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.3% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command injection vulnerability has been identified in Tosei Self-service Washing Machine version 4.02. The flaw resides in an unspecified function within the file /cgi-bin/tosei_datasend.php, where improper handling of the adr_txt_1 argument permits arbitrary command execution. The issue is tracked as CVE-2026-2533 and is associated with CWE-74 and CWE-77.

An unauthenticated attacker can exploit the weakness remotely by supplying a crafted value to the affected parameter, resulting in command injection with limited impact on confidentiality, integrity, and availability. Public exploit code has been released, and the CVSS 4.0 score of 6.9 reflects network attack vector, low complexity, and no required privileges or user interaction.

The vendor was notified prior to disclosure but provided no response. The EPSS score remains flat at 0.0218 with no observed increase since publication, indicating limited evidence of emerging exploitation interest at this time.

Vulnerability details

A flaw has been found in Tosei Self-service Washing Machine 4.02. Impacted is an unknown function of the file /cgi-bin/tosei_datasend.php. Executing a manipulation of the argument adr_txt_1 can lead to command injection. It is possible to launch the attack remotely.…
The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Remote unauthenticated command injection in a public-facing CGI script directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for arbitrary command execution on the device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2194 (shared CWE-74, CWE-77)
CVE-2026-2218 (shared CWE-74, CWE-77)
CVE-2026-5103 (shared CWE-74, CWE-77)
CVE-2026-4203 (shared CWE-74, CWE-77)
CVE-2026-2135 (shared CWE-74, CWE-77)
CVE-2026-3661 (shared CWE-74, CWE-77)
CVE-2026-2615 (shared CWE-74, CWE-77)
CVE-2026-4207 (shared CWE-74, CWE-77)
CVE-2025-10628 (shared CWE-74, CWE-77)
CVE-2026-5333 (shared CWE-74, CWE-77)

Affected Assets

Yuque (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

[prevent] SI-10 Information Input Validation: Directly prevents command injection by validating and sanitizing the adr_txt_1 input parameter in the vulnerable /cgi-bin/tosei_datasend.php script.

[prevent] SI-2 Flaw Remediation: Addresses the root cause by identifying, reporting, and correcting the specific command injection flaw in Tosei Washing Machine 4.02.

[prevent, detect] Boundary protection: Boundary protection mechanisms like web application firewalls can filter and block remote exploitation attempts targeting the publicly disclosed command injection vulnerability.
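As an added example (not from this page, Tosei, or any vendor tooling), the log-side detection a defender could pair with the boundary-protection control above: it scans constructed Apache-style access-log lines for requests to the advisory's /cgi-bin/tosei_datasend.php path and flags shell metacharacters in the adr_txt_1 query parameter. The sample lines, the metacharacter set, and the assumption that a legitimate adr_txt_1 value is ordinary printable text are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/cgi-bin/tosei_datasend.php"   # path named in the advisory
PARAM = "adr_txt_1"                         # parameter named in the advisory
# Assumption: a legitimate value is plain text, so shell metacharacters are anomalous.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2026:10:01:02 +0000] "GET /cgi-bin/tosei_datasend.php?adr_txt_1=Main%20Street%2012 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Feb/2026:10:01:07 +0000] "GET /cgi-bin/tosei_datasend.php?adr_txt_1=x%3B%20echo%20test HTTP/1.1" 200 640 "-" "curl/8.4.0"
203.0.113.9 - - [16/Feb/2026:10:01:09 +0000] "POST /cgi-bin/tosei_datasend.php HTTP/1.1" 200 640 "-" "curl/8.4.0"
198.51.100.7 - - [16/Feb/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

def suspicious_value(value: str) -> bool:
    """True if the percent-decoded parameter value contains shell metacharacters."""
    return bool(SHELL_META.search(value))

def classify(line: str):
    """Return None for unrelated lines, else (client_ip, verdict) for hits on the CGI script."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != VULN_PATH:
        return None
    if m["method"] != "GET":
        # Body parameters never reach the access log, so a log scan cannot clear
        # non-GET requests; hand them to the device's own request logging.
        return (m["ip"], "review: non-GET request, parameter not visible in access log")
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    if any(suspicious_value(v) for v in values):
        return (m["ip"], f"alert: shell metacharacters in {PARAM}")
    return (m["ip"], "info: benign-looking request")

def scan(log_text: str):
    """Classify every line that touches the vulnerable script."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

The POST case shows the limit of access-log monitoring: the same parameter sent in a request body is invisible there, so an inline WAF rule or device-side logging is still needed to cover it.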
