CVE-2019-25441 CRITICAL

CVE-2019-25441: thesystem 1.0 Command Injection via run_command endpoint

Vendor Kostasmitroglou
Product thesystem
Weakness CWE-78
Published February 20, 2026
Last update April 7, 2026
View on NVD All CVEs

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.

Key dates

02Disclosure timeline

February 20, 2026 CVE published
April 7, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-54074 Cherry Studio is Vulnerable to OS Command Injection during Connection with a Malicious MCP Server CVE-2024-30314 Dreamweaver Desktop | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) CVE-2022-33150 CVE-2012-10046 E-Mail Security Virtual Appliance learn-msg.cgi Command Injection CVE-2023-34277 D-Link DIR-2150 SetSysEmailSettings AccountName Command Injection Remote Code Execution Vulnerability