CVE-2026-2956

Medium · Public PoC

Published: 22 February 2026

Modified: 25 February 2026
CVSS v4 Score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0471 (90.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2956 is a medium-severity Injection (CWE-74) vulnerability in Dst-Admin Project Dst-Admin. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2956 is a command injection vulnerability (CWE-74, CWE-77) affecting qinming99 dst-admin versions up to 1.5.0. The issue lies in the revertBackup function of the /home/restore file, where manipulation of the Name argument allows attackers to inject and execute arbitrary commands.

The vulnerability enables remote exploitation (AV:N) with low attack complexity (AC:L) and requires low privileges (PR:L) but no user interaction (UI:N), with unchanged scope (S:U). Successful exploitation results in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS 3.1 base score of 6.3.

Advisories from VulDB note that the vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are available. An exploit has been publicly released, heightening the potential for real-world attacks. Relevant references include https://fx4tqqfvdw4.feishu.cn/docx/ObYgdtoweowo8Vx4dmuckqC7nBe?from=from_copylink, https://vuldb.com/?ctiid.347323, https://vuldb.com/?id.347323, and https://vuldb.com/?submit.754508.

Vulnerability details

A security flaw has been discovered in qinming99 dst-admin up to 1.5.0. This affects the function revertBackup of the file /home/restore. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

CVE-2026-2956 is a command injection vulnerability in a public-facing web application (/home/restore endpoint), directly enabling T1190 (Exploit Public-Facing Application). It facilitates arbitrary remote command execution, mapping to T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2957 · Same product: Dst-Admin Project Dst-Admin
CVE-2026-1414 · Shared CWE-74, CWE-77
CVE-2025-15133 · Shared CWE-74, CWE-77
CVE-2025-15132 · Shared CWE-74, CWE-77
CVE-2026-8344 · Shared CWE-74, CWE-77
CVE-2026-7058 · Shared CWE-74, CWE-77
CVE-2025-8752 · Shared CWE-74, CWE-77
CVE-2025-0328 · Shared CWE-74, CWE-77
CVE-2025-10962 · Shared CWE-74, CWE-77
CVE-2025-1845 · Shared CWE-74, CWE-77

Affected Assets

dst-admin project · dst-admin · ≤ 1.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · Directly prevents command injection by validating and sanitizing the Name argument in the revertBackup function before command execution.

prevent · Establishes processes to identify, assess, and remediate flaws like this unpatched command injection in dst-admin up to 1.5.0.

prevent · Reduces impact of exploited command injection by enforcing least privilege on the low-privilege account required for remote access.
