Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp
AnalysisAI
Command injection in Caesium Image Compressor (all versions through commit 02da2c6) allows local authenticated attackers to execute arbitrary OS commands via unsanitized input to shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp. The vulnerable code uses system() calls without input validation, enabling shell metacharacter injection during post-compression power management operations. Patch available via GitHub PR #376 replacing system() with QProcess::startDetached(). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. No evidence of active exploitation or public POC beyond the researcher's advisory.
Technical ContextAI
This vulnerability affects Caesium Image Compressor, a Qt-based desktop image compression utility. The flaw resides in CWE-77 (Improper Neutralization of Special Elements used in a Command) implementation within PostCompressionActions.cpp. The vulnerable functions invoke platform-specific shutdown/sleep commands using the C standard library system() function, which spawns a shell interpreter to execute commands. On Windows, calls like system("shutdown /s") and system("rundll32.exe powrprof.dll,SetSuspendState 0,1,0") are vulnerable; on Linux/macOS, system("shutdown -h now"), system("pmset sleepnow"), and system("systemctl suspend") exhibit the same weakness. Because system() passes the entire string to a shell (cmd.exe on Windows, /bin/sh on Unix), attackers can inject shell metacharacters (semicolons, pipes, backticks, environment variable expansions) if any part of the command string derives from attacker-controlled input. The PR diff shows the fix replaces all system() invocations with QProcess::startDetached() using explicit argument arrays, which bypasses shell interpretation entirely. The vulnerability is classified as OS Command Injection (the advisory mentions CWE-78 specifically, a child of CWE-77). The affected CPE string cpe:2.3:a:n/a:n/a indicates incomplete vendor/product enumeration in NVD data.
RemediationAI
Update to Caesium Image Compressor versions incorporating the fix from GitHub PR #376 (https://github.com/Lymphatus/caesium-image-compressor/pull/376), which replaces vulnerable system() calls with QProcess::startDetached() using explicit argument arrays. As of this analysis, the patch is merged but a tagged release version containing the fix is not independently confirmed - users should build from the main branch post-merge or await an official release announcement from Lymphatus. The PR diff shows the fix eliminates shell invocation entirely by passing commands and arguments as separate QStringList elements to QProcess, preventing shell metacharacter interpretation. If upgrading is not immediately feasible, disable or restrict access to post-compression power management features (shutdown/sleep actions) within the application settings or via application allow-listing policies. Note that restricting the application's execution privileges (running as a standard user rather than administrator) limits the impact of command injection to user-level access but does not prevent exploitation. For enterprise deployments, consider application control policies that prevent Caesium from invoking system power management commands. The same PR also addresses an API endpoint validation vulnerability (CWE-346), so the update provides defense-in-depth benefits beyond the command injection fix.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26976