CVE-2019-25441

CRITICAL

thesystem 1.0 - Command Injection

Title source: llm

Description

thesystem 1.0 contains a command injection vulnerability in the run_command endpoint. An unauthenticated attacker can send a POST request with shell commands in the command parameter, and the server executes them as arbitrary system commands.

Exploits (1)

exploitdb WORKING POC
by Sadik Cetin · text · webapps · python
https://www.exploit-db.com/exploits/47441

Scores

CVSS v3 9.8
EPSS 0.0336
EPSS Percentile 87.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-78
Status draft

Timeline

Published Feb 20, 2026
Tracked Since Feb 21, 2026