{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2333", "assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "state": "PUBLISHED", "assignerShortName": "Nozomi", "dateReserved": "2026-02-11T09:59:52.482Z", "datePublished": "2026-02-20T16:48:34.348Z", "dateUpdated": "2026-02-20T23:04:22.532Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "opds", "vendor": "Owl", "versions": [{"lessThanOrEqual": "2.2.0.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Luca Borzacchiello at Nozomi Networks"}, {"lang": "en", "type": "finder", "value": "Gabriele Quagliarella at Nozomi Networks"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.<br>"}], "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request."}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 9.2, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "shortName": "Nozomi", "dateUpdated": "2026-02-20T16:48:34.348Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-2333"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T17:58:47.127682Z", "id": "CVE-2026-2333", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T23:04:22.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2333", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T17:58:47.127682Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T17:59:02.884Z"}}], "cna": {"title": "Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Luca Borzacchiello at Nozomi Networks"}, {"lang": "en", "type": "finder", "value": "Gabriele Quagliarella at Nozomi Networks"}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Owl", "product": "opds", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.0.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-2333", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "shortName": "Nozomi", "dateUpdated": "2026-02-20T16:48:34.348Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2333", "state": "PUBLISHED", "dateUpdated": "2026-02-20T23:04:22.532Z", "dateReserved": "2026-02-11T09:59:52.482Z", "assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "datePublished": "2026-02-20T16:48:34.348Z", "assignerShortName": "Nozomi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:owlcyberdefense:opds-talon:2.2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8B979FF6-C6CD-47C0-9409-EBF036DB39E6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:owlcyberdefense:opds-100:-:*:*:*:*:*:*:*", "matchCriteriaId": "76B6558D-D323-40D3-99A7-909C24D49951", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:owlcyberdefense:opds-talon:2.2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8B979FF6-C6CD-47C0-9409-EBF036DB39E6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:owlcyberdefense:opds-1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "FA72CA3A-BE76-49B0-A670-3EB19D29333D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request."}, {"lang": "es", "value": "Neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando ('Inyecci\u00f3n de comandos') en Owl opds 2.2.0.4 permite la inyecci\u00f3n de comandos a trav\u00e9s de una solicitud de red manipulada."}], "id": "CVE-2026-2333", "lastModified": "2026-02-26T23:10:43.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "prodsec@nozominetworks.com", "type": "Secondary"}]}, "published": "2026-02-20T17:25:57.570", "references": [{"source": "prodsec@nozominetworks.com", "tags": ["Broken Link"], "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-2333"}], "sourceIdentifier": "prodsec@nozominetworks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "prodsec@nozominetworks.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "opds", "source": "cna", "vendor": "Owl"}, "product": "opds", "vendor": "owl"}], "analysis": {"en": {"generated_at": "2026-04-17T17:21:12.247161+00:00", "value": {"mitigation_remediation": ["Update Owl opds to the latest patched version once released by the vendor.", "Restrict network access to the opds service by allowing traffic only from trusted IP addresses or within a secured internal network.", "Monitor system logs for unexpected command executions and deploy intrusion detection to flag suspicious activity."], "summary": {"action": "Patch ASAP", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "Affected products include Owl CyberDefense opds as indicated by the CPE entries for opds\u20111000, opds\u2011100, and the specific 2.2.0.4 release of opds\u2011talon. Administrators should verify whether their deployment matches any of these identifiers to determine applicability.", "description_and_impact": "A flaw in Owl CyberDefense opds 2.2.0.4 allows an attacker to inject and execute arbitrary commands through a crafted network request. This command injection results from improper neutralization of special elements used in command construction, giving attackers total control over the host, compromising confidentiality, integrity, and availability. The weakness is a classic Command Injection classified as CWE\u201177.", "risk_and_exploitability": "The vulnerability carries a CVSS v3.1 score of 9.2, indicating critical severity. The EPSS score is less than 1%, suggesting a low current exploitation probability, yet the flaw is not yet listed in the CISA KEV catalog, meaning it could still be actively leveraged by skilled threat actors. The attack vector is remote over the network, requiring a crafted request directed at the opds service, which, if successful, grants attacker system\u2011level execution privileges."}}}}, "created": "2026-02-23T14:35:37.012625+00:00", "updated": "2026-04-17T17:30:23.858161+00:00", "vendors": ["owl", "owl$PRODUCT$opds"]}