CVE-2026-58455
Published: 02 July 2026
Summary
CVE-2026-58455 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-41405
Vulnerability details
Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands by exploiting a missing exit() after an authentication redirect in loader.php combined with unsanitized input passed to shell_exec() in ajax/compose.php. Attackers can seed the required session flag through the incomplete auth check, then inject arbitrary commands via the composePath POST parameter in the composePull action to achieve full host compromise, facilitated by the standard deployment mounting of the Docker socket.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Unauthenticated OS command injection in a public-facing web application (CWE-78) directly enables remote exploitation via T1190, with arbitrary Unix shell command execution through shell_exec().
Affected Assets
- Dockwatch through 0.6.567
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input (the composePath POST parameter) before it reaches shell_exec().
- AC-3 (Access Enforcement): enforces proper authentication and authorization checks before permitting any action, blocking the incomplete redirect bypass in loader.php.
- Least privilege for the web process: limits the privileges of the web process and restricts unnecessary Docker socket exposure, which is what turns a successful injection into full host compromise.
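The two defects the advisory describes, the fall-through after the authentication redirect and the unsanitized composePath reaching shell_exec(), each shown beside the hardened form the mitigations above call for. This is an added example, not Dockwatch's code; the function names, the docker command line and the /app/compose base directory are assumptions.

```php
<?php
// Added example, not Dockwatch's code: the advisory's two defects beside hardened
// forms. Function names, the docker command line and the base dir are assumptions.
// Defect 1: redirect without terminating the script. After header() PHP keeps
// executing, so the protected code below still runs for an anonymous request.
function requireLoginVulnerable(): void
{
    if (empty($_SESSION['authenticated'])) {
        header('Location: /login.php');
        // missing exit: execution falls through into the page body
    }
}

// Hardened: the redirect must be followed by exit so nothing else runs.
function requireLoginFixed(): void
{
    if (empty($_SESSION['authenticated'])) {
        header('Location: /login.php');
        exit;
    }
}

// Defect 2: a POST value interpolated verbatim into a shell_exec() string.
function composePullVulnerable(string $composePath): ?string
{
    return shell_exec("docker compose -f $composePath pull 2>&1");
}

// Hardened: resolve the path, require it to sit under a fixed base directory
// and look like a compose file, then quote it for the shell regardless.
function composePullFixed(string $composePath, string $baseDir): ?string
{
    $real = realpath($composePath);
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !preg_match('/\.ya?ml$/', $real)) {
        http_response_code(400);
        return null; // rejected: not a compose file under the expected directory
    }
    return shell_exec('docker compose -f ' . escapeshellarg($real) . ' pull 2>&1');
}

// Hypothetical handler: authenticate first, then validate before any command.
session_start();
requireLoginFixed();
if (($_POST['action'] ?? '') === 'composePull') {
    echo composePullFixed((string) ($_POST['composePath'] ?? ''), '/app/compose');
}
```

Dropping the Docker socket mount, or running the web process as an unprivileged user, is the separate control that keeps a future injection from becoming host compromise.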