CVE-2026-2544
Published: 16 February 2026
Summary
CVE-2026-2544 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
A security flaw has been discovered in yued-fe LuLu UI up to version 3.0.0, specifically in the child_process.exec function within the run.js file. The issue stems from improper handling of input that enables OS command injection, tracked under CWE-77 and CWE-78. The vulnerability is remotely exploitable without authentication or user interaction, carrying a CVSS 4.0 score of 6.9.
An attacker can supply crafted input to the affected function over the network to execute arbitrary operating system commands on the host running the application. Successful exploitation grants limited control over confidentiality, integrity, and availability of the target system, though the precise impact depends on the privileges of the process executing run.js.
The vendor was notified prior to disclosure but provided no response or patch. Public references consist of a GitHub proof-of-concept and VulDB entries, with no mitigation guidance or fixed release identified. The EPSS score remains flat at 0.0218 with no observed increase since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6119
Vulnerability details
A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function child_process.exec of the file run.js. The manipulation results in OS command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in remotely accessible Node.js child_process.exec directly enables T1190 (Exploit Public-Facing Application) for unauthenticated remote access and T1059 (Command and Scripting Interpreter) for arbitrary OS command execution with the process privileges.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents OS command injection by requiring validation and sanitization of inputs to the child_process.exec function in run.js.
- CM-7 (Least Functionality): mitigates the vulnerability by restricting or prohibiting non-essential functions like child_process.exec, minimizing the attack surface in LuLu UI.
- Flaw remediation: addresses the specific flaw in run.js through timely identification, reporting, and remediation, including workarounds since no vendor patch exists.