CVE-2026-2956 in dst-admin

Summary

by MITRE • 02/23/2026

A security flaw has been discovered in qinming99 dst-admin up to 1.5.0. This affects the function revertBackup of the file /home/restore. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/27/2026

This vulnerability exists in the qinming99 dst-admin application version 1.5.0 and earlier, specifically within the revertBackup function located in the /home/restore file. The flaw represents a critical command injection vulnerability that allows remote attackers to execute arbitrary commands on the affected system. The vulnerability is triggered when the Name argument is manipulated, which then gets processed without proper input sanitization or validation, creating an exploitable path for malicious actors to gain unauthorized access to the underlying system. This type of vulnerability falls under CWE-77 and CWE-94 categories, representing command injection and code injection respectively, which are fundamental security weaknesses that enable attackers to execute arbitrary code with the privileges of the affected application.

The remote exploitability of this vulnerability significantly increases its threat level, as attackers can leverage this weakness from external networks without requiring physical access or prior authentication. The fact that public exploits have been released indicates that this vulnerability is actively being used in the wild, making it a pressing security concern for organizations that have not yet patched their systems. Attackers can manipulate the Name parameter to inject malicious commands that will be executed by the system, potentially leading to complete system compromise, data exfiltration, or further lateral movement within the network. This vulnerability directly maps to ATT&CK technique T1059.001 for command and script injection, and T1068 for exploit for privilege escalation.

The operational impact of this vulnerability extends beyond simple command execution, as successful exploitation can lead to persistent backdoors, data theft, and system-wide compromise. Organizations using this application version are at risk of unauthorized access, system manipulation, and potential regulatory compliance violations. The lack of vendor response to early disclosure attempts compounds the severity of this situation, leaving users without official patches or mitigation guidance during an active threat period. The vulnerability represents a critical gap in the application's input validation mechanisms, where user-supplied data flows directly into system commands without proper sanitization, creating an attack surface that adversaries can readily exploit.

Organizations should immediately implement network-based mitigations, including firewall rules that restrict access to the affected application and its endpoints, and should consider temporarily disabling the revertBackup functionality until a proper patch can be deployed. The recommended remediation involves upgrading to a patched version of the qinming99 dst-admin application or implementing strict input validation and sanitization measures to prevent command injection attacks. Additionally, organizations should conduct comprehensive security assessments to identify other potential command injection vulnerabilities within their application landscape. The implementation of web application firewalls and input validation controls can provide immediate protection while longer-term patches are deployed, following security best practices outlined in NIST SP 800-160 and OWASP Top Ten security frameworks.
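The strict input validation recommended above, sketched as an added example (this is not dst-admin's code): a backup name is checked against an allowlist, confined to one directory, and passed as a single argv element with no shell. The backup directory, the `.tar` suffix, the tar-based restore and all function names are assumptions made for illustration.

```python
import re
import subprocess
from pathlib import Path

# Assumptions (not from dst-admin): backup location, ".tar" suffix, tar-based restore.
BACKUP_DIR = Path("/srv/dst/backups")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.tar")


def validate_backup_name(name, backup_dir=BACKUP_DIR):
    """Return the resolved backup path, or raise ValueError for a bad name."""
    # Allowlist: no spaces, quotes, ';', '|', '&', '$', backticks, '/', or newlines,
    # and no leading '-' that a tool could read as an option.
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ValueError("backup name is outside the allowlist")
    base = Path(backup_dir).resolve()
    candidate = (base / name).resolve()
    # A symlink inside the directory could still point elsewhere; reject it.
    if candidate.parent != base:
        raise ValueError("backup name escapes the backup directory")
    return candidate


def build_restore_argv(name, target_dir, backup_dir=BACKUP_DIR):
    """Build an argument vector; the name is one argv element, never shell text."""
    archive = validate_backup_name(name, backup_dir)
    return ["tar", "-xf", str(archive), "-C", str(target_dir)]


def restore(name, target_dir, backup_dir=BACKUP_DIR):
    """Run the restore without a shell, so metacharacters have no meaning."""
    argv = build_restore_argv(name, target_dir, backup_dir)
    return subprocess.run(argv, shell=False, check=True, timeout=300)


# Constructed sample inputs: one legitimate name, the rest must be rejected.
SAMPLES = ["world_01.tar", "world.tar; id", "$(id).tar", "../x.tar",
           "-x.tar", "world.tar\n"]


def triage(names=SAMPLES):
    """Map each candidate name to True (accepted) or False (rejected)."""
    result = {}
    for n in names:
        try:
            validate_backup_name(n)
            result[n] = True
        except ValueError:
            result[n] = False
    return result
```

Rejecting by allowlist rather than stripping known-bad characters means an unanticipated metacharacter fails closed.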

Responsible: VulDB

Disclosure: 02/23/2026

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00377

KEV: no

Activities: very low
