
Description

MiniDVBLinux 5.4 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands as root through the 'command' GET parameter. Attackers can exploit the /tpl/commands.sh endpoint by sending malicious command values to gain root-level system access.

PUBLISHED | Reserved 2025-12-21 | Published 2025-12-30 | Updated 2026-01-12 | Assigner VulnCheck




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

Unknown (semver): affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php [exploit]

www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php (Zero Science Lab Disclosure (ZSL-2022-5718)) [third-party-advisory]

packetstormsecurity.com/files/168749/ (Packet Storm Security Exploit Entry) [exploit]

www.vulncheck.com/...e-root-command-execution-via-commandssh (VulnCheck Advisory: MiniDVBLinux 5.4 Remote Root Command Execution via commands.sh) [third-party-advisory]

cve.org (CVE-2022-50691)

nvd.nist.gov (CVE-2022-50691)
