{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4591", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-22T11:40:29.907Z", "datePublished": "2026-03-23T15:15:14.996Z", "dateUpdated": "2026-03-23T15:56:36.807Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-23T15:15:14.996Z"}, "title": "kalcaddle kodbox fileThumb Endpoint app.php checkBin os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "kalcaddle", "product": "kodbox", "versions": [{"version": "1.64", "status": "affected"}], "modules": ["fileThumb Endpoint"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-22T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-22T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-22T12:45:44.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "vulnplusbot (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.352427", "name": "VDB-352427 | kalcaddle kodbox fileThumb Endpoint app.php checkBin os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352427", "name": "VDB-352427 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775470", "name": "Submit #775470 | Kodbox 1.64 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://vulnplus-note.wetolink.com/share/3ml5XA0firIa", "tags": ["broken-link", "exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:56:25.739810Z", "id": "CVE-2026-4591", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:56:36.807Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha identificado una debilidad en kalcaddle kodbox 1.64. Esto afecta a la funci\u00f3n checkBin del archivo /workspace/source-code/plugins/fileThumb/app.PHP del componente fileThumb Endpoint. Ejecutar una manipulaci\u00f3n puede llevar a una inyecci\u00f3n de comandos del sistema operativo. El ataque puede ejecutarse de forma remota. El exploit ha sido puesto a disposici\u00f3n del p\u00fablico y podr\u00eda usarse para ataques. Se contact\u00f3 al proveedor con antelaci\u00f3n sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-4591", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-23T16:16:52.750", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352427"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352427"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.775470"}, {"source": "cna@vuldb.com", "url": "https://vulnplus-note.wetolink.com/share/3ml5XA0firIa"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.64"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "kodbox", "source": "cna", "vendor": "kalcaddle"}, "product": "kodbox", "vendor": "kalcaddle"}], "analysis": {"en": {"generated_at": "2026-03-23T16:21:17.007089+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011issued patch or upgrade to a corrected version of kalcaddle kodbox that eliminates the vulnerable checkBin function.", "If a patch is not immediately available, disable or uninstall the fileThumb plugin or block access to the affected endpoint.", "Restrict network traffic to the application by firewall or access\u2011control rules so that only trusted hosts can reach the vulnerable endpoint.", "Continuously monitor web server logs for anomalous request patterns that might indicate attempted command injection attacks."], "summary": {"action": "Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "Vendor kalcaddle\u2019s kodbox platform, specifically version 1.64, contains the fileThumb plugin with the vulnerable checkBin endpoint.", "description_and_impact": "The vulnerability resides in the checkBin function of the fileThumb endpoint in kalcaddle kodbox 1.64, enabling an attacker to inject operating\u2011system commands. The weakness is classified as OS Command Injection (CWE\u201177, CWE\u201178). Successful exploitation allows the attacker to execute arbitrary commands on the target server, potentially compromising confidentiality, integrity, and availability of the system.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a moderate severity, while the EPSS score is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog. The design of the flaw permits remote exploitation without authentication, and a publicly available exploit has already been released. This combination of remote, unauthenticated access, public exploit, and the potential for arbitrary code execution elevates the practical risk to a significant level for any unpatched system."}}}}, "created": "2026-03-24T10:33:42.145848+00:00", "updated": "2026-03-25T21:27:57.688149+00:00", "vendors": ["kalcaddle", "kalcaddle$PRODUCT$kodbox"]}