Skip to main content

Caesium Image Compressor CVE-2026-36365

| EUVDEUVD-2026-26976 HIGH
Command Injection (CWE-77)
2026-05-04 mitre
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
May 05, 2026 - 16:23 vuln.today
Analysis Generated
May 05, 2026 - 16:23 vuln.today
CVSS changed
May 05, 2026 - 16:22 NVD
7.8 (HIGH)
EUVD ID Assigned
May 04, 2026 - 16:00 euvd
EUVD-2026-26976
CVE Published
May 04, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp

AnalysisAI

Command injection in Caesium Image Compressor (all versions through commit 02da2c6) allows local authenticated attackers to execute arbitrary OS commands via unsanitized input to shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp. The vulnerable code uses system() calls without input validation, enabling shell metacharacter injection during post-compression power management operations. Patch available via GitHub PR #376 replacing system() with QProcess::startDetached(). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. No evidence of active exploitation or public POC beyond the researcher's advisory.

Technical ContextAI

This vulnerability affects Caesium Image Compressor, a Qt-based desktop image compression utility. The flaw resides in CWE-77 (Improper Neutralization of Special Elements used in a Command) implementation within PostCompressionActions.cpp. The vulnerable functions invoke platform-specific shutdown/sleep commands using the C standard library system() function, which spawns a shell interpreter to execute commands. On Windows, calls like system("shutdown /s") and system("rundll32.exe powrprof.dll,SetSuspendState 0,1,0") are vulnerable; on Linux/macOS, system("shutdown -h now"), system("pmset sleepnow"), and system("systemctl suspend") exhibit the same weakness. Because system() passes the entire string to a shell (cmd.exe on Windows, /bin/sh on Unix), attackers can inject shell metacharacters (semicolons, pipes, backticks, environment variable expansions) if any part of the command string derives from attacker-controlled input. The PR diff shows the fix replaces all system() invocations with QProcess::startDetached() using explicit argument arrays, which bypasses shell interpretation entirely. The vulnerability is classified as OS Command Injection (the advisory mentions CWE-78 specifically, a child of CWE-77). The affected CPE string cpe:2.3:a:n/a:n/a indicates incomplete vendor/product enumeration in NVD data.

RemediationAI

Update to Caesium Image Compressor versions incorporating the fix from GitHub PR #376 (https://github.com/Lymphatus/caesium-image-compressor/pull/376), which replaces vulnerable system() calls with QProcess::startDetached() using explicit argument arrays. As of this analysis, the patch is merged but a tagged release version containing the fix is not independently confirmed - users should build from the main branch post-merge or await an official release announcement from Lymphatus. The PR diff shows the fix eliminates shell invocation entirely by passing commands and arguments as separate QStringList elements to QProcess, preventing shell metacharacter interpretation. If upgrading is not immediately feasible, disable or restrict access to post-compression power management features (shutdown/sleep actions) within the application settings or via application allow-listing policies. Note that restricting the application's execution privileges (running as a standard user rather than administrator) limits the impact of command injection to user-level access but does not prevent exploitation. For enterprise deployments, consider application control policies that prevent Caesium from invoking system power management commands. The same PR also addresses an API endpoint validation vulnerability (CWE-346), so the update provides defense-in-depth benefits beyond the command injection fix.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-36365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy