HIGH | CVE-2026-50874 | CNA: mitre

CVE-2026-50874: An OS command injection vulnerability in the /manage/features/media component of kanishka-linux Reminiscence v0

An OS command injection vulnerability in the /manage/features/media component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An OS command injection vulnerability affects the /manage/features/media component of kanishka-linux Reminiscence v0.3.0. The flaw is reachable over the network by any authenticated low-privilege user who can craft a malicious input to that endpoint, triggering execution of arbitrary operating system commands on the host. Successful exploitation gives an attacker full read access to sensitive data and the ability to modify files or system state. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-50874 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Reminiscence v0.3.0. Affected images surfaced in any registry or CI pipeline connected to HarborGuard are flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.1 (HIGH) and weighting that score against each customer environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix version has been published for CVE-2026-50874, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment kanishka-linux ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Reminiscence service via HTTP to deliver the crafted input.

  • Authentication: Required

    Any low-privilege account with access to the /manage/features/media endpoint is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    The attacker submits a crafted request directly to the server; no action from another user is required.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements.

Blast Radius

  • An attacker can execute arbitrary OS commands on the host running Reminiscence, gaining the same system-level access as the application process.
  • Confidential data accessible to that process, including stored credentials, session tokens, and application files, can be read directly.
  • An attacker can modify or overwrite files, configuration, and persisted application data on the host.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored on every ingest cycle because no upstream fix exists yet. In the meantime, customers can apply compensating controls through HarborGuard network policies, such as restricting ingress to the /manage/features/media endpoint to known-good IP ranges, enabling egress filtering to limit post-exploitation lateral movement, and using feature-flag gating to disable the media management component if it is not operationally required. The moment kanishka-linux publishes a fix, HarborGuard will make a patched-image rebuild available. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR against affected workloads will follow automatically; the median time from CVE fix publication to merged patch PR for high-severity issues is around 90 minutes in those environments.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N