CVE-2026-2944

Medium · Public PoC

Published: 22 February 2026
Modified: 26 February 2026
KEV Added: -
Patch: -
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0374 (88.4th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2944 is a medium-severity Command Injection (CWE-77) vulnerability in Tosei-Corporation Online Store Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.6% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2944 is an OS command injection vulnerability in the Tosei Online Store Management System (ネット店舗管理システム) version 1.01. The flaw affects the /cgi-bin/monitor.php file within the HTTP POST Request Handler component, where manipulation of the DevId argument enables arbitrary command execution. Mapped to CWE-77 (Command Injection) and CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

The vulnerability can be exploited remotely by unauthenticated attackers sending a specially crafted HTTP POST request with a malicious DevId value, triggering OS command injection on the server. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as executing arbitrary commands to gather information, modify data, or disrupt services, depending on the attacker's privileges and system configuration.

Advisories from VulDB (ctiid.347314, id.347314, submit.754579) and a GitHub issue (CVE-Hunter-Leo/CVE/issues/9) detail the vulnerability, including a publicly released exploit. No patches or vendor responses are available, as the vendor was notified early but did not reply; practitioners should isolate or decommission affected systems and monitor for anomalous POST requests to /cgi-bin/monitor.php.

Notable context includes the public availability of the exploit, increasing the risk of real-world attacks against exposed instances of this management system.
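
The monitoring recommended above, as an added example (not code from the advisories or the vendor): a Python triage script that scans Combined Log Format access-log lines for POST requests to /cgi-bin/monitor.php coming from outside a trusted management network. The log format, the TRUSTED_NETS range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

TARGET_PATH = "/cgi-bin/monitor.php"  # endpoint named in the advisory
# Assumption: networks allowed to reach the management interface.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def suspicious_posts(lines):
    """Return (hits, per-source counts) for untrusted POSTs to TARGET_PATH."""
    hits, counts = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != TARGET_PATH:  # ignore any query string
            continue
        if is_trusted(m["ip"]):
            continue
        hits.append((m["ts"], m["ip"], int(m["status"])))
        counts[m["ip"]] += 1
    return hits, counts

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.20.0.15 - - [23/Feb/2026:09:14:02 +0000] "POST /cgi-bin/monitor.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Feb/2026:09:15:40 +0000] "POST /cgi-bin/monitor.php HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '203.0.113.7 - - [23/Feb/2026:09:15:44 +0000] "POST /cgi-bin/monitor.php HTTP/1.1" 200 1432 "-" "curl/8.5.0"',
    '198.51.100.9 - - [23/Feb/2026:09:20:11 +0000] "GET /cgi-bin/monitor.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Feb/2026:09:21:00 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, counts = suspicious_posts(SAMPLE_LOG)
    for ts, ip, status in hits:
        print(f"{ts} {ip} -> {TARGET_PATH} status={status}")
```

Access logs normally do not record POST bodies, so this flags who reached the endpoint rather than what DevId contained; body inspection needs a proxy or WAF in front of the application.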

Vulnerability details

A security flaw has been discovered in Tosei Online Store Management System ネット店舗管理システム 1.01. Affected is the function system of the file /cgi-bin/monitor.php of the component HTTP POST Request Handler. Performing a manipulation of the argument DevId results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

CVE-2026-2944 enables unauthenticated remote exploitation of a public-facing web application (/cgi-bin/monitor.php) via OS command injection in the DevId parameter, directly facilitating T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1192: Same product: Tosei-Corporation Online Store Management System
CVE-2026-7204: Shared CWE-77, CWE-78
CVE-2026-2152: Shared CWE-77, CWE-78
CVE-2026-5677: Shared CWE-77, CWE-78
CVE-2026-2157: Shared CWE-77, CWE-78
CVE-2026-7136: Shared CWE-77, CWE-78
CVE-2026-7121: Shared CWE-77, CWE-78
CVE-2026-9387: Shared CWE-77, CWE-78
CVE-2026-9477: Shared CWE-77, CWE-78
CVE-2026-2063: Shared CWE-77, CWE-78

Affected Assets

tosei-corporation · online store management system · 1.01

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

SI-10 directly prevents OS command injection by requiring validation and sanitization of untrusted inputs like the DevId argument in HTTP POST requests to /cgi-bin/monitor.php.

prevent · recover

SI-2 mandates timely identification, reporting, and remediation of flaws such as this unpatched command injection vulnerability, potentially through patching, isolation, or decommissioning.

prevent · detect

SC-7 provides boundary protection via web application firewalls or proxies to filter and block malicious POST requests targeting the vulnerable /cgi-bin/monitor.php endpoint.
