CVE-2026-2944
Published: 22 February 2026
Summary
CVE-2026-2944 is a medium-severity Command Injection (CWE-77) vulnerability in Tosei-Corporation Online Store Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 11.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2944 is an OS command injection vulnerability in the Tosei Online Store Management System (ネット店舗管理システム) version 1.01. The flaw affects the /cgi-bin/monitor.php file within the HTTP POST Request Handler component, where manipulation of the DevId argument enables arbitrary command execution. Mapped to CWE-77 (Command Injection) and CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
The vulnerability can be exploited remotely by unauthenticated attackers sending a specially crafted HTTP POST request with a malicious DevId value, triggering OS command injection on the server. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as executing arbitrary commands to gather information, modify data, or disrupt services, depending on the attacker's privileges and system configuration.
Advisories from VulDB (ctiid.347314, id.347314, submit.754579) and a GitHub issue (CVE-Hunter-Leo/CVE/issues/9) detail the vulnerability, including a publicly released exploit. No patches or vendor responses are available, as the vendor was notified early but did not reply; practitioners should isolate or decommission affected systems and monitor for anomalous POST requests to /cgi-bin/monitor.php.
Notable context includes the public availability of the exploit, increasing the risk of real-world attacks against exposed instances of this management system.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7688
Vulnerability details
A security flaw has been discovered in Tosei Online Store Management System ネット店舗管理システム 1.01. Affected is the function system of the file /cgi-bin/monitor.php of the component HTTP POST Request Handler. Performing a manipulation of the argument DevId results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-2944 enables unauthenticated remote exploitation of a public-facing web application (/cgi-bin/monitor.php) via OS command injection in the DevId parameter, directly facilitating T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) for arbitrary command execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents OS command injection by requiring validation and sanitization of untrusted inputs like the DevId argument in HTTP POST requests to /cgi-bin/monitor.php.
SI-2 mandates timely identification, reporting, and remediation of flaws such as this unpatched command injection vulnerability, potentially through patching, isolation, or decommissioning.
SC-7 provides boundary protection via web application firewalls or proxies to filter and block malicious POST requests targeting the vulnerable /cgi-bin/monitor.php endpoint.
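One way to apply the SI-10 and SC-7 guidance above, as an added example (not the vendor's code and not taken from the referenced advisories): a check that a reverse proxy hook or log pipeline could run on POST bodies sent to /cgi-bin/monitor.php. The DevId allowlist pattern and the sample requests are assumptions constructed for illustration, since the page does not document the legitimate DevId format.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/monitor.php"
# Assumption: legitimate DevId values are short identifiers made of
# letters, digits, hyphen and underscore. Adjust to the real format.
DEVID_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,32}")

def check_request(method, path, body):
    """Return (verdict, reason); verdict is 'allow' or 'block'.

    `path` is assumed to be already normalized by the proxy;
    `body` is the raw form-encoded POST body as bytes.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return ("allow", "not the monitored endpoint")
    try:
        fields = parse_qs(body.decode("utf-8"),
                          keep_blank_values=True, strict_parsing=True)
    except (UnicodeDecodeError, ValueError):
        return ("block", "unparseable body")
    values = fields.get("DevId", [])
    # A repeated parameter can make the filter and the application
    # disagree on which value is used, so reject it outright.
    if len(values) != 1:
        return ("block", "DevId missing or repeated")
    # parse_qs has already percent-decoded the value, so encoded
    # metacharacters are judged in their decoded form.
    if not DEVID_ALLOWED.fullmatch(values[0]):
        return ("block", "DevId outside allowlist")
    return ("allow", "DevId matches allowlist")

# Constructed sample requests (method, path, body); not real traffic.
SAMPLES = [
    ("POST", TARGET_PATH, b"DevId=dev-0042"),
    ("POST", TARGET_PATH, b"DevId=dev-0042%3Bx"),   # decodes to 'dev-0042;x'
    ("POST", TARGET_PATH, b"DevId=a&DevId=b"),
    ("GET", "/index.html", b""),
]

def triage(samples):
    """Verdicts for a batch of requests, in order."""
    return [check_request(*s)[0] for s in samples]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], sample[2], "->", check_request(*sample))
```

Because no vendor patch exists, a filter like this is a compensating control in front of the application, not a substitute for isolating or decommissioning the affected system.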