CVE-2019-25441

CRITICAL

thesystem 1.0 - Unauthenticated OS Command Injection via run_command Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25441. PoCs published by Sadik Cetin.

AI-analyzed exploit summary: This exploit demonstrates a command injection vulnerability in 'thesystem' (version 1.0) via a POST request to the '/run_command/' endpoint. The vulnerability allows arbitrary command execution because the input is not sanitized and the endpoint enforces no authentication.

Description

thesystem 1.0 contains a command injection vulnerability (CWE-78) that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the /run_command/ endpoint. An attacker can send a POST request with shell commands in the command parameter and have them executed on the server without any authentication.

Exploits (1)

Exploit-DB · Working PoC
by Sadik Cetin · text · webapps · python
https://www.exploit-db.com/exploits/47441

Classification: Working PoC (95% confidence)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: thesystem 1.0
Authentication: None needed
Prerequisites: Network access to the target application · Application running on port 8000
Analyzed by devstral-2 on Feb 21, 2026

References (3)

Scores

CVSS v3 9.8
EPSS 0.0850
EPSS Percentile 94.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-78
Status published
Products (2)
kostasmitroglou/thesystem 1.0.0
kostasmitroglou/thesystem 1.0
Published Feb 20, 2026
Tracked Since Feb 21, 2026